Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Government
3-Year Espionage Campaign Targeted Taiwanese Firms

A hacking group with links to the Chinese government is behind a three-year-long espionage campaign that targeted Taiwanese companies with a custom malware variant, researchers said.
Google Cloud attributed the campaign to APT24, a China-based hacking group that has been active since 2011. The latest campaign, which began in 2022, used multiple attack vectors to target Taiwanese companies using a malware variant called BADAUDIO.
“In July 2024, APT24 compromised a regional digital marketing firm in Taiwan – a supply chain attack that impacted more than 1,000 domains. Notably, the firm experienced multiple re-compromises over the last year, demonstrating APT24’s persistent commitment to the operations,” Google said.
The hacking group, also known as G0011, PITTY PANDA and Temp.Pittytiger, is largely focused on intellectual property theft relating to specific projects of strategic interest to China. The group has mainly targeted organizations in Taiwan and the United States in the healthcare, construction and engineering, mining and nonprofit sectors.
The hacking group deployed multiple variants of BADAUDIO, a first-stage downloader that collects basic system information and is used to establish persistence within victim networks. Because the hackers frequently shifted their initial access techniques and paired those shifts with upgrades to the malware, they remained largely undetected, Google said.
For instance, the campaign initially relied on a watering hole technique: the attackers compromised 20 websites and injected a malicious JavaScript payload into them. The script used the FingerprintJS library to identify visitors, who were then shown a pop-up message that delivered the BADAUDIO malware, Google Cloud said.
Around July 2024, the attackers switched to supply chain compromises. The tactics involved hackers injecting malicious script into a widely used JavaScript library provided by a target. Using typosquatting that imitated a legitimate content delivery network, the attackers then delivered BADAUDIO.
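The two web-delivery vectors above (a script injected into a compromised site, and a copy of a widely used library served from a look-alike CDN host) are both visible from the site owner's side by auditing what a page actually loads. The following is an added example, not code from Google's report or from the campaign's tooling: it parses the script tags of a page, flags external hosts that are one or two characters away from a trusted CDN host, flags hosts that are not on the allowlist at all, and flags any external script served without a Subresource Integrity attribute. The TRUSTED_HOSTS allowlist, the sample HTML and the edit-distance threshold are constructed assumptions.

```python
"""Audit <script> tags for look-alike CDN hosts and missing SRI.

Added example (not the report's code). Assumes the site owner knows which
CDN hosts are legitimate; TRUSTED_HOSTS below is a constructed placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist; replace with the CDN hosts your site really uses.
TRUSTED_HOSTS = {"cdn.example-cdn.com", "static.example.org"}
MAX_EDIT_DISTANCE = 2  # hostnames this close to a trusted host are suspicious


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) pairs from every <script> tag with a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def audit_scripts(html: str) -> list:
    """Return one finding per external script that is untrusted, a look-alike
    of a trusted host, or served without an integrity attribute."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue  # same-origin relative path; SRI is optional there
        reasons = []
        if host not in TRUSTED_HOSTS:
            close = [t for t in TRUSTED_HOSTS
                     if 0 < edit_distance(host, t) <= MAX_EDIT_DISTANCE]
            if close:
                reasons.append(f"look-alike of trusted host {close[0]}")
            else:
                reasons.append("host not on allowlist")
        if integrity is None:
            reasons.append("no integrity attribute (SRI missing)")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page: one clean script, one look-alike host without SRI,
# one trusted host without SRI, one same-origin script.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-cdn.com/lib.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.examp1e-cdn.com/lib.js"></script>
<script src="https://static.example.org/app.js"></script>
<script src="/local/bundle.js"></script>
</head></html>
"""

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

SRI only helps against the CDN-substitution case; a library that is modified at its legitimate origin still carries a valid hash once the integrity attribute is regenerated, so the allowlist and a review of changes to third-party bundles remain necessary.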
By May of this year, the hackers switched to social engineering that used Google Drive and OneDrive to distribute encrypted archives containing BADAUDIO.
After initial access, the hackers deployed the malware through DLL search order hijacking, a tactic in which the attacker plants a malicious dynamic-link library where Windows will load it in place of the legitimate one.
The malware then collects hostname, username and system architecture data. This information is then hashed and embedded within a cookie parameter in the command-and-control request header, which further helped the hackers to remain under the radar, Google said.
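A beacon that tucks a digest of host data into a cookie blends in because cookies are everywhere in web traffic, but it also leaves a pattern: the same client repeatedly sends the same hash-length hexadecimal cookie value to a host that nobody else in the organization talks to. The following is an added example, not Google's detection logic, and it does not claim to reproduce BADAUDIO's actual cookie format, which the report does not spell out. It assumes a simplified, constructed proxy-log line format and a constructed baseline of known hosts, and reports hosts outside that baseline where a client's cookie is a constant bare digest across at least three requests.

```python
"""Hunt for beacon-style requests carrying a constant hash-like cookie.

Added example; assumes a simplified proxy log line of the form
  <timestamp> <client_ip> <method> <host> <path> cookie="<Cookie header>"
and a constructed KNOWN_HOSTS baseline. Not the report's code.
"""
import re
from collections import defaultdict

HASH_LENGTHS = {32, 40, 64}            # MD5 / SHA-1 / SHA-256 hex lengths
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<host>\S+) '
    r'(?P<path>\S+) cookie="(?P<cookie>[^"]*)"$'
)
# Constructed baseline of hosts the organization expects to see.
KNOWN_HOSTS = {"intranet.example.internal", "www.example.com"}


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def hash_like_values(cookie_header):
    """Return (name, value) pairs whose value is a bare hex digest of a
    common hash length."""
    out = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        value = value.strip()
        if len(value) in HASH_LENGTHS and HEX_RE.match(value):
            out.append((name.strip(), value))
    return out


def find_suspicious_hosts(lines, min_requests=3):
    """Hosts outside the baseline where one client sends the same hash-like
    cookie value on every request, at least min_requests times."""
    per_host_client = defaultdict(list)   # (host, ip) -> cookie digests seen
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["host"] in KNOWN_HOSTS:
            continue
        vals = hash_like_values(rec["cookie"])
        per_host_client[(rec["host"], rec["ip"])].append(vals[0][1] if vals else None)
    results = []
    for (host, ip), vals in per_host_client.items():
        if len(vals) >= min_requests and None not in vals and len(set(vals)) == 1:
            results.append({"host": host, "client": ip,
                            "cookie_digest": vals[0], "requests": len(vals)})
    return sorted(results, key=lambda r: (r["host"], r["client"]))


# Constructed sample traffic. DIGEST stands in for a hash of hostname,
# username and architecture; it is not a real observed value.
DIGEST = "ab12" * 16   # 64 hex characters, SHA-256 length
SAMPLE_LOG = [
    f'2025-05-01T09:00:01Z 10.0.0.5 GET updates.example-cdn.net /v1/check cookie="id={DIGEST}"',
    '2025-05-01T09:00:07Z 10.0.0.5 GET www.example.com / cookie="PHPSESSID=1a2b3c4d5e6f70819"',
    f'2025-05-01T09:05:02Z 10.0.0.5 GET updates.example-cdn.net /v1/check cookie="id={DIGEST}"',
    '2025-05-01T09:06:40Z 10.0.0.9 GET news.example.net /today cookie="lang=en; theme=dark"',
    f'2025-05-01T09:10:03Z 10.0.0.5 GET updates.example-cdn.net /v1/check cookie="id={DIGEST}"',
    f'2025-05-01T09:11:00Z 10.0.0.9 GET updates.example-cdn.net /v1/check cookie="id={"cd34" * 16}"',
    f'2025-05-01T09:16:00Z 10.0.0.9 GET updates.example-cdn.net /v1/check cookie="id={"cd34" * 16}"',
]

if __name__ == "__main__":
    for hit in find_suspicious_hosts(SAMPLE_LOG):
        print(hit)
```

Hexadecimal session identifiers are common on legitimate sites, so the digest check alone would be noisy; the host baseline and the constant-value-per-client requirement are what make the hit worth an analyst's time, and the first thing to do with a hit is to look at how many clients in the organization talk to that host at all.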
“This activity follows a broader trend GTIG has observed of PRC-nexus threat actors increasingly employing stealthy tactics to avoid detection,” Google said. Google said it took steps to disrupt the malware infrastructure and alerted customers affected by breaches.