Chinese-nexus threat actors attacked targets in Qatar in the days after the first US-Israeli strike in Iran, signalling a shift in regional strategy for China-backed advanced persistent threat (APT) groups as they pivot in response to geopolitical events.
The threat actor Camaro Dragon aimed to deploy a variant of PlugX malware against various Qatari entities using lures associated with the conflict within one day of the launch of the so-called "Operation Epic Fury" offensive, Check Point Software revealed in a blog post this week. A separate attack on a Qatari target also aimed to deploy the penetration testing tool Cobalt Strike via DLL hijacking, a technique also associated with China-nexus groups.
Chinese threat actors typically don't target the Gulf region as much as other parts of the Middle East, demonstrating a shift in targeting in the wake of the current war against Iran, according to Check Point. The ongoing conflict quickly spread to other Middle Eastern countries such as Qatar, United Arab Emirates, and Bahrain, where the US has military bases against which Iran has retaliated.
"In the immediate aftermath of the escalation in the Middle East, Check Point Research observed at least two separate threat actors targeting entities in Qatar using conflict-related lures tailored to blend into the region's fast-moving communications environment," the blog post stated. "Taken together, these intrusions highlight how rapidly China-nexus espionage actors can pivot in response to geopolitical events."
Using the Iranian Conflict as Bait
Both attacks relied on content related to the Iranian conflict as lures for malicious emails, likely aiming "to blend into legitimate, fast-moving regional communications" and thus appear legitimate, according to Check Point.
The attack attributed to Camaro Dragon delivered a malicious archive disguised as photos of attacks on American bases in Bahrain. When executed, an LNK file from the archive kicks off an "unusually long infection chain" that contacts a compromised server to retrieve the next-stage payload, according to Check Point.
Eventually the attack abused DLL hijacking of a legitimate Baidu NetDisk binary to deploy the PlugX backdoor, a modular malware associated with multiple Chinese-nexus threat actors since at least 2008. Recently, the FBI said it successfully deleted PlugX from thousands of devices globally as part of a cooperative effort; however, this recent use suggests it's still in play among threat actors.
As its name suggests, PlugX's architecture is plug-in-based, enabling remote access and a wide range of post-compromise functions, including file exfiltration, screen capture, keystroke logging, and remote command execution.