Threat Intel - China-Linked APT CL-STA-1087 Targets Militaries
Basically, a group linked to China has been spying on Southeast Asian militaries since 2020.
A China-linked APT group has been targeting Southeast Asian militaries since 2020. Their advanced malware campaigns focus on espionage, raising serious security concerns. Organizations need to bolster defenses against these sophisticated threats.
The Threat
The espionage campaign known as CL-STA-1087 has been active since 2020, primarily targeting military organizations in Southeast Asia. This group is suspected to be linked to China and utilizes sophisticated malware, specifically AppleChris and MemFun, to infiltrate and gather intelligence. The campaign is characterized by its strategic operational patience and a focus on collecting specific military intelligence rather than engaging in bulk data theft.
The attackers have shown a high level of sophistication in their methods. They maintain persistence on compromised systems by using scripts to create reverse shells, allowing them to communicate with multiple command and control (C2) servers. This long-term intrusion strategy enables them to remain undetected for extended periods, resuming operations after months of dormancy.
Who's Behind It
The group behind CL-STA-1087 demonstrates a clear connection to China, as indicated by the tools and tactics they employ. Their operations reflect a deep understanding of military structures and capabilities, suggesting that they are not merely opportunistic hackers but rather a well-organized threat actor focused on espionage. The use of advanced malware like AppleChris, which has evolved to include features such as DLL hijacking and sandbox evasion, underscores their technical expertise.
Additionally, the attackers employ a modular backdoor system, with MemFun being a key component. This malware operates entirely in memory, making it difficult to detect and analyze. The infrastructure supporting these operations has been active for several years, indicating a sustained commitment to their espionage objectives.
Tactics & Techniques
CL-STA-1087 uses a variety of tactics to achieve its goals. The group deploys malware such as AppleChris and MemFun, which are designed to evade detection while harvesting sensitive military data. AppleChris has been observed using custom (non-standard) HTTP verbs and a dead drop resolver on Pastebin, a public paste from which the implant retrieves its current C2 address, so that it can reach C2 servers dynamically rather than relying on a hard-coded address; this gives the operators considerable flexibility.
The malware is capable of executing commands for file access, remote shells, and process control, all while maintaining a low profile on the network. MemFun, on the other hand, employs anti-forensic techniques such as timestomping (altering file timestamps so that its artifacts blend in with legitimate files) to obscure its presence, making it a formidable tool in the attackers' arsenal. These tactics reflect a high level of sophistication and planning, aimed at maximizing the effectiveness of their espionage efforts.
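As an added illustration of how a defender might hunt for the two network indicators described above (custom HTTP verbs and Pastebin dead-drop lookups), the following Python script is example code written for this summary, not code from the original report or from the malware. It assumes a hypothetical proxy log layout (timestamp, client IP, method, URL, status) and runs over constructed sample lines; the specific verbs AppleChris uses are not given here, so the check flags any method outside the standard set.

```python
import re
from collections import defaultdict

# Methods registered for HTTP (RFC 9110) plus common WebDAV verbs; any other
# method string is treated as a custom verb worth reviewing.
STANDARD_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}

# Public paste services commonly abused as dead drop resolvers.
PASTE_HOSTS = {"pastebin.com"}

# Hypothetical proxy log layout assumed for this example:
# "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def host_of(url):
    """Return the lowercase host part of an absolute URL (port stripped)."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def analyze_proxy_log(lines):
    """Return per-client findings: custom HTTP verbs seen and paste-site fetches."""
    findings = defaultdict(lambda: {"custom_verbs": set(), "paste_fetches": []})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, method, url, _status = m.groups()
        if method.upper() not in STANDARD_METHODS:
            findings[client]["custom_verbs"].add(method)
        if host_of(url) in PASTE_HOSTS:
            findings[client]["paste_fetches"].append(url)
    # Keep only clients that triggered at least one indicator.
    return {c: f for c, f in findings.items() if f["custom_verbs"] or f["paste_fetches"]}


# Constructed sample log lines (not real traffic) exercising both checks.
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z 10.0.0.12 GET https://www.example.org/index.html 200",
    "2024-05-01T08:00:07Z 10.0.0.12 GET https://pastebin.com/raw/abcd1234 200",
    "2024-05-01T08:00:09Z 10.0.0.12 RANDOMVERB https://203.0.113.5/update 200",
    "2024-05-01T08:01:30Z 10.0.0.33 POST https://www.example.org/api/login 200",
    "2024-05-01T08:02:00Z 10.0.0.12 SYNC https://198.51.100.7/update 200",
]

if __name__ == "__main__":
    for client, f in analyze_proxy_log(SAMPLE_LOG).items():
        print(client, sorted(f["custom_verbs"]), f["paste_fetches"])
```

A client that both fetches a raw paste and then speaks a non-standard verb to several different IPs, as 10.0.0.12 does in the sample, is the pattern worth escalating; either indicator alone is only a lead.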
Defensive Measures
To defend against threats like CL-STA-1087, organizations, especially military ones, should adopt a multi-layered security approach. This includes implementing robust endpoint protection solutions capable of detecting advanced malware behaviors. Regular security audits and threat intelligence updates can help organizations stay informed about emerging threats.
Moreover, training personnel to recognize suspicious activities and potential phishing attempts is crucial. By fostering a culture of security awareness, organizations can reduce the risk of successful intrusions. Finally, maintaining updated systems and applying security patches promptly can help mitigate vulnerabilities that might be exploited by sophisticated threat actors like CL-STA-1087.
Security Affairs