Chinese APT group Phantom Taurus targets gov and telecom organizations

mssq.bat that connects to an SQL database using the sa (system administrator) ID with a password previously obtained by the attackers. It then performs a dynamic search for specific keywords specified in the script, saving the results as a CSV file. “The threat actor used this method to search for documents of interest and information related to specific countries such as Afghanistan and Pakistan,” the researchers said.

NET-STAR malware suite: A newly discovered addition to Phantom Taurus’ toolset this year is a set of web-based backdoors designed to interact with IIS web servers. The main component, called IIServerCore, operates within the memory of the w3wp.exe IIS worker process and is capable of loading other fileless payloads directly into memory and executing arbitrary commands and command-line arguments.

“The initial component of IIServerCore is an ASPX web shell named OutlookEN.aspx,” the researchers wrote. “This web shell contains an embedded Base64-compressed binary, the IIServerCore backdoor. When the web shell executes, it loads the backdoor into the memory of the w3wp.exe process and invokes the Run method, which is the main function of IIServerCore.”

Another component, called AssemblyExecuter V1, is designed to execute .NET assembly bytecode in memory, whereas the enhanced version, AssemblyExecuter V2, is capable of bypassing the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). “The component’s seemingly benign code structure results in minimal flagging by antivirus engines on VirusTotal, at the time of writing this article,” the researchers said. “This demonstrates a technique that threat actors can use to create tools that avoid overt code, which detection systems might interpret as malicious.”

Phantom Taurus uses APT operational infrastructure associated in the past exclusively with other Chinese threat actors, such as Iron Taurus (aka APT27), Starchy Taurus (aka Winnti), and Stately Taurus (aka Mustang Panda). However, the specific infrastructure components used by Phantom Taurus have not been observed with the other groups, suggesting this is a separate group that compartmentalizes its operations.
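The loader pattern described above (an ASPX page carrying a Base64-encoded, compressed .NET image that is decoded and loaded in the w3wp.exe process) is something a defender can hunt for on disk. The following Python scanner is an added example, not code from the article or from the researchers; it assumes the compression is gzip or deflate (the article does not say which) and the embedded web shell it scans is a constructed sample, not a real payload.

```python
import base64
import gzip
import hashlib
import re
import zlib

# Assumption: a backdoor image is kilobytes long, so short base64 runs are skipped.
MIN_B64_LEN = 64
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)


def _decompress(blob: bytes):
    """Try the formats a .NET loader commonly uses (assumption: gzip, raw deflate, zlib)."""
    for fn in (gzip.decompress, lambda b: zlib.decompress(b, -15), zlib.decompress):
        try:
            return fn(blob)
        except Exception:
            continue
    return None


def scan_aspx(text: str) -> list:
    """Flag base64 runs that decode, raw or after decompression, to a PE/.NET image (MZ header)."""
    findings = []
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except Exception:
            continue
        for form, data in (("raw", raw), ("decompressed", _decompress(raw))):
            if data and data[:2] == b"MZ":
                findings.append({"offset": m.start(), "form": form, "image_size": len(data)})
                break
    return findings


# Constructed sample: an incompressible fake image with an MZ header (NOT a real assembly),
# gzip-compressed and base64-embedded in a minimal ASPX page, mirroring the described loader.
_FAKE_IMAGE = b"MZ" + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
SAMPLE_WEBSHELL = (
    '<%@ Page Language="C#" %>\n<script runat="server">\n'
    'string p = "' + base64.b64encode(gzip.compress(_FAKE_IMAGE)).decode() + '";\n'
    "// decode, decompress, Assembly.Load(...), then invoke Run\n</script>"
)
# Constructed benign page: an inline image data URI, which is base64 but not a PE image.
SAMPLE_BENIGN = '<img src="data:image/png;base64,' + base64.b64encode(b"\x89PNG" + b"\x00" * 200).decode() + '">'

if __name__ == "__main__":
    print(scan_aspx(SAMPLE_WEBSHELL))  # one finding, form "decompressed"
    print(scan_aspx(SAMPLE_BENIGN))    # []
```

Run it over the IIS web root (for example every *.aspx under inetpub) and triage hits by hand; a legitimate page rarely embeds a full executable image.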

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4066651/chinese-apt-group-phantom-taurus-targets-gov-and-telecom-organizations.html
