NightEagle hackers exploit Microsoft Exchange flaw to spy on China’s strategic sectors

Attackers pursued stealthy persistence: Following successful exploitation of the zero-day, attackers deploy a modified Go-based version of Chisel, an open-source SOCKS tunneling tool, scheduling it to run every four hours and establish covert tunnels to their C2 servers.

This allowed them to move in and out of the network whenever they wanted, enabling persistence for over a year, even after initial infections were cleaned up.

"We found through the landing time of the Chisel malware and the attack traffic time saved by the EDR that the attack time was from 9 pm to 6 am Beijing time," the researchers said. "The working hours of this group were very fixed, and they never worked overtime or stole data after work hours. Based on the time zone analysis, we think the group is from a country in North America."

Domain registration by the group suggested that NightEagle's targets shift in response to geopolitical developments, such as launching attacks on Chinese sectors using large AI models as the country's AI markets expand, researchers noted.
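A defender can hunt for both traits reported above: a process launched on a fixed four-hour cadence, and activity concentrated between 9 pm and 6 am Beijing time. The following is an added example, not code from the article or the researchers; the host name, image names, timestamps and the five-minute tolerance are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BEIJING = timezone(timedelta(hours=8))  # China Standard Time (UTC+8, no DST)

# Constructed EDR process-start records: (UTC timestamp, host, image name).
PROCESS_STARTS = [
    ("2025-01-10T00:00:00+00:00", "mail01", "tunnel.exe"),
    ("2025-01-10T04:00:00+00:00", "mail01", "tunnel.exe"),
    ("2025-01-10T08:01:00+00:00", "mail01", "tunnel.exe"),
    ("2025-01-10T12:00:00+00:00", "mail01", "tunnel.exe"),
    ("2025-01-10T16:00:00+00:00", "mail01", "tunnel.exe"),
    ("2025-01-10T01:10:00+00:00", "mail01", "w3wp.exe"),
    ("2025-01-10T02:45:00+00:00", "mail01", "w3wp.exe"),
    ("2025-01-10T09:00:00+00:00", "mail01", "w3wp.exe"),
    ("2025-01-10T15:20:00+00:00", "mail01", "w3wp.exe"),
]

# Constructed outbound-connection timestamps (UTC) for one suspicious process.
TRAFFIC = ["2025-01-10T13:30:00+00:00", "2025-01-10T18:00:00+00:00",
           "2025-01-10T21:59:00+00:00", "2025-01-10T22:00:00+00:00",
           "2025-01-10T03:00:00+00:00"]

def periodic_images(events, period=timedelta(hours=4),
                    tolerance=timedelta(minutes=5), min_runs=4):
    """Return (host, image) pairs whose every launch gap is close to `period`."""
    runs = defaultdict(list)
    for ts, host, image in events:
        runs[(host, image)].append(datetime.fromisoformat(ts))
    hits = []
    for key, times in runs.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_runs and all(abs(g - period) <= tolerance for g in gaps):
            hits.append(key)
    return sorted(hits)

def in_beijing_window(ts, start_hour=21, end_hour=6):
    """True if the timestamp falls in the overnight window, in Beijing time."""
    hour = datetime.fromisoformat(ts).astimezone(BEIJING).hour
    return hour >= start_hour or hour < end_hour

def share_in_window(timestamps):
    """Fraction of events inside the 9 pm to 6 am Beijing-time window."""
    hits = sum(in_beijing_window(t) for t in timestamps)
    return hits / len(timestamps) if timestamps else 0.0

if __name__ == "__main__":
    print("fixed 4h cadence:", periodic_images(PROCESS_STARTS))
    print("share of traffic in window:", share_in_window(TRAFFIC))
```

A fixed cadence alone also matches legitimate scheduled jobs, so treat a hit as a lead to check against the binary's path, signer and network destinations.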

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4018080/nighteagle-hackers-exploit-microsoft-exchange-flaw-to-spy-on-chinas-strategic-sectors.html
