While UNC4191's operations have affected a variety of public and private sector organisations, primarily in Southeast Asia and extending to the U.S., Europe, and APJ, the systems specifically targeted by UNC4191 were found to be physically located in the Philippines, even when the targeted organisations were based in other countries.
The threat actor used legitimately signed binaries to side-load malware, including three new families named MISTCLOAK, DARKDEW, and BLUEHAZE, after an initial infection delivered via USB devices. Following a successful compromise, a reverse shell and a renamed NCAT binary were deployed, giving the threat actor backdoor access to the victim's machine.
Mandiant has seen threat actors querying domain and local group permissions (T1069.001, T1069.002) and enumerating domain trusts (T1482) within a period of several minutes (Figure 1). By sequencing or clustering these events, the number of events worth investigating can be reduced to a manageable figure, even though the aggregate count of all three techniques occurring independently can reach the hundreds of thousands.
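A defender-side illustration of the sequencing/clustering idea described above, added here as an example and not taken from the Mandiant report: it collapses the three discovery techniques (T1069.001, T1069.002, T1482) into a single finding per host when all three occur inside one short time window. The sample events, hostnames and command-line patterns are constructed assumptions, not data from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (timestamp, host, command line).
# HOST-A runs all three discovery techniques within a few minutes; HOST-B runs
# two of them hours apart; HOST-C runs an unrelated command.
SAMPLE_EVENTS = [
    ("2022-11-01T09:00:05", "HOST-A", 'net group "Domain Admins" /domain'),
    ("2022-11-01T09:01:40", "HOST-A", "net localgroup administrators"),
    ("2022-11-01T09:03:10", "HOST-A", "nltest /domain_trusts"),
    ("2022-11-01T09:02:00", "HOST-B", "net localgroup administrators"),
    ("2022-11-01T13:30:00", "HOST-B", "nltest /domain_trusts"),
    ("2022-11-01T10:00:00", "HOST-C", "whoami /groups"),
]

# Assumed command-line patterns mapped to the ATT&CK technique IDs in the text.
TECHNIQUE_PATTERNS = {
    "T1069.002": re.compile(r"\bnet1?(?:\.exe)?\s+group\b.*/domain", re.I),
    "T1069.001": re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\b", re.I),
    "T1482": re.compile(r"\bnltest(?:\.exe)?\s+/domain_trusts\b", re.I),
}

def classify(cmdline):
    """Return the set of technique IDs whose pattern matches this command line."""
    return {tid for tid, rx in TECHNIQUE_PATTERNS.items() if rx.search(cmdline)}

def cluster_discovery(events, window_minutes=5):
    """Flag hosts on which every technique in TECHNIQUE_PATTERNS is seen inside
    one sliding window of window_minutes. Returns host -> (start, end, techniques)."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        techs = classify(cmd)
        if techs:
            per_host[host].append((datetime.fromisoformat(ts), techs))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(evs):  # try each event as window start
            seen, end = set(), start
            for ts, techs in evs[i:]:
                if ts - start > window:
                    break
                seen |= techs
                end = ts
            if seen >= set(TECHNIQUE_PATTERNS):  # all three techniques clustered
                hits[host] = (start, end, seen)
                break
    return hits
```

Thousands of individual `net` and `nltest` executions collapse to one finding per host, which is the noise reduction the paragraph describes.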
The Mandiant team reports that the malware infection chain consists of three phases and uses the tools listed below.
| Tool | Description |
| --- | --- |
| MISTCLOAK | MISTCLOAK is a launcher written in C++ that executes an encrypted executable payload stored in a file on disk. |
| BLUEHAZE | BLUEHAZE is a launcher written in C/C++ that launches a copy of NCAT to create a reverse shell to a hardcoded command and control (C2). |
| DARKDEW | DARKDEW is a dropper written in C++ that is capable of infecting removable drives. |
| NCAT | NCAT is a command-line networking utility that was written for the Nmap Project to perform a wide variety of security and administration tasks. While NCAT may be used for legitimate purposes, threat actors may also use it to upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls. |
“We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant,” reads the report.