While UNC4191 operations have affected a range of public and private sector organisations, primarily in Southeast Asia but extending to the U.S., Europe and APJ, the systems that UNC4191 specifically targeted were found to be physically located in the Philippines, even when the victim organisation was based in another country.

The threat actor used legitimately signed binaries to side-load malware, including three new families that Mandiant has named MISTCLOAK, DARKDEW and BLUEHAZE, after initial infection through USB devices. Once a host was compromised, a reverse shell and a renamed NCAT binary were deployed, giving the threat actor backdoor access to the victim's machine.

Mandiant has seen threat actors query domain and local group permissions (T1069.001, T1069.002) and enumerate domain trusts (T1482) within a span of a few minutes (Figure 1). Taken independently, the aggregate event count for all three techniques can reach the hundreds of thousands; by sequencing or clustering those events, the number worth investigating can be brought down to a manageable figure.
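The clustering idea above, as an added example (not code from Mandiant or the report): process-creation records are mapped to the three technique IDs, and events on the same host are chained while each falls within ten minutes of the previous one, so a burst of group and trust enumeration raises one alert instead of one per command. The command patterns assume built-in Windows tooling (net, net1, nltest); the event records are constructed for the example.

```python
"""Cluster noisy discovery events (T1069.001, T1069.002, T1482) per host
so that a burst of group and trust enumeration fires as a single alert.
Added example; sample events are constructed, not taken from the report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the enumeration is done with built-in Windows commands.
# Other tooling (PowerView, AdFind, ...) would need its own patterns.
TECHNIQUE_PATTERNS = {
    "T1069.001": re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\b"),   # local groups
    "T1069.002": re.compile(r"\bnet1?(?:\.exe)?\s+group\b"),        # domain groups
    "T1482": re.compile(r"\bnltest(?:\.exe)?\s+/(?:domain_trusts|trusted_domains)\b"),
}


def classify(cmdline):
    """Map a process command line to the technique it indicates, or None."""
    # Drop quotes and collapse whitespace so quoted paths still match.
    norm = " ".join(cmdline.replace('"', " ").lower().split())
    for tid, pattern in TECHNIQUE_PATTERNS.items():
        if pattern.search(norm):
            return tid
    return None


def raw_hits(events):
    """How many alerts three independent single-event rules would raise."""
    return sum(1 for _, _, _, cmd in events if classify(cmd))


def _alert_for(host, chain, min_techniques):
    techniques = {tid for _, _, tid, _ in chain}
    if len(techniques) < min_techniques:
        return None
    return {
        "host": host,
        "users": sorted({user for _, user, _, _ in chain}),
        "start": chain[0][0].isoformat(),
        "end": chain[-1][0].isoformat(),
        "techniques": techniques,
        "events": len(chain),
    }


def cluster_discovery(events, window=timedelta(minutes=10), min_techniques=2):
    """Chain classified events on the same host that fall within `window`
    of the previous one; emit one alert per chain that shows at least
    `min_techniques` distinct techniques."""
    per_host = defaultdict(list)
    for ts, host, user, cmd in events:
        tid = classify(cmd)
        if tid:
            per_host[host].append((datetime.fromisoformat(ts), user, tid, cmd))

    alerts = []
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e[0])
        chain = []
        for ev in evs:
            if chain and ev[0] - chain[-1][0] > window:
                alert = _alert_for(host, chain, min_techniques)
                if alert:
                    alerts.append(alert)
                chain = []
            chain.append(ev)
        alert = _alert_for(host, chain, min_techniques) if chain else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed process-creation records: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2022-11-01T09:00:05", "WS01", "CORP\\jdoe", "whoami /all"),
    ("2022-11-01T09:00:41", "WS01", "CORP\\jdoe", "C:\\Windows\\system32\\net.exe localgroup administrators"),
    ("2022-11-01T09:02:10", "WS01", "CORP\\jdoe", 'net group "Domain Admins" /domain'),
    ("2022-11-01T09:03:33", "WS01", "CORP\\jdoe", '"C:\\Windows\\system32\\nltest.exe" /domain_trusts'),
    ("2022-11-01T09:04:02", "WS01", "CORP\\jdoe", "net group /domain"),
    ("2022-11-01T11:15:00", "WS02", "CORP\\helpdesk", "net localgroup administrators"),  # lone check
    ("2022-11-01T14:20:00", "WS03", "CORP\\svc-mon", "nltest /domain_trusts"),          # scheduled job
]

if __name__ == "__main__":
    print("single-event hits:", raw_hits(SAMPLE_EVENTS))
    for alert in cluster_discovery(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data the three single-event rules would fire six times, while the clustered rule raises one alert for WS01 and stays silent on the lone helpdesk check and the scheduled trust query. The window and the minimum number of distinct techniques are the two knobs to tune against your own baseline.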

Mandiant reports that the malware infection chain consists of three phases, using the tools listed below.

Malware Family | Description
MISTCLOAK | A launcher written in C++ that executes an encrypted executable payload stored in a file on disk.
BLUEHAZE | A launcher written in C/C++ that launches a copy of NCAT to create a reverse shell to a hardcoded command and control (C2) server.
DARKDEW | A dropper written in C++ that is capable of infecting removable drives.
NCAT | A command-line networking utility written for the Nmap Project to perform a wide variety of security and administration tasks. While NCAT has legitimate uses, threat actors also use it to upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls.

“We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant,” reads the report.

For more cyber security news in crisp form, follow our site on Twitter at @cyberworkx1 and on LinkedIn.
