A suspected cyber espionage operation believed to be originating from China has been targeting military organizations in Southeast Asia as part of a state-sponsored campaign that has been ongoing since at least 2020.
Security researchers at Palo Alto Networks Unit 42 have been monitoring this threat activity, which they have named CL-STA-1087, with “CL” standing for cluster and “STA” representing state-backed motivation.
The attackers behind this campaign have been focused on acquiring highly specific files related to military capabilities, organizational structures, and collaborations with Western armed forces, rather than engaging in bulk data theft. This strategic approach demonstrates operational patience and a deliberate intelligence collection strategy.
The operation displays characteristics typically associated with advanced persistent threat (APT) tactics, including sophisticated delivery methods, evasion techniques, stable infrastructure, and custom payload deployment to ensure prolonged unauthorized access to compromised systems.
Among the tools used by the threat actor are backdoors named AppleChris and MemFun, along with a credential harvester known as Getpass.
The initial detection of the intrusion set was triggered by suspicious PowerShell execution, leading to the establishment of reverse shells connecting to a command-and-control (C2) server controlled by the threat actor. The exact method of initial access remains unknown.
The infection process involves the deployment of AppleChris variants across targeted endpoints after lateral movement to maintain persistence and evade detection. The threat actors have shown interest in military organizational structures, strategies, and systems, particularly in areas such as command, control, communications, computers, and intelligence (C4I).
Both AppleChris and MemFun utilize a shared Pastebin account as a dead drop resolver to retrieve C2 information stored in Base64 format. The malware variants also employ sandbox evasion tactics and advanced network proxy capabilities to avoid detection.
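A defender-side way to hunt for this dead-drop pattern, added here as an example that is not code from Unit 42 or from the reporting: it scans constructed proxy log lines for Pastebin raw fetches made by non-browser processes and checks whether the fetched body is Base64 that decodes to a host:port endpoint. The log format, process names, paste IDs and endpoints are all assumptions.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed proxy log lines (timestamp, host, process, URL). Not real telemetry.
PROXY_LOG = [
    "2024-03-01T09:12:03Z ws-17 chrome.exe https://pastebin.com/raw/AbCdEf12",
    "2024-03-01T09:12:45Z ws-17 powershell.exe https://pastebin.com/raw/Zz9xQ1wE",
    "2024-03-01T09:13:10Z ws-22 svchost.exe https://pastebin.com/raw/Kk3mNn77",
    "2024-03-01T09:14:00Z ws-22 outlook.exe https://example.org/calendar",
]

# Constructed paste bodies keyed by paste ID; two of them decode to host:port strings.
PASTE_BODIES = {
    "AbCdEf12": "just some notes",
    "Zz9xQ1wE": base64.b64encode(b"203.0.113.45:443").decode(),
    "Kk3mNn77": base64.b64encode(b"update.example.net:8443").decode(),
}

PASTE_RAW = re.compile(r"https?://pastebin\.com/raw/([A-Za-z0-9]+)")
HOST_PORT = re.compile(r"^(?:(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9.-]+\.[a-z]{2,}):\d{1,5}$")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed allow-list of paste viewers


def decode_dead_drop(body: str) -> Optional[str]:
    """Return the decoded text if the paste body is Base64 that yields host:port, else None."""
    try:
        text = base64.b64decode(body.strip(), validate=True).decode("ascii").strip()
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if HOST_PORT.match(text.lower()) else None


def triage(log_lines: List[str], bodies: dict) -> List[Tuple[str, str, str]]:
    """Flag Pastebin raw fetches by non-browser processes whose body decodes to an endpoint."""
    alerts = []
    for line in log_lines:
        _ts, host, proc, url = line.split()
        match = PASTE_RAW.search(url)
        if not match or proc.lower() in BROWSERS:
            continue
        endpoint = decode_dead_drop(bodies.get(match.group(1), ""))
        if endpoint:
            alerts.append((host, proc, endpoint))
    return alerts


if __name__ == "__main__":
    for alert in triage(PROXY_LOG, PASTE_BODIES):
        print("possible dead-drop resolver fetch:", alert)
```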
MemFun, in particular, uses a multi-stage chain process to establish communication with the C2 server and execute the backdoor payload. This dynamic behavior allows threat actors to easily deliver additional payloads without modifying the core functionality of the malware.
Additionally, a custom version of Mimikatz called Getpass is used in the attacks to escalate privileges and extract authentication data from system processes.
Overall, the threat actor behind this cyber espionage campaign has demonstrated operational patience, precise intelligence collection, and robust operational security to ensure the longevity of its operation.