The newly identified Grayling APT group has launched targeted attacks against Taiwanese organisations.
Based on reports, the industries targeted by this group include the manufacturing, information technology (IT), and biomedical sectors. However, the impact of this threat is not exclusive to Taiwan: the group's malicious activities have also extended to a government agency in the Pacific Islands, as well as to Vietnamese firms and to the United States.
The Grayling APT group uses DLL sideloading to launch their payloads.
What sets the Grayling APP group apart is its use of DLL sideloading combined with a customised decryptor to deploy its payloads. In addition, the group's attack chain includes the exploitation of flaws in public-facing infrastructure to gain initial access.
Recent research also indicates that the attackers deploy web shells on specific victim machines even before they begin the DLL sideloading step. Once sideloading succeeds, the attack chain delivers malicious payloads such as Cobalt Strike, NetSpy, and the Havoc framework.
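The sideloading pattern described above (a trusted host executable loading an attacker-supplied DLL from its own directory) is detectable from image-load telemetry. The following is an added example, not code from the original article or from any vendor report on Grayling; it assumes Sysmon-style "Image Loaded" records reduced to dictionaries with the keys `process`, `image` and `signed`, and the sample events and the list of well-known system DLL names are constructed for the demonstration.

```python
"""Heuristic detector for DLL sideloading candidates in image-load telemetry.

Added example, not part of the original article. It assumes each record is a
dict with 'process' (host executable path), 'image' (loaded module path) and
'signed' (bool); the sample records below are constructed for the demo.
"""
from pathlib import PureWindowsPath

# Directories where a DLL of a given name is expected to live when it was
# installed legitimately. Trailing separators avoid prefix collisions.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# DLL names that normally ship with Windows. A same-named copy loaded from the
# host process's own directory is the classic sideload shape. Constructed list
# for the example; a real deployment would derive it from a host baseline.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptsp.dll", "wtsapi32.dll"}


def _in_trusted_dir(path: str) -> bool:
    low = path.lower()
    return any(low.startswith(d) for d in TRUSTED_DIRS)


def is_sideload_candidate(event: dict) -> bool:
    """Flag a load when the DLL sits in the same directory as its host process,
    that directory is outside the trusted locations, and the DLL is either
    unsigned or reuses the name of a well-known system DLL."""
    proc = PureWindowsPath(event["process"])
    dll = PureWindowsPath(event["image"])
    if dll.suffix.lower() != ".dll":
        return False
    if _in_trusted_dir(str(dll)):
        return False
    same_dir = str(proc.parent).lower() == str(dll.parent).lower()
    if not same_dir:
        return False
    unsigned = not event.get("signed", False)
    return unsigned or dll.name.lower() in SYSTEM_DLL_NAMES


def find_sideload_candidates(events):
    """Return the subset of events that match the sideloading heuristic."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed telemetry: one benign system load, one unsigned DLL dropped next
# to an executable in Temp, one benign vendor plugin, one signed helper DLL in
# Downloads, and a signed copy of a system DLL name staged beside a viewer.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\version.dll", "signed": True},
    {"process": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\version.dll", "signed": False},
    {"process": r"C:\Program Files\Vendor\app.exe",
     "image": r"C:\Program Files\Vendor\plugin.dll", "signed": True},
    {"process": r"C:\Users\alice\Downloads\tool.exe",
     "image": r"C:\Users\alice\Downloads\helper.dll", "signed": True},
    {"process": r"D:\stage\viewer.exe",
     "image": r"D:\stage\dbghelp.dll", "signed": True},
]

if __name__ == "__main__":
    for e in find_sideload_candidates(SAMPLE_EVENTS):
        print("sideload candidate:", e["process"], "->", e["image"])
```

The heuristic deliberately ignores whether the host executable is signed, because in a sideloading attack it usually is; the anomaly is the DLL's location and identity, not the process. The name list is the noisy part of this rule: tune it from an inventory of the DLLs your fleet actually loads from System32, and treat a hit as a lead for triage of the DLL's hash and the process ancestry rather than as a verdict on its own.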
During the post-access phase, the group escalates privileges, scans the network, and deploys downloaders. The group has also relied on a range of techniques to carry out its campaigns, including exploitation of CVE-2019-0803, Active Directory discovery, and use of the Mimikatz tool to advance its operations.
Further investigation found no direct data exfiltration in these attacks, but the strategies and tools employed by Grayling indicate that its objective is intelligence gathering. The targeted industries, such as manufacturing, IT, biomedical, and government agencies, are more exposed to attacks of this kind, particularly from threat groups that conduct intelligence-gathering operations exclusively.
The exact origin of the Grayling APT group remains unknown. However, the heavy targeting of Taiwanese entities strongly suggests that a country with specific interests in Taiwan could be behind the campaigns.
Taiwanese organisations should remain vigilant to defend themselves against this emerging threat. They should also prioritise patching CVE-2019-0803 to close off the exploitation path this group has been observed using.
Lastly, organisations that have been compromised should adapt quickly to the evolving tactics of this threat to prevent future campaigns.