Hackers’ stealth attacks disrupt Southeast Asian organisations

August 28, 2024
Southeast Asia Cyberattacks Stealth Attacks Malware Campaigns

A sophisticated cyber campaign is actively targeting prominent organisations across Southeast Asia, using stealth techniques to infiltrate and compromise critical systems.

These techniques are extremely covert, allowing attackers to avoid detection while compromising high-value targets such as government agencies in Taiwan, military organisations in the Philippines, and energy-sector organisations in Vietnam.


The two stealth attacks used in this campaign are GrimResource and AppDomainManager Injection.


The first technique, “GrimResource”, achieves arbitrary code execution by abusing the Microsoft Management Console (MMC). The chain starts with a ZIP archive delivered through phishing emails or malicious websites. Inside is a file that looks like a harmless document, carrying a Windows certificate or PDF icon, but is in fact a Management Saved Console (MSC) file, a format attackers are increasingly turning to because it slips past conventional security safeguards.

At the core of GrimResource is a cross-site scripting (XSS) flaw in apds.dll, the Windows Authentication Protocol Domain Support (APDS) module, a weakness that dates back about six years. When the victim opens the MSC file, MMC processes the crafted entry and the attacker's JavaScript embedded in the file runs. That script downloads and executes a genuine, Microsoft-signed executable that has been renamed to avoid suspicion; the renamed binary then serves as the launcher for further malicious payloads, which is what makes the technique so effective.
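Because the MSC trigger described above is plain XML, a responder can triage suspect console files without ever opening them in MMC. The following Python script is an added example, not code from the article or from the researchers it cites. The two console files embedded in it are constructed to show the shape of an ordinary string table beside one that carries the apds.dll redirect; the javascript payload in the second is a placeholder, not anything taken from the campaign.

```python
"""Triage Management Saved Console (.msc) files for GrimResource indicators.

Added example (not from the article). It looks for the traits the technique
relies on: a <String> entry in the console's string table that points MMC at
res://apds.dll/redirect.html and carries a javascript: URL. Both sample
consoles below are constructed, not real samples from the campaign.
"""
import re
import xml.etree.ElementTree as ET

# Indicators, each checked against every <String> in the console's string table.
APDS_REDIRECT = re.compile(r"res://apds\.dll/redirect\.html", re.IGNORECASE)
JS_URL = re.compile(r"javascript:", re.IGNORECASE)
# The target parameter may arrive percent-encoded, so check that form as well.
PCT_ENCODED_JS = re.compile(r"javascript%3a", re.IGNORECASE)

# Constructed benign console: a single string-table entry with a display name.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Event Viewer</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed suspect console: the string table points MMC at the apds.dll
# redirect page with a javascript: target (placeholder payload).
SUSPECT_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">res://apds.dll/redirect.html?target=javascript:eval(%22placeholder%22)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


def scan_msc(xml_text: str) -> list[str]:
    """Return human-readable findings for one .msc file; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A console MMC cannot parse is itself worth a look, so report it.
        return [f"not well-formed XML ({exc}); inspect manually"]
    if root.tag != "MMC_ConsoleFile":
        findings.append(f"unexpected root element <{root.tag}>")
    for entry in root.iter("String"):
        text = entry.text or ""
        sid = entry.get("ID", "?")
        if APDS_REDIRECT.search(text):
            findings.append(f"String {sid}: references apds.dll redirect.html")
        if JS_URL.search(text) or PCT_ENCODED_JS.search(text):
            findings.append(f"String {sid}: carries a javascript: URL")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_MSC), ("suspect", SUSPECT_MSC)):
        print(name, scan_msc(sample) or "clean")
```

Run it over every .msc in a mail-gateway quarantine or a user's Downloads folder; either indicator alone is enough to pull the file for analysis, since legitimate consoles have no reason to reference apds.dll at all.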

The second technique, “AppDomainManager Injection”, shows how inventive these stealth attacks can be. It abuses the .NET Framework's AppDomainManager class, which the runtime instantiates when a managed application starts, to load attacker-controlled code into a legitimate application. Unlike conventional DLL side-loading, the more common choice in malware campaigns, it needs no DLL with a name the target already imports: the attacker only has to set a few environment variables or place a custom configuration file (the application's .exe.config) next to the legitimate binary. Either tells the runtime which assembly and type to load as the AppDomainManager, giving the attacker control of the application's runtime environment and a trusted process in which to carry out their objectives.
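To see what AppDomainManager Injection actually leaves on disk and in the process environment, here is an added Python example, not the article's or any vendor's code, that checks an application's .exe.config and its environment for the runtime settings the technique relies on. The assembly name "Loader" and the type "Loader.Manager" are invented, and both configuration files are constructed for the example.

```python
"""Spot AppDomainManager injection in a .NET Framework host's configuration.

Added example (not the article's or any vendor's code). The CLR consults two
places for a custom AppDomainManager: the <runtime> section of the host's
<name>.exe.config file and the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE
environment variables (COMPLUS_Version is often set alongside them to pin the
runtime version). This script flags both. The injected config below is
constructed to show the shape of such a file; "Loader" is an invented name.
"""
import xml.etree.ElementTree as ET

# Constructed: what an injected .exe.config dropped beside a signed host looks like.
INJECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Manager" />
    <etwEnable enabled="false" />
  </runtime>
</configuration>
"""

# Constructed: an ordinary config that only pins the runtime version.
ORDINARY_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

# Environment variables that make the CLR load a manager without any config file.
ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_Version")


def scan_exe_config(xml_text: str) -> list[str]:
    """Return findings for one .exe.config; an empty list means nothing suspicious."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc})"]
    runtime = root.find("runtime")
    if runtime is None:
        return findings
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is not None:
        findings.append(f"custom AppDomainManager assembly: {asm.get('value')}")
    if typ is not None:
        findings.append(f"custom AppDomainManager type: {typ.get('value')}")
    etw = runtime.find("etwEnable")
    if etw is not None and etw.get("enabled", "").lower() == "false":
        findings.append("ETW disabled via etwEnable=false (hides CLR telemetry)")
    return findings


def scan_environment(env: dict) -> list[str]:
    """Return the AppDomainManager-related variables set in a process environment."""
    return [f"{name}={env[name]}" for name in ENV_VARS if env.get(name)]


if __name__ == "__main__":
    import os
    print("injected config:", scan_exe_config(INJECTED_CONFIG))
    print("ordinary config:", scan_exe_config(ORDINARY_CONFIG) or "clean")
    print("this process  :", scan_environment(dict(os.environ)) or "clean")
```

On a live host, point scan_exe_config at every *.exe.config found in user-writable directories and feed scan_environment the environment block of running .NET processes; a signed Microsoft binary sitting in a temp folder beside a config that names an AppDomainManager assembly is the on-disk footprint of this technique.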

Researchers note that although AppDomainManager Injection has been known for several years, it has rarely been observed in the wild, which makes its use in this campaign particularly noteworthy. Its combination with GrimResource has drawn comparisons to APT41, a well-known China-linked advanced persistent threat group.

Experts warn that these stealth attacks are hard to detect and defend against, especially when the two techniques are chained. They stress preventive controls, above all email security, to block the initial delivery before the attackers can establish a foothold.
