| ChamelGang | |
|---|---|
| Other Names | CamoFei |
| Location | China |
| Date of Initial Activity | 2021 |
| Suspected Attribution | Cybercriminals |
| Motivation | Espionage |
| Associated Tools | CatB Ransomware, BestCrypt, BitLocker |
| Software | Servers |
Overview
In the realm of cyberespionage, ChamelGang stands out as a particularly sophisticated and dangerous threat actor. Believed to be a Chinese Advanced Persistent Threat (APT) group, ChamelGang has demonstrated a disturbing trend of targeting critical infrastructure and high-profile organizations worldwide. Their operations are characterized by a blend of traditional espionage techniques and modern cyber capabilities, making them a significant player in the landscape of cyber threats.
ChamelGang has garnered attention for its strategic use of ransomware in cyberattacks, employing it as both a tool for financial gain and a means of disrupting or distracting targeted entities. This approach reflects a broader trend where cyberespionage groups leverage ransomware not merely for extortion but as a strategic weapon in their broader operations. Their attacks are marked by a high degree of sophistication, utilizing custom malware and advanced techniques to infiltrate and compromise their targets.
One of the group’s most notable operations involved high-profile intrusions in 2022, targeting the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil. These attacks, publicly disclosed as ransomware incidents, have yet to be officially attributed but show clear indicators of ChamelGang’s involvement. Their choice of targets and the nature of their attacks align with known patterns of behavior, suggesting a calculated approach to cyberespionage that blends financial motivations with strategic objectives.
ChamelGang’s activities extend beyond ransomware, encompassing a wide range of tactics aimed at critical infrastructure and government organizations. Their operations in East Asia and the Indian subcontinent, including attacks on aviation sectors, underscore their capability and intent to disrupt essential services and governmental functions. The group’s use of custom tools and malware, such as BeaconLoader and CatB ransomware, highlights their advanced technical proficiency and persistent threat.
Common Targets
Sectors
- Information
- Public Administration
- Manufacturing
- Health Care and Social Assistance
- Retail Trade
- Accommodation and Food Services
Countries
- India
- Brazil
- United States
- Russia
- Taiwan
- Japan
Attack vectors
Supply Chain
Associated Tools
CatB Ransomware: This is a custom ransomware variant attributed to ChamelGang. CatB is used to encrypt data on compromised systems, demanding ransom payments from victims. The ransomware’s use has been linked to high-profile attacks on institutions like AIIMS and the Presidency of Brazil.
BeaconLoader: This custom malware tool is used by ChamelGang for various purposes, including establishing initial access and maintaining persistence on compromised systems. BeaconLoader is part of their arsenal for infiltrating and controlling targeted networks.
BestCrypt: An off-the-shelf encryption tool that ChamelGang has used to encrypt data on infected systems. BestCrypt is normally employed for legitimate data protection but is abused by the group to conduct ransomware attacks.
BitLocker: Another legitimate encryption tool, BitLocker, has been used by ChamelGang in their attacks to encrypt data on compromised systems. Similar to BestCrypt, BitLocker is used in a malicious context to execute ransomware operations.
How they work
At the core of ChamelGang’s operations is their methodical approach to initial access. The group often uses phishing campaigns to target high-value individuals within organizations, tricking them into executing malicious payloads. These campaigns are meticulously crafted to exploit weaknesses in human behavior and organizational defenses. Additionally, ChamelGang has been observed exploiting public-facing applications to gain unauthorized access, leveraging known vulnerabilities in internet-accessible software.
Once inside a network, ChamelGang employs various execution techniques to solidify their foothold. They commonly utilize command and scripting interpreters like PowerShell to execute their payloads, allowing them to perform a range of malicious activities under the radar. Scheduled tasks are also frequently created to ensure their malware runs at specific intervals, maintaining persistence and avoiding detection.
Persistence is a key aspect of ChamelGang’s strategy. They employ tactics such as modifying registry run keys and placing malicious executables in startup folders to ensure their malware persists across system reboots. This approach allows them to maintain control over compromised systems and continuously exploit their access.
Privilege escalation is another critical phase in ChamelGang’s operations. The group utilizes exploitation for privilege escalation, taking advantage of software vulnerabilities or misconfigurations to elevate their access levels. Additionally, they may engage in access token manipulation to gain higher privileges and further entrench themselves within the network.
To evade detection, ChamelGang employs various defense evasion tactics. They often use obfuscated files or information to hide their malware from security solutions, making it harder for defenders to identify and mitigate their presence. File and directory discovery techniques are also used to navigate and map the target environment while avoiding detection.
ChamelGang’s activities frequently involve credential access operations. They utilize credential dumping techniques to extract authentication information from compromised systems, which can then be used to further infiltrate the network or launch additional attacks. In some cases, brute force methods are employed to guess and capture user credentials.
As they progress through their attack, ChamelGang performs extensive discovery to understand the target environment. They use network service scanning and system information discovery to identify critical assets and vulnerabilities that can be leveraged in later stages of the intrusion.
Lateral movement is another key phase of ChamelGang’s strategy. They often use Remote Desktop Protocol (RDP) to navigate within the network and access additional systems. They also exploit Windows Admin Shares to move laterally and gather data across multiple systems.
The group’s collection tactics involve data from information repositories and input capture techniques to gather valuable information. This data is meticulously staged for exfiltration, often sent back to the attackers through established command and control channels.
Finally, ChamelGang’s operations often culminate in impactful actions such as data encryption for impact. They use ransomware like CatB to encrypt critical data, disrupting organizational operations and demanding ransom payments. This tactic not only causes significant operational disruption but also serves as a form of financial extortion.
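As an added defender-side example (not from the original profile), the following Python scores constructed process-creation events against the persistence, execution, lateral movement and encryption-tool abuse described in this section and under Associated Tools. The rule patterns, host names and sample command lines are assumptions modelled on the techniques named above, not published indicators.

```python
"""Triage constructed process-creation events against the ChamelGang TTP chain
described in the profile: run-key persistence, scheduled tasks, PowerShell
execution, RDP lateral movement and BitLocker/BestCrypt abuse for encryption.
Added example; rules and events are constructed, not real telemetry."""
import re
from collections import defaultdict

# Each rule: (technique label, regex over the process command line).
# Patterns are assumptions modelled on the techniques named in the profile.
RULES = [
    ("persistence/run-key", re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I)),
    ("persistence/scheduled-task", re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("execution/powershell-encoded", re.compile(r"powershell.*\s-(enc|encodedcommand)\s", re.I)),
    ("lateral/rdp", re.compile(r"\bmstsc(\.exe)?\b", re.I)),
    ("impact/bitlocker-encryption", re.compile(r"manage-bde(\.exe)?\s+-on\b", re.I)),
    ("impact/bestcrypt", re.compile(r"\bbcwipe|bcvolume|bestcrypt", re.I)),
]

# Constructed sample events: (host, user, command line). Not real telemetry.
EVENTS = [
    ("WS-01", "jdoe", r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d C:\Users\jdoe\up.exe'),
    ("WS-01", "jdoe", r"schtasks /create /sc minute /mo 30 /tn Sync /tr C:\Users\jdoe\up.exe"),
    ("WS-01", "jdoe", r"powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("WS-01", "jdoe", r"mstsc.exe /v:FS-02"),
    ("FS-02", "svc_backup", r"manage-bde.exe -on D: -RecoveryPassword -UsedSpaceOnly"),
    ("FS-02", "svc_backup", r"notepad.exe C:\readme.txt"),
]

def match_rules(cmdline):
    """Return the labels of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def triage(events):
    """Return {host: sorted list of distinct technique labels seen on that host}."""
    hits = defaultdict(set)
    for host, _user, cmd in events:
        for name in match_rules(cmd):
            hits[host].add(name)
    return {h: sorted(s) for h, s in hits.items()}

def flag_hosts(events, threshold=2):
    """Hosts showing at least `threshold` distinct techniques from the chain."""
    return sorted(h for h, names in triage(events).items() if len(names) >= threshold)

if __name__ == "__main__":
    for host, names in triage(EVENTS).items():
        print(host, names)
    print("escalate:", flag_hosts(EVENTS))
```

A single BitLocker enablement on a file server is a weak signal on its own; the per-host threshold is what separates a chained intrusion from routine administration.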