An ongoing cyber attack campaign attributed to a China-based threat actor has been detected targeting the Southeast Asian gambling sector. The campaign deploys Cobalt Strike beacons on compromised systems.
Security firm SentinelOne attributes these attacks to the Bronze Starlight threat actor, which has a history of using short-lived ransomware families as a cover for its espionage activities. The attackers do not exploit a software vulnerability in the usual sense: they abuse legitimate, vendor-signed executables from products such as Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan that are susceptible to DLL hijacking, dropping a malicious DLL beside the executable so that it is loaded in place of the system library the program expects.
The campaign’s tactics and procedures overlap with an intrusion set named Operation ChattyGoblin, as well as with a supply chain attack that used a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor. The interconnected relationships among various Chinese nation-state actors make attribution a challenge.
The infection chain starts with modified installers for chat applications, which download a .NET malware loader. That loader retrieves a second-stage ZIP archive from Alibaba Cloud storage buckets. The ZIP contains the three components needed to execute a Cobalt Strike beacon through DLL hijacking: a legitimate executable susceptible to DLL hijacking, a malicious DLL carrying the same name as a library the executable imports, and an encrypted data file holding the beacon payload that the DLL decrypts and runs.
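The side-loading step described above leaves a recognizable trace in endpoint telemetry: a signed third-party executable loading a DLL whose name belongs to a Windows system library, but from a directory other than System32 and without a Microsoft signature. The following is an added example of that detection logic, written for this page and not code from SentinelOne or any tool the report mentions. It assumes a simplified Sysmon Event ID 7 (ImageLoaded) record flattened to `Key=Value|Key=Value` lines; the event lines, the hypothetical `SIDELOAD_PRONE_DLLS` list and the directory paths are constructed for the example.

```python
"""Flag DLL search-order hijacking (side-loading) in Sysmon-style image-load events."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows DLLs that third-party programs import by bare name and therefore
# resolve from their own directory before System32. Partial list; which names
# to include is an assumption of this example, not data from the report.
SIDELOAD_PRONE_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "msimg32.dll", "userenv.dll", "dwmapi.dll", "profapi.dll", "uxtheme.dll",
}

# Where Windows legitimately serves those DLLs from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (ImageLoaded) record."""
    image: str              # the process that loaded the DLL
    image_loaded: str       # full path of the DLL
    signed: bool            # DLL carries a valid Authenticode signature
    signature: str          # DLL signer subject name ("" when unsigned)
    process_signature: str  # signer of the loading process image


def parse_event(line: str) -> ImageLoad:
    """Parse one 'Key=Value|Key=Value' line (constructed format for this example)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        process_signature=fields.get("ProcessSignature", ""),
    )


def sideload_reason(ev: ImageLoad) -> Optional[str]:
    """Return why the load looks like side-loading, or None if it looks normal."""
    dll_name = ntpath.basename(ev.image_loaded).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    if dll_name not in SIDELOAD_PRONE_DLLS:
        return None
    if dll_dir.startswith(SYSTEM_DIRS):
        return None  # served by the OS from its normal location
    if ev.signed and ev.signature.lower().startswith("microsoft"):
        return None  # vendor shipped a genuine Microsoft copy alongside the app
    same_dir = dll_dir == ntpath.dirname(ev.image).lower()
    where = "its own directory" if same_dir else "a non-system directory"
    signer = ev.signature or "unsigned"
    return (f"{dll_name} loaded from {where} ({signer}) by "
            f"{ntpath.basename(ev.image)} [{ev.process_signature or 'unsigned'}]")


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run the rule over event lines; return (line index, reason) for each hit."""
    hits = []
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        reason = sideload_reason(parse_event(line))
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample events (not real telemetry). Event 1 is the hijack case:
# a vendor-signed executable dropped into a writable folder loads an unsigned
# version.dll from that same folder instead of the copy in System32.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|Signature=Microsoft Windows|ProcessSignature=Adobe Inc.",
    r"Image=C:\Users\Public\Libraries\update\Creative Cloud.exe|ImageLoaded=C:\Users\Public\Libraries\update\version.dll|Signed=false|Signature=|ProcessSignature=Adobe Inc.",
    r"Image=C:\Program Files\Vendor\tool.exe|ImageLoaded=C:\Program Files\Vendor\dbghelp.dll|Signed=true|Signature=Microsoft Corporation|ProcessSignature=Vendor Ltd",
    r"Image=C:\Program Files\Vendor\tool.exe|ImageLoaded=C:\Program Files\Vendor\libhelper.dll|Signed=false|Signature=|ProcessSignature=Vendor Ltd",
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Only the second sample event is flagged: the first loads the genuine library from System32, the third is a vendor redistributing a Microsoft-signed copy of dbghelp.dll, and the fourth is an application-private DLL that no system library shares a name with. The rule sees only the load event; the encrypted data file that sits next to the malicious DLL in this campaign is not visible here and would need a separate file-creation or directory-listing check.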
One of the .NET malware loaders used in the campaign is signed with a code-signing certificate belonging to the Singapore-based VPN provider Ivacy VPN, which the attackers are believed to have stolen. A valid signature from a real vendor means controls that trust a binary solely because its Authenticode signature verifies would let this loader through; signer identity and reputation, not just signature validity, have to be checked. The attackers also employ HUI Loader variants, a custom malware loader frequently used by China-based groups such as APT10, Bronze Starlight, and TA410.
This pattern of shared malware, infrastructure, and tactics underscores the collaborative nature of China-nexus threat actors and is one reason attribution among them is difficult. The campaign serves as a reminder of the complex and evolving nature of the Chinese cyber threat landscape.