A new 'top-tier' Chinese espionage group is stealing sensitive data
Phantom Taurus has been operating for two years and uses custom-built malware to maintain long-term access to critical targets
A newly discovered threat group linked to China is targeting governments, militaries, and other critical bodies across Africa, the Middle East, and Asia for espionage.
Palo Alto Networks said the group, which it has dubbed Phantom Taurus, belongs in the top tier of global threats.
"This is largely due to their targeting of both high-level geopolitical intelligence and entities (embassies, foreign ministries, diplomats) and critical telecommunications infrastructure, making them very much a dual threat," the researchers warned.
Phantom Taurus has been operating for two years, using a distinctive set of tactics, techniques, and procedures (TTPs) that allow it to conduct highly covert operations.
Alongside more common tools, such as China Chopper, the Potato suite, and Impacket, the group uses customized tools, including the Specter malware family and Ntospy. It's also been able to maintain long-term access to critical targets through a custom-built malware suite called NET-STAR.
Since 2023, Phantom Taurus has focused on stealing specific emails of interest from email servers, but it has more recently shifted to targeting databases directly, using a script named mssq.bat.
The script connects to a SQL Server instance using a supplied server name, the built-in sa (system administrator) login, and a password the attackers obtained earlier. It then reads a SQL query from the command-line arguments supplied by the group's operators, allowing them to search dynamically for tables and specific keywords.
Finally, it executes the query, exports the matching results to a CSV file, and closes the database connection.
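The database-access step described above (a successful sa login over SQL Server authentication, followed by an operator-supplied query) leaves a footprint in the SQL Server ERRORLOG when the instance audits successful as well as failed logins. The following Python is an added hunting example written for this page; it is not code from the Unit 42 report or from the attackers' mssq.bat. The log lines are constructed samples in the ERRORLOG "Logon" format, and the allowlist of client networks is a hypothetical value an operator would set to the hosts from which sa is legitimately used.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the SQL Server ERRORLOG "Logon" format (not real data).
# Successful logins are only written when the instance's login auditing is set to
# "Both failed and successful logins"; by default only failures are logged.
SAMPLE_ERRORLOG = """\
2025-09-30 09:58:01.42 Logon       Login succeeded for user 'DOMAIN\\svc_app'. Connection made using Windows authentication. [CLIENT: 10.10.5.21]
2025-09-30 10:15:22.12 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.9]
2025-09-30 10:15:23.03 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 172.16.40.7]
2025-09-30 10:16:40.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.40.7]
2025-09-30 10:20:05.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: <local machine>]
"""

# One ERRORLOG logon line: timestamp, outcome, login name, free text, client address.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<outcome>succeeded|failed) for user '(?P<user>[^']+)'\."
    r"(?P<rest>.*)\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_lines(log_text):
    """Turn ERRORLOG text into a list of logon event dicts; non-logon lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m["ts"],
            "outcome": m["outcome"],
            "user": m["user"],
            # Windows-auth logins say "Windows authentication"; sa can only use SQL auth.
            "sql_auth": "SQL Server authentication" in m["rest"],
            "client": m["client"].strip(),
        })
    return events


def client_allowed(client, allowed_networks, allow_local=True):
    """True if the client address falls inside an allowlisted network.

    "<local machine>" is what SQL Server logs for shared-memory connections;
    whether that is expected depends on who has a shell on the database host.
    """
    if client == "<local machine>":
        return allow_local
    try:
        addr = ip_address(client)
    except ValueError:
        return False  # unparseable client field: treat as not allowlisted
    return any(addr in net for net in allowed_networks)


def flag_sa_logins(log_text, allowed_cidrs, allow_local=True):
    """Return successful SQL-auth 'sa' logins from clients outside the allowlist.

    allowed_cidrs is a hypothetical operator-maintained list of networks
    (DBA jump hosts, monitoring) from which sa is expected to connect.
    """
    nets = [ip_network(c) for c in allowed_cidrs]
    flagged = []
    for ev in parse_logon_lines(log_text):
        if ev["user"].lower() != "sa" or ev["outcome"] != "succeeded":
            continue
        if not ev["sql_auth"]:
            continue
        if client_allowed(ev["client"], nets, allow_local):
            continue
        flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for hit in flag_sa_logins(SAMPLE_ERRORLOG, ["10.10.0.0/16"]):
        print(f"{hit['ts']} sa login over SQL auth from unexpected client {hit['client']}")
```

Run against the sample, the two sa logins from 10.0.0.9 and 172.16.40.7 are reported while the Windows-auth service account and the local-machine connection are not. In practice the allowlist should be as small as the real DBA workflow permits, and a better control is to disable the sa login entirely (or at least rename it and restrict it to Windows authentication) so that a stolen password has nothing to log in to.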
Perhaps most significantly, the group is using a new and undocumented malware suite, NET-STAR, designed to target Internet Information Services (IIS) web servers.
"The NET-STAR malware suite demonstrates Phantom Taurus' advanced evasion techniques and a deep understanding of .NET architecture, representing a significant threat to internet-facing servers," the researchers said.
The suite consists of three distinct web-based backdoors, each carrying out a specific role in the attack chain, while maintaining persistence within the target's IIS environment.
IIServerCore is a fileless modular backdoor that supports in-memory execution of command-line arguments, arbitrary commands and payloads; AssemblyExecuter V1 loads and executes additional .NET payloads in memory; and AssemblyExecuter V2 is an enhanced version of AssemblyExecuter V1 that's also equipped with Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) bypass capabilities.
Palo Alto Networks has published indicators of compromise in its report, and has updated its Advanced WildFire machine-learning models and Cortex XDR to give better protection. It said it has also shared its findings with fellow Cyber Threat Alliance (CTA) members, and is recommending that they do the same.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.