A new 'top-tier' Chinese espionage group is stealing sensitive data
Phantom Taurus has been operating for two years and uses custom-built malware to maintain long-term access to critical targets


A newly discovered threat group linked to China is targeting governments, the military, and other critical bodies across Africa, the Middle East, and Asia for espionage.
Palo Alto Networks said the group, which it has dubbed Phantom Taurus, belongs in the top tier of global threats.
"This is largely due to their targeting of both high-level geopolitical intelligence and entities (embassies, foreign ministries, diplomats) and critical telecommunications infrastructure, making them very much a dual threat," the researchers warned.
Phantom Taurus has been operating for two years, using a distinctive set of tactics, techniques, and procedures (TTPs) that allow it to conduct highly covert operations.
Alongside more common tools, such as China Chopper, the Potato suite, and Impacket, the group uses customized tools, including the Specter malware family and Ntospy. It's also been able to maintain long-term access to critical targets through a custom-built malware suite called NET-STAR.
Since 2023, Phantom Taurus has focused on stealing sensitive and specific emails of interest from email servers – but has more recently shifted to the direct targeting of databases using a script named mssq.bat.
This connects to a SQL Server instance using a server name supplied by the operators, the built-in sa (system administrator) login, and a password the attackers had obtained earlier. It then reads the SQL query provided in the command-line arguments by the group's operators, allowing them to search dynamically for tables and specific keywords.
Finally, it executes the provided query and returns the results that match the user's search, exports the results to a CSV file, and closes the database connection.
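The detail that matters for defenders in the mssq.bat description is the authentication path: the script logs in as sa with a password the attackers already hold, so there is no brute-force noise to alert on. The following Python is an added example, not code from the ITPro article or from the Unit 42 report, showing one way to hunt for that pattern in a SQL Server ERRORLOG. It assumes login auditing is set to record successful as well as failed logins (so "Login succeeded" lines exist), the log lines are constructed for illustration, and the DBA_HOSTS allowlist of hosts from which sa is legitimately used is hypothetical.

```python
"""Hunt for successful 'sa' logins from hosts outside a DBA allowlist.

Added example, not from the ITPro article or Unit 42's report. Assumes SQL
Server login auditing records successful logins, so the ERRORLOG carries
'Login succeeded for user ...' lines. All log lines below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed ERRORLOG excerpt (not real telemetry). Mirrors the default
# layout: timestamp, source column 'Logon', message, '[CLIENT: <ip>]'.
SAMPLE_ERRORLOG = """\
2025-09-29 08:01:10.55 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.5.20]
2025-09-29 08:03:41.02 Logon       Login succeeded for user 'CORP\\svc_reporting'. Connection made using Windows authentication. [CLIENT: 10.10.7.15]
2025-09-29 23:17:03.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.9.44]
2025-09-29 23:17:09.14 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.9.44]
2025-09-29 23:17:11.71 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.9.44]
"""

# Hypothetical allowlist: jump hosts from which DBAs are permitted to use sa.
DBA_HOSTS = {"10.10.5.20"}

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']+)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]$"
)


@dataclass(frozen=True)
class LogonEvent:
    ts: str
    user: str
    succeeded: bool
    client: str


def parse_errorlog(text):
    """Extract logon events; non-logon lines (startup, backups, ...) are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            events.append(
                LogonEvent(m["ts"], m["user"], m["result"] == "succeeded", m["client"])
            )
    return events


def suspicious_sa_logins(events, allowed_hosts=DBA_HOSTS):
    """Successful sa logins from a client not on the allowlist.

    Matches the login name case-insensitively: SQL Server logins are
    case-insensitive under the default server collation.
    """
    return [
        e
        for e in events
        if e.succeeded and e.user.lower() == "sa" and e.client not in allowed_hosts
    ]


def summarize_by_client(events, allowed_hosts=DBA_HOSTS):
    """Per offending client: successful sa logins and any failed sa attempts.

    The failed count is context only. An actor that already holds the sa
    password (the case described in the article) will often show zero
    failures, so a rule keyed on failures alone would miss it.
    """
    summary = {}
    for e in suspicious_sa_logins(events, allowed_hosts):
        entry = summary.setdefault(e.client, {"succeeded": 0, "failed": 0, "first_seen": e.ts})
        entry["succeeded"] += 1
    for e in events:
        if not e.succeeded and e.user.lower() == "sa" and e.client in summary:
            summary[e.client]["failed"] += 1
    return summary


if __name__ == "__main__":
    for client, info in summarize_by_client(parse_errorlog(SAMPLE_ERRORLOG)).items():
        print(f"{client}: {info['succeeded']} sa login(s), "
              f"{info['failed']} failed attempt(s), first seen {info['first_seen']}")
```

In the constructed sample the allowlisted DBA host is ignored and the two late-night sa logins from 10.10.9.44 are reported, with the single earlier failure attached as context. The same parse works against the Windows Application log's SQL Server events if you feed it the message text, and the obvious follow-up hardening is to disable or rename sa and keep sysadmin on named accounts, so that a stolen sa password stops being a usable credential at all.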
Perhaps most significantly, the group is using a new and undocumented malware suite, NET-STAR, designed to target Internet Information Services (IIS) web servers.
"The NET-STAR malware suite demonstrates Phantom Taurus' advanced evasion techniques and a deep understanding of .NET architecture, representing a significant threat to internet-facing servers," the researchers said.
The suite consists of three distinct web-based backdoors, each carrying out a specific role in the attack chain, while maintaining persistence within the target's IIS environment.
IIServerCore is a fileless modular backdoor that supports in-memory execution of command-line arguments, arbitrary commands, and payloads. AssemblyExecuter V1 loads and executes additional .NET payloads in memory. AssemblyExecuter V2 is an enhanced version of AssemblyExecuter V1 that is also equipped with Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) bypass capabilities.
Palo Alto Networks has published indicators of compromise in its report, and has upgraded its Advanced WildFire machine-learning models and Cortex XDR to give better protection. It said it has also shared its findings with fellow Cyber Threat Alliance (CTA) members, and is recommending that they do the same.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.