A “multi-year” Chinese state-sponsored cyber espionage campaign has been observed targeting South Korean academic, political and government organizations.
Recorded Future’s Insikt Group, which is tracking the activity under the moniker TAG-74, said the adversary has been linked to “Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia.”
The cybersecurity firm described the targeting of South Korean educational institutions as consistent with China’s broader efforts to steal intellectual property and expand its influence, and as further motivated by South Korea’s strategic ties with the US.
Social engineering attacks mounted by the adversary make use of Microsoft Compiled HTML Help (CHM) file lures to drop a custom variant of an open-source Visual Basic Script backdoor called ReVBShell, which subsequently serves to deploy the Bisonal remote access trojan.
ReVBShell can be instructed by the remote server to sleep for a specified interval, and the server can change that time period with a follow-up command. It also uses Base64 encoding to hide its command-and-control (C2) traffic.
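As an added illustration that is not from the report, the following Python sketches how a defender could hunt for this chain: a process-creation event in which the Windows HTML Help viewer (hh.exe, which opens CHM files) spawns a VBScript host, plus decoding of Base64 runs in a captured C2 body so the hidden command can be read. The event records, the sample C2 body and the hh.exe parent heuristic are constructed assumptions, not indicators from the report.

```python
import base64
import binascii
import re

# Constructed Sysmon-style process-creation events (not from the original report).
# hh.exe is the Windows HTML Help viewer; wscript.exe and cscript.exe run VBScript.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //e:vbscript C:\Users\Public\update.vbs"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": "cscript.exe //nologo inventory.vbs"},
]

# Constructed C2 response body carrying a Base64-wrapped sleep command.
SAMPLE_C2_BODY = "id=7&data=" + base64.b64encode(b"sleep 300").decode()

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chm_spawned_script_host(event):
    """True when the CHM viewer (hh.exe) is the parent of a script host."""
    return (_basename(event["parent"]) == "hh.exe"
            and _basename(event["image"]) in SCRIPT_HOSTS)


def find_suspicious_events(events):
    """Return command lines of events matching the CHM -> script host chain."""
    return [e["cmdline"] for e in events if chm_spawned_script_host(e)]


def decode_base64_runs(body):
    """Decode long Base64 runs in a captured body into readable ASCII strings."""
    decoded = []
    for run in _B64_RUN.findall(body):
        try:
            text = base64.b64decode(run, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64, or not a text command
        if text.isprintable():
            decoded.append(text)
    return decoded
```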
The use of ReVBShell has been linked to two other China-nexus groups known as Tick and Tonto Team, the latter of which was tied to a similar infection sequence by the AhnLab Security Emergency Response Center (ASEC) in April 2023.
Bisonal is a multifunctional Trojan that can collect process and file information, execute commands and files, terminate processes, download and upload files, and delete arbitrary files on disk.
TAG-74 is said to be closely related to Tick, once again highlighting the tool sharing prevalent among Chinese threat groups.
“The observed TAG-74 operation is indicative of the group’s long-term intelligence collection objectives against South Korean targets,” Recorded Future said.
“Given the group’s persistent focus on South Korean organizations over many years and the likely operational purview of the Northern Theater Command, the group is likely to continue to be highly active in conducting long-term intelligence-gathering on strategic targets within South Korea as well as in Japan and Russia.”