A previously undocumented threat actor of unknown origin has been linked to multiple attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan.
The Symantec Threat Hunter team, part of Broadcom, attributed the attacks to an advanced persistent threat (APT), which it tracks under the name Grayling. Evidence suggests that the campaign began in February 2023 and continued until at least May 2023.
A government agency based in the Pacific Islands, as well as entities in Vietnam and the US, are also likely to be targeted as part of the activity.
“This activity was revealed by Grayling’s use of a specific DLL side-loading technique, which uses a custom decryptor to deploy the payload,” the company said in a report. “The motivation driving this activity appears to be intelligence gathering.”
Initial access to the victim environment is said to have been gained by exploiting public-facing infrastructure, followed by deployment of a web shell for continued access.
The attack chains leverage DLL side-loading via SbieDll_Hook to load a variety of payloads, including the Cobalt Strike, NetSpy and Havoc frameworks, as well as other tools such as Mimikatz. Grayling has also been observed killing all processes listed in a file called processlist.txt.
DLL side-loading is a popular technique used by a variety of threat actors to trick the Windows operating system into getting around security solutions and executing malicious code on the target endpoint.
This is often accomplished by placing a malicious DLL with the same name as a legitimate DLL used by an application in a location where it will be loaded before the genuine DLL by taking advantage of the DLL search order mechanism.
“Once they gain initial access to a victim’s computer, attackers take various actions, including escalating privileges, network scanning, and using downloaders,” Symantec said.
The use of DLL side-loading in relation to SbieDll_Hook and SandboxieBITS.exe was previously seen in the case of the Naikon APT in attacks targeting military organizations in Southeast Asia.
To date there is no evidence to suggest that the adversary has engaged in any type of data intrusion, suggesting that the intentions are towards reconnaissance and intelligence gathering.
The use of publicly available tools is seen as an attempt to complicate attribution efforts, while process termination indicates avoiding detection evasion as a preference for remaining under the radar for long periods of time.
“The heavy targeting of Taiwanese organizations suggests that they likely operate from areas of strategic interest in Taiwan,” the company said.
