Attack chains carried out by the organization have included a collection of backdoors that have never been published before, including TunnelSpecter and SweetSpecter. These backdoors are variations of the notorious Gh0st RAT, a tool that Beijing government threat actors frequently utilize in their espionage activities.

The moniker "TunnelSpecter" refers to the extra layer of stealth that it provides through data exfiltration via DNS tunneling. Conversely, SweetSpecter got its name from its resemblance to SugarGh0st RAT, a customized version of Gh0st RAT that has been utilized since August 2023 by an alleged threat actor who speaks Chinese.

The adversary can enter their targets' networks covertly thanks to both backdoors, and they can also use them to carry out arbitrary commands, steal data, and install more malware and tools on the compromised servers. The threat actor seems to keep a close eye on current geopolitical events and makes daily attempts to exfiltrate data.

This is accomplished by making deliberate attempts to break into targets' mail servers and search them for relevant content. In certain situations, this involves making repeated attempts to re-enter the system after the attackers' actions were discovered and stopped. By taking advantage of well-known Exchange server vulnerabilities like ProxyLogon and ProxyShell, initial access is achieved.

The threat actor conducted a keyword search and exfiltrated whatever relevant they could uncover, including whole archived inboxes associated with specific individuals or diplomatic missions. The threat actor also stole files on subjects they were looking for. The usage of operational infrastructure that is only available to China-nexus groups like APT27, Mustang Panda, and Winnti, as well as resources like the China Chopper web shell and PlugX, further ties the Chinese to Operation Diplomatic Specter.

The exfiltration methods seen during Operation Diplomatic Specter offer a clear view into the potential strategic goals of the threat actor responsible for the attacks. The threat actor sought sensitive information, including specifics regarding foreign affairs ministries, diplomatic missions and embassies, and military operations.

Impact

• Cyber Espionage
• Credential Theft
• Sensitive Data Theft
• Data Exfiltration

Indicators of Compromise

Domain Name

• labour.govu.ml
• govm.tk

IP

• 103.108.192.238
• 103.149.90.235
• 192.225.226.217
• 194.14.217.34
• 103.108.67.153

MD5

SHA-256

• 0e0b5c5c5d569e2ac8b70ace920c9f483f8d25aae7769583a721b202bcc0778f
• 62dec3fd2cdbc1374ec102d027f09423aa2affe1fb40ca05bf742f249ad7eb51
• 0b980e7a5dd5df0d6f07aabd6e7e9fc2e3c9e156ef8c0a62a0e20cd23c333373
• d5a44380e4f7c1096b1dddb6366713aa8ecb76ef36f19079087fc76567588977

SHA-1

• a481201463b42e6caeedb7c0f72d5d40845d41c8
• 40ac6f9f097bc048f3b57b76c3f9535c9f8a82b8
• fc9e5233f24b0eca8ba2d09014f5c51583a1c7b0
• d4f45476a00589b6a92f175bbca5c8f1a39a77d5

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Patch and upgrade any platforms and software timely and make it into a standard security policy.
• Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
• Implement network segmentation to limit lateral movement for attackers within the network.
• Implement advanced email filtering to detect and block phishing emails.
• Employ updated and robust endpoint protection solutions to detect and block malware.
• Develop and test an incident response plan to ensure a swift and effective response to security incidents.
• Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
• Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
• Regularly back up critical data and ensure that backup and recovery procedures are in place.