Symantec Threat Hunter Team Reveals Grayling APT Attack Campaign

admin, 2023-10-14 00:15:26


A previously undocumented threat actor of unknown provenance has been linked to a number of attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan.


The Symantec Threat Hunter Team, part of Broadcom, attributed the attacks to an advanced persistent threat (APT) it tracks under the name Grayling. Evidence shows that the campaign began in February 2023 and continued until at least May 2023.


Also likely targeted as part of the activity is a government agency located in the Pacific Islands, as well as entities in Vietnam and the U.S.


"This activity stood out due to the use by Grayling of a distinctive DLL side-loading technique that uses a custom decryptor to deploy payloads," the company said in a report shared with The Hacker News. "The motivation driving this activity appears to be intelligence gathering."


The initial foothold to victim environments is said to have been achieved by exploiting public-facing infrastructure, followed by the deployment of web shells for persistent access.


The attack chains then leverage DLL side-loading via SbieDll_Hook to load a variety of payloads, including Cobalt Strike, NetSpy, and the Havoc framework, alongside other tools like Mimikatz. Grayling has also been observed killing all processes listed in a file called processlist.txt.


DLL side-loading is a popular technique used by a variety of threat actors to get around security solutions and trick the Windows operating system into executing malicious code on the target endpoint.


This is often accomplished by placing a malicious DLL that has the same name as a legitimate DLL used by an application in a location where, because of the DLL search order mechanism, Windows finds and loads it before the genuine DLL.


"The attackers take various actions once they gain initial access to victims' computers, including escalating privileges, network scanning, and using downloaders," Symantec said.


It's worth noting that the use of DLL side-loading with respect to SbieDll_Hook and SandboxieBITS.exe was previously observed in the case of Naikon APT in attacks targeting military organizations in Southeast Asia.


Symantec told The Hacker News that it did not find any overlaps between Grayling and Naikon, but noted that "DLL side-loading is a pretty common technique for APT actors these days, particularly among actors operating out of China."


There is no evidence to suggest that the adversary has engaged in any form of data exfiltration to date, suggesting the motives are geared more toward reconnaissance and intelligence gathering.


The use of publicly available tools is seen as an attempt to complicate attribution efforts, while process termination indicates detection evasion as a priority for staying under the radar for extended periods of time.


"The heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan," the company added.


Originally published by the WeChat public account 知机安全: Symantec Threat Hunter Team Reveals Grayling APT Attack Campaign

Posted by admin on 2023-10-14 00:15:26. Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2102449.html
