Researchers Discover Grayling APT's Industry-Wide Attacks

A previously unreported threat actor with an unclear origin has been connected to several attacks against Taiwanese companies in the IT, industrial, and biomedical industries.

The attacks were ascribed to an advanced persistent threat (APT) known as Grayling by the Broadcom-owned Symantec Threat Hunter Team. Based on available data, the campaign started in February 2023 and ran through at least May 2023.

A government organisation in the Pacific Islands, as well as organisations in Vietnam and the United States, are probably also targets of this action.

"This activity stood out due to Grayling's use of a distinctive DLL side-loading technique that uses a custom decryptor to deploy payloads," the company said in a report shared with The Hacker News. "The motivation driving this activity appears to be intelligence gathering."

The initial foothold inside victim environments is said to have been obtained by exploiting public-facing infrastructure, after which web shells were used to maintain persistent access.

The attack chains then use SbieDll_Hook to enable DLL side-loading and load a range of payloads, including Mimikatz, Cobalt Strike, and NetSpy, in addition to the Havoc framework. Grayling has additionally been observed terminating every process listed in a file named processlist.txt.

DLL side-loading is a popular method among many threat actors for evading security measures and tricking Windows into launching malicious code on the targeted endpoint.

This is commonly achieved by abusing the DLL search order mechanism: a malicious DLL with the same name as a genuine DLL used by an application is placed in a location where it will be found and loaded before the legitimate DLL.
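The side-loading pattern described above is easiest to catch from the defender's side by looking at where a DLL is loaded from rather than what it is called. The following is an added detection sketch, not code from the article or from Symantec. It assumes image-load telemetry in the form of records holding the loading process path, the loaded DLL path and the DLL's signer (the shape of Sysmon Event ID 7 data, for example), a baseline of where known DLLs legitimately live and who signs them, and a short list of user-writable directory prefixes. The DLL name SbieDll.dll (the Sandboxie DLL exporting SbieDll_Hook), the signer string, and every sample event are constructed for the example.

```python
"""Flag likely DLL side-loading from image-load records (added example).

Rules implemented, each on its own a reason for an analyst to look closer:
  A. a DLL whose name is in the baseline is loaded from a directory that is
     not one of its known install directories;
  B. a baseline DLL carries an unexpected or missing signer;
  C. an application running from a user-writable location loads a DLL that
     sits next to it (a copied legitimate binary beside a planted DLL).
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed baseline: DLL file name -> known install directories and signer.
# A real baseline would be built from a known-good host; the signer value is a placeholder.
BASELINE = {
    "sbiedll.dll": {
        "dirs": {"c:\\program files\\sandboxie"},
        "signer": "EXAMPLE-VENDOR-SIGNER",
    },
}

# Directory prefixes an unprivileged user can normally write to (assumption for the example).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ImageLoad:
    process: str  # full path of the process that loaded the DLL
    dll: str      # full path of the loaded DLL
    signer: str   # signer name as reported by telemetry; "" when unsigned/unknown


def check_image_load(ev: ImageLoad) -> list[str]:
    """Return the list of rule descriptions that fire for one image-load event."""
    findings = []
    dll_path = PureWindowsPath(ev.dll)
    dll_dir = str(dll_path.parent).lower()
    proc_dir = str(PureWindowsPath(ev.process).parent).lower()
    base = BASELINE.get(dll_path.name.lower())

    if base is not None:
        if dll_dir not in base["dirs"]:
            findings.append("A: known DLL loaded from unexpected directory")
        if ev.signer != base["signer"]:
            findings.append("B: unexpected or missing signer on known DLL")

    if proc_dir.startswith(USER_WRITABLE_PREFIXES) and dll_dir == proc_dir:
        findings.append("C: application and DLL co-located in user-writable path")

    return findings


def scan(events: list[ImageLoad]) -> list[tuple[int, list[str]]]:
    """Return (event index, findings) for every event that triggers at least one rule."""
    results = []
    for i, ev in enumerate(events):
        findings = check_image_load(ev)
        if findings:
            results.append((i, findings))
    return results


# Constructed sample telemetry: one benign load of the real DLL from its install
# directory, one side-load from a copied binary in a user-writable folder, one
# ordinary system DLL load, and one unknown DLL loaded beside a binary in ProgramData.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Sandboxie\SandboxieBITS.exe",
              r"C:\Program Files\Sandboxie\SbieDll.dll", "EXAMPLE-VENDOR-SIGNER"),
    ImageLoad(r"C:\Users\Public\Libraries\SandboxieBITS.exe",
              r"C:\Users\Public\Libraries\SbieDll.dll", ""),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\ProgramData\Updater\helper.exe",
              r"C:\ProgramData\Updater\plugin.dll", ""),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index].dll}")
        for f in findings:
            print(f"    {f}")
```

Rule C is the one that needs no prior knowledge of the abused application, which matters when the actor brings its own copy of a legitimate, signed executable; rules A and B only help for DLLs you have baselined, so the baseline is the part worth investing in.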

"The attackers take various actions once they gain initial access to victims' computers, including escalating privileges, network scanning, and using downloaders," warned Symantec.

It is worth noting that DLL side-loading involving SbieDll_Hook and SandboxieBITS.exe was previously observed in Naikon APT attacks on Southeast Asian military institutions.

The Hacker News was informed by Symantec that while it did not see any similarities between Grayling and Naikon, "DLL side-loading is a pretty common technique for APT actors these days, particularly among actors operating out of China."

So far there is no evidence that the adversary has carried out any data exfiltration, which suggests that its goals are primarily intelligence collection and reconnaissance.

The use of publicly available tools is seen as an attempt to complicate attribution, while the killing of processes suggests that staying undetected for long periods is a high priority.

"The heavy targeting of Taiwanese organisations does indicate that they likely operate from a region with a strategic interest in Taiwan," the company stated.
