SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Kaspersky uncovers malware attack in Asia-Pacific region

Today

Kaspersky ICS CERT has uncovered a campaign targeting government and industrial organisations in the Asia-Pacific region, employing legitimate online services to manage and spread malware.

The campaign has been identified as targeting several APAC countries and territories, including Taiwan, Malaysia, China, Japan, Thailand, Hong Kong, South Korea, Singapore, the Philippines, and Vietnam. It involved deploying malware disguised as tax-related documents in zip archives, delivered through phishing via email and messaging platforms like WeChat and Telegram.

The multi-stage installation procedure led to the deployment of a backdoor named FatalRAT on victims' systems. This attack is marked by a shift in tactics, techniques, and procedures specifically aimed at Chinese-speaking targets, differing from previous campaigns using open-source remote access Trojans such as Gh0st RAT, SimayRAT, and Zegost.

The attackers utilised legitimate Chinese cloud services like myqcloud CDN and Youdao Cloud Notes, employing methods to evade detection, such as dynamic changes to control servers and malicious payloads, hosting files on legitimate web resources, exploiting vulnerabilities in recognised applications, and using legitimate software functionalities for malicious purposes.

Kaspersky has named this attack campaign "SalmonSlalom", drawing a parallel to the difficult process a salmon faces navigating upstream. "We repeatedly see threat actors using combinations of relatively simple attack methods and techniques nevertheless succeed in reaching their targets, even within the OT perimeter," stated Evgeny Goncharov, Head of Kaspersky ICS CERT. "This particular campaign serves as a warning to various industrial organisations in the APAC region."

The campaign remains unattributed to any specific group, but evidence suggests potential involvement of a Chinese-speaking threat actor, indicated by the use of Chinese-language services and interfaces.

Kaspersky recommends taking the following measures to avoid falling victim to the attack described above:

· Enable two-factor authentication for logging in to administration consoles and web interfaces of security solutions.

· Install up-to-date versions of centrally managed security solutions on all systems and update antivirus databases and program modules on a regular basis.

· Check that all security solution components are enabled on all systems and that active policies prohibit disabling protection and terminating or removing solution components without entering the administrator password.

· Check that security solutions receive up-to-date threat information (for instance, from Kaspersky Security Network) for those groups of systems where the use of cloud security services is not prohibited by law or regulations.

· Update operating systems and applications to versions currently supported by the vendors. Install the latest security updates (patches) for operating systems and applications.

· Deploy a SIEM system, for example, Kaspersky Unified Monitoring and Analysis Platform.

· Utilise EDR/XDR/MDR solutions for establishing a baseline regarding the most commonly observed grandparent-parent-child process relationship in OT environments. This highly recommended advice stems from our observation that a legitimate function of the legitimate binary was exploited to execute the subsequent staged payload.
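The last recommendation, baselining grandparent-parent-child process lineages so that a legitimate binary launching an unexpected next stage stands out, as an added illustration that is not Kaspersky's code or part of the original article. The telemetry tuples and process names are constructed; a real deployment would feed it process-creation events from the EDR/XDR sensor.

```python
"""Baseline grandparent-parent-child process lineages and flag deviations.

Added example, not Kaspersky's code: it illustrates the page's advice to use
EDR/XDR telemetry to baseline common process ancestry in OT environments.
All event fields and process names below are constructed for illustration.
"""
from collections import Counter

# Constructed process-start telemetry as (grandparent, parent, child) tuples,
# as an EDR sensor might report them over a learning period.
BASELINE_EVENTS = [
    ("services.exe", "svchost.exe", "taskhostw.exe"),
    ("services.exe", "svchost.exe", "taskhostw.exe"),
    ("services.exe", "svchost.exe", "taskhostw.exe"),
    ("explorer.exe", "hmi_runtime.exe", "alarm_logger.exe"),
    ("explorer.exe", "hmi_runtime.exe", "alarm_logger.exe"),
    ("explorer.exe", "hmi_runtime.exe", "trend_viewer.exe"),  # seen only once
]

def build_baseline(events, min_count=2):
    """Keep lineages observed at least min_count times; rarer ones are noise."""
    counts = Counter(events)
    return {lineage for lineage, n in counts.items() if n >= min_count}

def score_event(baseline, event):
    """Classify one new (grandparent, parent, child) event against the baseline.

    Returns None for a known lineage, otherwise a severity string:
      'high'   - a baselined parent spawned a child never seen under it
                 (the 'legitimate binary runs the next stage' pattern)
      'medium' - the parent never appeared as a parent in the baseline
      'low'    - parent->child pair is known, only the grandparent is new
    """
    if event in baseline:
        return None
    _grandparent, parent, child = event
    known_parents = {b[1] for b in baseline}
    known_pairs = {(b[1], b[2]) for b in baseline}
    if (parent, child) in known_pairs:
        return "low"
    if parent in known_parents:
        return "high"
    return "medium"

def triage(baseline, events):
    """Return only the deviating events as (severity, event), in input order."""
    findings = []
    for event in events:
        severity = score_event(baseline, event)
        if severity is not None:
            findings.append((severity, event))
    return findings
```

The `min_count` threshold trades false positives against coverage: lineages seen only once in the learning window are treated as unknown and would surface as findings until the baseline is re-learned.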