Symantec identifies Grayling APT group targeting Taiwanese manufacturing, biomedical sectors

Researchers from Symantec’s Threat Hunter Team disclosed Tuesday the presence of Grayling, a previously unknown advanced persistent threat (APT) group that used custom malware and multiple publicly available tools. These hackers have targeted several organizations in the manufacturing, IT, and biomedical sectors in Taiwan. Furthermore, a government agency located in the Pacific Islands, as well as organizations in Vietnam and the U.S. also appear to have been hit as part of this campaign. 

The team identified that hacker activity began in February this year and continued until at least May.

The Symantec team, part of Broadcom, attributed the recent activity to the Grayling group based on Grayling's distinctive DLL sideloading technique, which uses a custom decryptor to deploy payloads. The motivation driving this activity appears to be intelligence gathering.

“While we do not see data being exfiltrated from victim machines, the activity we do see and the tools deployed point to the motivation behind this activity being intelligence gathering,” the Symantec researchers wrote in a company blog post. “The sectors the victims operate in – manufacturing, IT, biomedical, and government – are also sectors that are most likely to be targeted for intelligence gathering rather than for financial reasons.” 

The use of custom techniques combined with publicly available tools is typical of the activity we see from APT groups these days, with threat actors often using publicly available or living-off-the-land tools in attempts to bypass security software and help their activity stay under the radar of defenders, according to the post. 

“Tools like Havoc and Cobalt Strike are also frequently used by attackers due to their wide array of capabilities. It is often easier for even skilled attackers to use existing tools like this than to develop custom tools of their own with similar capabilities,” the researchers identified. “The use of publicly available tools can also make attribution of activity more difficult for investigators. The steps taken by the attackers, such as killing processes, etc., also indicate that keeping this activity hidden was a priority for them.”

The research team has “not been able to definitively link Grayling to a specific geography, but the heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan.”

Symantec identified that there are indications that Grayling may exploit public-facing infrastructure for initial access to victim machines. “Web shell deployment was observed on some victim computers prior to DLL sideloading activity taking place. DLL sideloading is used to load a variety of payloads, including Cobalt Strike, NetSpy, and the Havoc framework,” the post added. 

The attackers take various actions once they gain initial access to victims’ computers, including escalating privileges, network scanning, and using downloaders.

The Symantec researchers provided an extensive overview of the tactics, techniques, and procedures (TTPs) employed by the attackers, including the use of Havoc, Cobalt Strike, and NetSpy, exploitation of CVE-2019-0803, Active Directory discovery, Mimikatz, process termination, downloaders, and the deployment of an unidentified payload.

Addressing Havoc, Symantec said that it is an open-source post-exploitation command-and-control framework that attackers began using towards the start of 2023, seemingly as an alternative to Cobalt Strike and similar tools. Havoc can carry out a variety of activities including executing commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shellcode. Havoc is also notable for being cross-platform. 

On Cobalt Strike, the Symantec post identified it as an off-the-shelf tool that can be used to execute commands, inject other processes, elevate current processes, or impersonate other processes and upload and download files. It ostensibly has legitimate uses as a penetration-testing tool but is invariably exploited by malicious actors.

The post also covered NetSpy, a publicly available spyware tool; exploitation of CVE-2019-0803, an elevation-of-privilege vulnerability in Windows that arises when the Win32k component fails to properly handle objects in memory; Active Directory discovery, used to query Active Directory and help map the network; and Mimikatz, a publicly available credential-dumping tool. It also covered process killing, downloaders, and an unknown payload downloaded from imfsb[dot]ini.

Additionally, the researchers detailed that the typical attack chain in this activity appears to be DLL sideloading through exported API SbieDll_Hook. “This leads to the loading of various tools, including a Cobalt Strike Stager that leads to Cobalt Strike Beacon, the Havoc framework, and NetSpy. The attackers were also seen loading and decrypting an unknown payload from imfsb[dot]ini. An exploit for CVE-2019-0803 was also used in the course of this activity, while shellcode was also downloaded and executed,” they added.

Other post-exploitation activity performed by these attackers includes using kill processes to kill all processes listed in a file called processlist[dot]txt, and downloading the publicly available credential-dumping tool Mimikatz.
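As an added defender-side example (not code from the Symantec report or this article), the following script scans constructed Sysmon-style image-load and file-create events for the artifacts named above: a DLL carrying the SbieDll_Hook export loaded from outside its expected install directory, plus files named imfsb.ini or processlist.txt. It assumes that the SbieDll_Hook export belongs to Sandboxie's SbieDll.dll and that a clean install loads it from C:\Program Files\Sandboxie; the event field names and sample events are constructed.

```python
"""Flag Grayling-style DLL-sideloading indicators in Sysmon-like JSON events."""
import json
from pathlib import PureWindowsPath

# Assumption: SbieDll_Hook is exported by Sandboxie's SbieDll.dll, which a
# clean install loads from this directory; any other location is suspect.
EXPECTED_SBIEDLL_DIR = PureWindowsPath(r"C:\Program Files\Sandboxie")
# File names the article ties to this activity (payload container, kill list).
SUSPECT_FILES = {"imfsb.ini", "processlist.txt"}


def check_event(event):
    """Return the reasons (possibly none) that one event matches the tradecraft."""
    reasons = []
    kind = event.get("EventType")
    if kind == "ImageLoad":
        img = PureWindowsPath(event["ImageLoaded"])
        if img.name.lower() == "sbiedll.dll":
            # PureWindowsPath compares case-insensitively, like NTFS does.
            if img.parent != EXPECTED_SBIEDLL_DIR:
                reasons.append(f"SbieDll.dll loaded from unexpected directory {img.parent}")
            if not event.get("Signed", False):
                reasons.append("unsigned SbieDll.dll")
    if kind in ("FileCreate", "ImageLoad"):
        target = PureWindowsPath(event.get("TargetFilename", event.get("ImageLoaded", "")))
        if target.name.lower() in SUSPECT_FILES:
            reasons.append(f"known Grayling artifact name {target.name}")
    return reasons


def scan(lines):
    """Return (process image, reasons) for every event line that raises a flag."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = check_event(event)
        if reasons:
            hits.append((event.get("Image"), reasons))
    return hits


# Constructed sample events: one benign load from the real install directory,
# then a sideload from a user-writable folder followed by the payload file drop.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventType": "ImageLoad", "Image": r"C:\Program Files\Sandboxie\Start.exe",
     "ImageLoaded": r"C:\Program Files\Sandboxie\SbieDll.dll", "Signed": True},
    {"EventType": "ImageLoad", "Image": r"C:\Users\Public\Libraries\Start.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\SbieDll.dll", "Signed": False},
    {"EventType": "FileCreate", "Image": r"C:\Users\Public\Libraries\Start.exe",
     "TargetFilename": r"C:\Users\Public\Libraries\imfsb.ini"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Windows\Temp\notes.txt"},
]]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```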

Last month, the Symantec Threat Hunter Team released details of Budworm APT group’s tactics deploying an updated custom tool that strikes government and telecom organizations. The researchers said that the previously unseen version of SysUpdate was used in the August campaign.
