China-Aligned “Operation Tainted Love” Targets Middle East Telecom Providers

Security

A Chinese cyber-espionage actor likely connected with the “Operation Soft Cell” campaign has been targeting Middle East telecom providers since the beginning of 2023.

The new series of attacks are part of what SentinelOne researchers described as “Operation Tainted Love,” a cyber-espionage campaign exhibiting “a well-maintained, versioned credential theft capability” and a new dropper mechanism.

“The initial attack phase involves infiltrating internet-facing Microsoft Exchange servers to deploy web shells used for command execution,” wrote SentinelOne senior threat researcher Aleksandar Milenkoski in an advisory published earlier today. “Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement and data exfiltration activities.”

Milenkoski highlighted that the deployment of custom credential theft malware is the main novelty of the new campaign, which relies on malware incorporating modifications to the code of the Mimikatz post-exploitation tool.

Read more on threat actors using Mimikatz here: ShadowPad-Associated Hackers Targeted Asian Governments

A particular sample of the malware (dubbed mim221 by SentinelOne) also featured upgraded anti-detection features.

“The use of special-purpose modules that implement a range of advanced techniques shows the threat actors’ dedication to advancing its toolset towards maximum stealth,” Milenkoski explained.

The security researcher also clarified that while links to Operation Soft Cell are evident, the team could not directly link the campaign to a specific threat actor.

“That campaign has been publicly associated with Gallium, and possible connections to APT41 have been suggested by the use of a common code signing certificate and tooling that shares code similarities. APT41 is also known to target telecommunication providers.”

Either way, Milenkoski said the threat actors behind Operation Tainted Love would likely continue upgrading their malware and targeting organizations in the Middle East.

“These threat actors will almost certainly continue exploring and upgrading their tools with new techniques for evading detection, including integrating and modifying publicly available code,” he wrote. “SentinelLabs continues to monitor espionage activities and hopes that defenders will leverage the findings presented in this post to bolster their defenses.”

Products You May Like

Articles You May Like

Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts
Thousands Download Malicious npm Libraries Impersonating Legitimate Tools
Ukraine’s Security Service Probes GRU-Linked Cyber-Attack on State Registers
Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack
Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware

Leave a Reply

Your email address will not be published. Required fields are marked *