EXECUTIVE SUMMARY
A China-linked threat actor has been observed utilizing a customized C2 framework, known as TencShell, to target global manufacturing environments. This campaign appears to be an attempt to establish a persistent foothold within the victim's network, with the ultimate goal of stealing sensitive information or disrupting operations. The attackers have been using a variety of tactics, including masquerading, reflective code loading, and command and control communication, to evade detection and maintain control over the infected systems.
The infection chain used by the attackers involves a first-stage dropper payload, which retrieves and executes Donut shellcode from a masqueraded .woff resource. The shellcode then loads and executes the TencShell implant in memory, which provides the attackers with remote command execution, in-memory payload execution, and other post-exploitation capabilities. The attackers have also been using web-like communication patterns to blend their C2 traffic with normal application traffic, making it difficult to detect. The use of open-source tooling such as Rshell, together with the customization of existing C2 frameworks, highlights the adaptable nature of modern threat actors.
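The masqueraded .woff stage above is detectable at the file level: a real font begins with a WOFF magic value, while a shellcode blob or PE does not. The following check is an added example written for this summary, not code from the report or from the campaign's tooling; the file names, byte samples and the 7.0 entropy threshold are constructed assumptions.

```python
"""Flag files whose .woff extension does not match their content (T1036.008).
Constructed example; not code from the report or the TencShell campaign."""
from __future__ import annotations

import math
from collections import Counter

# Leading magic values: WOFF 1.0, WOFF 2.0, and the PE/COFF DOS stub.
MAGICS = {b"wOFF": "woff", b"wOF2": "woff2", b"MZ": "pe"}


def classify(data: bytes) -> str:
    """Return a content type guessed from leading magic bytes, or 'unknown'."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_woff(name: str, data: bytes, entropy_threshold: float = 7.0) -> list[str]:
    """Reasons a *.woff file looks masqueraded; an empty list means it passed."""
    reasons: list[str] = []
    if not name.lower().endswith((".woff", ".woff2")):
        return reasons  # only the font-extension case is covered here
    kind = classify(data)
    if kind == "pe":
        reasons.append("PE header under a font extension")
    elif kind == "unknown":
        reasons.append("no WOFF magic")
        if shannon_entropy(data) >= entropy_threshold:
            reasons.append("high entropy, consistent with packed shellcode")
    return reasons


# Constructed samples: a WOFF-like header, a PE stub, and a flat-distribution blob.
SAMPLES = {
    "site.woff": b"wOFF\x00\x01\x00\x00" + b"\x00" * 40,
    "icons.woff": b"MZ\x90\x00" + b"\x00" * 60,
    "theme.woff": bytes(range(256)) * 4,  # every byte equally likely: entropy 8.0
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, suspicious_woff(fname, blob) or ["ok"])
```

The magic check alone catches a PE; the entropy check is what flags a raw Donut-style blob that carries no recognizable header at all.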
The significance of this threat cannot be overstated, as the compromised endpoint can expose sensitive information and disrupt business operations. The attackers' goal is to establish a persistent presence within the victim's network, which can lead to significant financial losses, reputational damage, and loss of intellectual property. To defend against this threat, organizations should prioritize patching, monitoring, and endpoint protection, as well as maintaining robust backups and incident response plans.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1106 | Native API | — |
| Defense Evasion | T1036.008 | Masquerading | Masquerade File Type |
| Defense Evasion | T1620 | Reflective Code Loading | — |
| Privilege Escalation | T1055 | Process Injection | — |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1057 | Process Discovery | — |
| Discovery | T1083 | File and Directory Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1102 | Web Service | — |
| Command and Control | T1090.001 | Proxy | Internal Proxy |
| Command and Control | T1571 | Non-Standard Port | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/new-malware-framework-enables-screen-control/
https://www.catonetworks.com/blog/cato-ctrl-suspected-china-linked-threat-actor-targets-global-manufacturer/