EXECUTIVE SUMMARY
A China-nexus threat actor campaign, linked to the Twill Typhoon group, has been observed targeting entities in the Asia-Pacific and Japan (APJ) region. The campaign uses a variety of tactics, including content delivery network (CDN) impersonation, legitimate binaries, and DLL sideloading, to deploy a modular .NET Remote Access Trojan (RAT) framework.
The attackers appear to be using a custom TCP-based protocol, DMTP, to communicate with their command and control (C2) servers, and have been observed using a heavily obfuscated backdoor to maintain persistence and execute remote commands. The payload is designed to be highly flexible, with the ability to load and execute plugins, including tools for creating and triggering Windows tasks, managing registry persistence, and loading and persisting the main framework.
The campaign has been observed using a range of infrastructure, including domains impersonating well-known platforms and services. Darktrace has observed multiple customer environments making HTTP GET requests to infrastructure presenting as "CDN" endpoints for well-known platforms, and has identified a consistent behavioral execution pattern, including the retrieval of legitimate binaries and configuration files alongside malicious DLLs.
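The staging pattern described above (a client fetching a legitimate binary, its configuration file and a DLL from the same CDN-lookalike host) can be hunted for in web proxy logs. The script below is an added example, not part of the original report or Darktrace's tooling; the log format, the hostnames and the allow-list of genuine CDN hosts are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the original report).
# Format assumed: timestamp client_ip method url status
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.2.3 GET http://cdn.example-platform.test/assets/update.exe 200
2024-05-01T10:00:02Z 10.1.2.3 GET http://cdn.example-platform.test/assets/update.exe.config 200
2024-05-01T10:00:03Z 10.1.2.3 GET http://cdn.example-platform.test/assets/helper.dll 200
2024-05-01T10:05:00Z 10.1.2.9 GET http://cdn.example-platform.test/assets/logo.png 200
2024-05-01T10:06:00Z 10.1.2.4 GET http://cdn.legit-vendor.example/lib/app.dll 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Placeholder allow-list of CDN hosts the organisation knows to be genuine;
# any other host whose first label contains "cdn" is treated as a lookalike.
KNOWN_CDN_HOSTS = {"cdn.legit-vendor.example"}

# Extensions that make up the staging triplet: PE, its .config, and a DLL.
TRIPLET = {".exe", ".config", ".dll"}


def parse_log(text):
    """Yield one event dict per well-formed log line, skipping the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        u = urlparse(url)
        yield {"ts": ts, "client": client, "host": u.hostname or "",
               "path": u.path.lower()}


def looks_like_cdn_lookalike(host):
    """True for hosts presenting as a CDN that are not on the allow-list."""
    return host not in KNOWN_CDN_HOSTS and "cdn" in host.split(".")[0]


def find_sideload_triplets(text):
    """Return sorted (client, host) pairs where a single client fetched an
    .exe, a .config and a .dll from the same CDN-lookalike host."""
    seen = defaultdict(set)
    for ev in parse_log(text):
        if not looks_like_cdn_lookalike(ev["host"]):
            continue
        for ext in TRIPLET:
            if ev["path"].endswith(ext):
                seen[(ev["client"], ev["host"])].add(ext)
    return sorted(key for key, exts in seen.items() if exts == TRIPLET)
```

A single .dll fetch from an allow-listed CDN, or an image from a lookalike host, does not trigger; only the full triplet from one client does, which keeps the rule quiet on ordinary traffic.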
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Defense Evasion | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1574.001 | Hijack Execution Flow | DLL Search Order Hijacking |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | — |
REFERENCES:
The following reports contain further technical details:
https://www.infosecurity-magazine.com/news/mustang-panda-fdmtp-backdoor-apj/
https://www.darktrace.com/blog/chinese-apt-campaign-targets-entities-with-updated-fdmtp-backdoor