EXECUTIVE SUMMARY
A China-nexus APT group, tracked as UAT-8302, has been identified targeting government entities in South America and southeastern Europe. The group's primary goal is to obtain and maintain long-term access to government and related entities worldwide, with a focus on data theft and proliferation. UAT-8302 has been linked to various other China-nexus or Chinese-speaking APTs, indicating a close operating relationship between them. The group's tooling overlaps with those used by other APT groups, all of which have been assessed as China-nexus or Chinese-speaking. UAT-8302's malware families include NetDraft, CloudSorcerer version 3, and VSHELL, which have been used in attacks against government agencies and organizations in various regions. The group's tactics include initial compromise and reconnaissance, information collection, and proliferation through the network, using custom-made malware and open-source tooling.
UAT-8302's attack chain involves multiple stages, from initial compromise to information collection and proliferation. The group uses a range of tools and techniques, including custom-made malware, PowerShell scripts, and open-source tooling such as Impacket and QScan. Once initial access is obtained, UAT-8302 conducts preliminary reconnaissance using red-teaming tools, and then collects information about the environment, including Active Directory information and credentials. The group also uses proxy servers to tunnel traffic from outside the enterprise to infected hosts. UAT-8302's malware families, including NetDraft and CloudSorcerer version 3, have been used to deploy further custom-made payloads and conduct various malicious activities, including data theft and proliferation. The group's tactics and techniques are designed to evade detection and maintain persistence in the compromised environment.
UAT-8302's activities pose a significant threat to government entities and organizations in various regions, particularly in South America and southeastern Europe. The group's use of custom-made malware and open-source tooling makes it difficult to detect and recover from the attack. To defend against UAT-8302's tactics, organisations should prioritise patching and monitoring, maintain up-to-date backups, and implement robust endpoint protection. Additionally, organisations should be aware of the group's tactics and techniques and take proactive measures to prevent initial compromise and information collection.
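As an added illustration, not taken from the report or its referenced sources, the following shows one way to flag from Windows Security events the lateral-movement pattern the report describes (a network logon, admin-share access and WMI-spawned command execution from one remote source, the combination Impacket-style tooling produces). The event records, field names and the two-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log events (not taken from the report). Field names
# are shortened stand-ins for EventID 4624 (logon), 5145 (share access) and
# 4688 (process creation) data; 4688 carries no source address, so it is tied
# to the remote session through the logon ID the network logon created.
EVENTS = [
    {"ts": "2024-05-01T10:00:01", "id": 4624, "host": "FS01", "src": "10.1.1.50",
     "logon_type": 3, "logon_id": "0x3e7a1"},
    {"ts": "2024-05-01T10:00:03", "id": 5145, "host": "FS01", "src": "10.1.1.50",
     "share": "\\\\*\\ADMIN$"},
    {"ts": "2024-05-01T10:00:04", "id": 4688, "host": "FS01", "logon_id": "0x3e7a1",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "cmd.exe"},
    # benign: a workstation user opening an ordinary departmental share
    {"ts": "2024-05-01T10:05:00", "id": 4624, "host": "FS01", "src": "10.1.1.77",
     "logon_type": 3, "logon_id": "0x3f002"},
    {"ts": "2024-05-01T10:05:02", "id": 5145, "host": "FS01", "src": "10.1.1.77",
     "share": "\\\\*\\Finance"},
]

WINDOW = timedelta(minutes=2)  # assumed correlation window


def detect_admin_share_wmi_exec(events, window=WINDOW):
    """Return {(host, src_ip)} for remote sources that, within `window`, produced
    a network logon (4624 type 3), ADMIN$ access (5145) and a command shell
    spawned by WmiPrvSE.exe (4688) under that logon session."""
    logon_origin = {}            # logon_id -> (host, src)
    stages = defaultdict(dict)   # (host, src) -> {"logon"/"admin"/"wmi": timestamp}
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        key = (e["host"], e.get("src"))
        if e["id"] == 4624 and e.get("logon_type") == 3:
            logon_origin[e["logon_id"]] = key
            stages[key]["logon"] = ts
        elif e["id"] == 5145 and e.get("share", "").upper().endswith("ADMIN$"):
            stages[key]["admin"] = ts
        elif (e["id"] == 4688
              and e.get("parent", "").lower().endswith("wmiprvse.exe")
              and e.get("image", "").lower() in ("cmd.exe", "powershell.exe")):
            origin = logon_origin.get(e.get("logon_id"))
            if origin:
                stages[origin]["wmi"] = ts
    return {k for k, s in stages.items()
            if len(s) == 3 and max(s.values()) - min(s.values()) <= window}


if __name__ == "__main__":
    for host, src in sorted(detect_admin_share_wmi_exec(EVENTS)):
        print(f"possible admin-share + WMI remote execution on {host} from {src}")
```

Only the first source trips all three stages; the benign share access from 10.1.1.77 never reaches ADMIN$ or a WMI-spawned shell and is not reported.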
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Execution | T1047 | Windows Management Instrumentation | — |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Defense Evasion | T1218 | System Binary Proxy Execution | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Credential Access | T1003 | OS Credential Dumping | — |
| Credential Access | T1555.005 | Credentials from Password Stores | Password Managers |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1016 | System Network Configuration Discovery | — |
| Discovery | T1018 | Remote System Discovery | — |
| Discovery | T1046 | Network Service Discovery | — |
| Discovery | T1135 | Network Share Discovery | — |
| Discovery | T1087.002 | Account Discovery | Domain Account |
| Discovery | T1482 | Domain Trust Discovery | — |
| Discovery | T1069.002 | Permission Groups Discovery | Domain Groups |
| Lateral Movement | T1021.002 | Remote Services | SMB/Windows Admin Shares |
| Lateral Movement | T1021.003 | Remote Services | Distributed Component Object Model |
| Collection | T1005 | Data from Local System | — |
| Collection | T1074 | Data Staged | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1102.003 | Web Service | One-Way Communication |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1567 | Exfiltration Over Web Service | — |
REFERENCES:
The following reports contain further technical details: