A previously undocumented threat actor of unknown provenance has been linked to a number of attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan.
The Symantec Threat Hunter Team, part of Broadcom, attributed the attacks to an advanced persistent threat (APT) it tracks under the name Grayling. Evidence shows that the campaign began in February 2023 and continued until at least May 2023.
Also likely targeted as part of the activity is a government agency located in the Pacific Islands, as well as entities in Vietnam and the U.S.
“This activity stood out due to the use by Grayling of a distinctive DLL side-loading technique that uses a custom decryptor to deploy payloads,” the company said in a report shared with The Hacker News. “The motivation driving this activity appears to be intelligence gathering.”
The initial foothold to victim environments is said to have been achieved by exploiting public-facing infrastructure, followed by the deployment of web shells for persistent access.
The attack chains then leverage DLL side-loading via SbieDll_Hook to load a variety of payloads, including Cobalt Strike, NetSpy, and the Havoc framework, alongside other tools like Mimikatz. Grayling has also been observed killing all processes listed in a file called processlist.txt.
DLL side-loading is a popular technique used by a variety of threat actors to get around security solutions and trick the Windows operating system into executing malicious code on the target endpoint.
This is often accomplished by placing a malicious DLL with the same name as a legitimate DLL used by an application in a location where it will be loaded before the actual DLL by taking advantage of the DLL search order mechanism.
“The attackers take various actions once they gain initial access to victims’ computers, including escalating privileges, network scanning, and using downloaders,” Symantec said.
It’s worth noting that the use of DLL side-loading with respect to SbieDll_Hook and SandboxieBITS.exe was previously observed in the case of Naikon APT in attacks targeting military organizations in Southeast Asia.
Symantec told The Hacker News that it did not find any overlaps between Grayling and Naikon, but noted that “DLL side-loading is a pretty common technique for APT actors these days, particularly among actors operating out of China.”
There is no evidence to suggest that the adversary has engaged in any form of data exfiltration to date, suggesting the motives are geared more toward reconnaissance and intelligence gathering.
The use of publicly available tools is seen as an attempt to complicate attribution efforts, while process termination indicates detection evasion as a priority for staying under the radar for extended periods of time.
“The heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan,” the company added.
