2023: Chinese Cyber Espionage Hits South Korea

A “multi-year” Chinese cyber espionage campaign targeting South Korean academic, political, and government organizations has been uncovered.

TAG-74, tracked by Recorded Future’s Insikt Group, has been linked to “Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia.”

The cybersecurity firm characterized the targeting of South Korean academic institutions as part of China’s broader effort to steal intellectual property and expand its influence, and as driven by South Korea’s strategic ties with the United States.

The adversary’s social engineering attacks use Microsoft Compiled HTML Help (CHM) file lures to drop a custom variant of ReVBShell, an open-source Visual Basic Script backdoor, which in turn is used to deliver the Bisonal remote access trojan.

ReVBShell sleeps for a configurable interval, which the remote server can change by issuing a command, and it Base64-encodes its command and control (C2) data to obscure it in transit.
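The two behaviours just described, a CHM lure that hands off to a script interpreter and a backdoor whose C2 traffic is Base64-wrapped text, are what a defender can actually hunt for. The following is an added detection-triage example, not code from Recorded Future, AhnLab, or the malware itself. It assumes the endpoint sensor records the Windows CHM viewer (hh.exe) as the parent of the script host, and the command strings in the sample traffic are placeholders: the page only says ReVBShell's C2 data is Base64-encoded and that the server can set the sleep interval, not what the wire format looks like. All telemetry is constructed.

```python
"""Triage heuristics for a CHM -> script host -> Base64 C2 chain.
Added example with constructed telemetry; not vendor or malware code."""
import base64
import binascii
import re
import string
from typing import List, Optional

# Script interpreters a CHM lure would typically hand off to. Assumption:
# the sensor records the CHM viewer, hh.exe, as the parent process.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# Standard Base64 alphabet, at least 8 characters (6 decoded bytes), so short
# tokens that merely look like Base64 are ignored.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def chm_spawned_script(event: dict) -> bool:
    """True when the CHM viewer launched a script host (the lure's first hop)."""
    return (event["parent"].lower() == "hh.exe"
            and event["image"].lower() in SCRIPT_HOSTS)


def decode_if_text(blob: str) -> Optional[str]:
    """Decode blob as Base64 and return it only if it is printable ASCII.

    Binary payloads (images, compressed data) also Base64-decode cleanly, so
    the printable check is what separates a text command channel from noise.
    """
    blob = blob.strip()
    if not B64_RE.match(blob) or len(blob) % 4:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(ch in string.printable for ch in text) else None


def decoded_c2_bodies(bodies: List[str]) -> List[str]:
    """Return the request bodies that decode to readable text, in order."""
    found = []
    for body in bodies:
        text = decode_if_text(body)
        if text is not None:
            found.append(text)
    return found


# --- Constructed sample telemetry (not real TAG-74 artefacts) -----------
PROCESS_EVENTS = [
    {"parent": "hh.exe", "image": "wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\help.vbs"},
    {"parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe report.docx"},
]

# Placeholder command strings; the real ReVBShell wire format is not shown
# on this page, only that it is Base64-encoded and that the server can
# change the sleep interval.
SAMPLE_BODIES = [
    base64.b64encode(b"sleep 600").decode(),      # server changes the beacon interval
    base64.b64encode(b"exec whoami").decode(),    # a tasking message
    base64.b64encode(bytes(range(24))).decode(),  # binary blob: decodes, but not text
    "user=alice&session=4",                       # ordinary form body
]


def triage() -> dict:
    """Run both checks over the sample telemetry and return the findings."""
    return {
        "chm_script_launches": [e["cmdline"] for e in PROCESS_EVENTS
                                if chm_spawned_script(e)],
        "decoded_c2": decoded_c2_bodies(SAMPLE_BODIES),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Base64 in HTTP bodies is common in legitimate traffic, so the decode check on its own is a triage aid rather than an alert; it becomes useful when correlated with the process lineage finding from the same host, and the sleep command in the decoded text is the signal to look for a beacon whose interval shifts after a server response.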

The use of ReVBShell has also been tied to two other China-linked clusters, Tick and Tonto Team; the latter was linked to an identical infection sequence by the AhnLab Security Emergency response Center (ASEC) in April 2023.

Bisonal is a multi-purpose trojan that can collect process and file information, execute commands and files, terminate processes, download and upload files, and delete arbitrary files from disk.

TAG-74 is reported to overlap with Tick, further evidence of the widespread tool sharing among Chinese threat groups.

“The observed TAG-74 campaign is indicative of the group’s long-term intelligence collection objectives against South Korean targets,” stated Recorded Future.

“Given the group’s persistent focus on South Korean organizations over many years and the likely operational purview of the Northern Theatre Command, the group is likely to continue to be highly active in conducting long-term intelligence-gathering on strategic targets within South Korea as well as in Japan and Russia.”
