New Grayling APT targets IT and biomedical sectors in Taiwan

A previously undocumented threat actor has been observed targeting the manufacturing, IT, and biomedical sectors in Taiwan as part of a cyber espionage campaign that began in February 2023 and continued until at least May 2023.

Dubbed ‘Grayling’ by the Symantec threat hunter team, the threat actor used custom malware in its attacks alongside publicly available tools such as the Havoc command-and-control framework, Cobalt Strike, the NetSpy spyware, the credential-dumping tool Mimikatz and others. The observed campaign appears to have also hit organizations in the Pacific Islands, Vietnam and the US.

One of the most interesting aspects of the campaign is the use of a distinctive DLL sideloading technique that leverages a custom decryptor to deploy payloads.

The DLL sideloading is triggered through the exported function SbieDll_Hook, and results in the download of several tools, including a Cobalt Strike stager that leads to Cobalt Strike Beacon, the Havoc framework, and NetSpy. The threat actor was also observed exploiting a Windows privilege escalation vulnerability (CVE-2019-0803) and loading and decrypting an as-yet-unidentified payload.

The attackers also ran a process-killing tool that terminates every process named in a file called processlist.txt, and downloaded Mimikatz.

After gaining initial access to the victim network, the threat actor performed various actions, including escalating privileges, scanning the network, and running downloaders to fetch additional tooling.

The researchers said they weren’t able to attribute Grayling to a specific country, “but the heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan.”
