##### CYBER THREAT ANALYSIS

**CHINA**

By Insikt Group®
September 19, 2023

# Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and

## Executive Summary

Recorded Future’s Insikt Group analyzed a multi-year, Chinese state-sponsored cyber-espionage campaign predominantly targeting South Korean academic, political, and government organizations. This campaign, which we are tracking under the temporary group designator TAG-74, has been publicly linked¹ to Chinese military intelligence and likely primarily poses a threat to academic, aerospace and defense, government, military, and political organizations within South Korea, Japan, and Russia. This assessment is based on the historical targeting pattern of this threat activity group and the typical area of responsibility of People’s Liberation Army (PLA) Northern Theater Command-aligned threat actors.

In this campaign, we observed a particular focus on the targeting of South Korean academic entities. The targeting of academia more generally fits within wider Chinese espionage efforts that serve multiple purposes, including intellectual property (IP) theft and expanding Chinese Communist Party (CCP) soft power and influence within higher education internationally. Business leaders in companies engaging closely with academia in countries of strategic interest to Chinese intelligence services should consider the business risks of both potential IP loss and academic institutions’ vulnerability to foreign state influence that could lead to reputational damage through association.

More widely, intelligence collection within South Korea by Chinese state-sponsored actors is likely driven by both regional proximity and the country’s strategic role in China's competition with the United States (US) and other regional allies within the Indo-Pacific region.
In recent months, Chinese officials have been [increasingly outspoken](https://www.cnn.com/2023/07/04/china/wang-yi-china-japan-south-korea-intl-hnk/index.html) on South Korea’s perceived movement toward closer relations with the US. Of particular note, in May 2023, a South Korean news outlet [cited](https://english.hani.co.kr/arti/english_edition/e_international/1094072.html) anonymous [“senior diplomatic officials”](https://english.hani.co.kr/arti/english_edition/e_international/1094074.html) to report that China threatened to withhold cooperation with Seoul on North Korea and other issues if South Korea continues crossing “red lines” related to South Korea “meddling with Taiwan” or supporting “the US and Japan’s containment of China”. Notably, multiple observed TAG-74 decoy documents and spoofed domains specifically related to inter-Korean cooperation and reunification. These highlighted geopolitical tensions are likely to drive increased intelligence collection efforts from Chinese state-sponsored threat activity groups such as TAG-74 against South Korean public and private sector entities. This intelligence could be used to define Chinese diplomatic or business engagement with South Korean entities, especially when foreign policy doesn't align with Chinese strategic objectives.

## Key Findings

- TAG-74 is a Chinese state-sponsored threat activity group traditionally tasked with intelligence collection against organizations within South Korea, Japan, and Russia.
- In the activity highlighted

¹ TAG-74 overlaps with reported activity under the aliases Tonto Team, COPPER, CactusPete, Earth Akhlut, Karma Panda, and Bronze Huntley ([1](https://blog.talosintelligence.com/bisonal-10-years-of-play/), [2](https://vb2020.vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf)), a group publicly linked to the People’s Liberation Army Strategic Support Force (PLASSF) former Shenyang Military Region Technical Reconnaissance Bureau (now part of the Northern Theater Command) ([1](https://web.archive.org/web/20220706211644/https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf), 2).

Recorded Future® | www.recordedfuture.com | Distribution: Public, from Insikt Group

## Threat Analysis

Compiled HTML (.chm) files likely distributed via spearphishing. These .chm files consist of 3 primary components:

1. An embedded legitimate executable that is vulnerable to DLL search order hijacking. Observed executables used include the filenames `vias.exe`, `LBTWiz32.exe`, `PresentationSettings.exe`, and `ImagingDevices.exe`.
2. A malicious DLL loaded by the accompanying legitimate executable via DLL search order hijacking.
3. An HTML file that is used to:
   - display a decoy document to the user
   - execute a script to decompile the contents of the .chm file via the native Windows HTML Help executable (hh.exe)
   - execute the legitimate executable vulnerable to DLL search order hijacking, either directly or via the RUN registry key

**Figure 2: Example TAG-74 HTML file containing script to decompile .chm file and execute vias.exe (Source: Recorded Future)**

The HTML file, as shown in Figure 2, includes a bitmap shortcut object which, when clicked, executes the native HTML Help Windows binary hh.exe to decompile the .chm file, and a second shortcut which executes the legitimate executable vias.exe contained within the .chm. An embedded script then uses the native HTML click() method to simulate a mouse click on the first object, which executes the first shortcut, waits 2 seconds, and then repeats this for the second object to trigger the DLL search order hijacking chain.

inter-Korean cooperation and reunification as well as specific academic institutions, indicating a likely particular interest in these areas from TAG-74 actors.
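The chain above (a ShortCut object that runs hh.exe with -decompile, a second ShortCut that runs the bundled executable, and a script that fires both with click()) can be checked for heuristically once the .chm has been unpacked. The following scanner is an added example written for this report, not Recorded Future's tooling and not TAG-74's file; the sample topic page is constructed, the HHCtrl CLSID it matches on is the standard HTML Help ActiveX control identifier (not stated in the report), and the trait names are the author's own.

```python
import re

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx) behind ShortCut objects.
# Assumption: the report does not name it; it is the standard control a CHM
# topic page uses to launch a program.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

OBJECT_RE = re.compile(r"<object\b.*?</object>", re.I | re.S)
CLASSID_RE = re.compile(r"classid\s*=\s*['\"]?clsid:([0-9a-f-]{36})", re.I)
PARAM_RE = re.compile(
    r"<param\s+name\s*=\s*['\"]([^'\"]+)['\"]\s+value\s*=\s*['\"]([^'\"]*)['\"]", re.I)
CLICK_RE = re.compile(r"\.click\s*\(\s*\)", re.I)
RUN_KEY_RE = re.compile(r"currentversion\\run\b", re.I)

# Constructed topic page modelled on the chain described in the report; not TAG-74's file.
SAMPLE_CHM_PAGE = r"""
<html><body>
<p>Loading document...</p>
<OBJECT id="unpack" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=",hh.exe,-decompile C:\Users\Public\Libraries lecture.chm">
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<OBJECT id="launch" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=",C:\Users\Public\Libraries\vias.exe,">
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
  unpack.click();
  setTimeout(function () { launch.click(); }, 2000);
</SCRIPT>
</body></html>
"""

# Ordinary help page with no ShortCut objects at all (constructed).
SAMPLE_BENIGN_PAGE = "<html><body><h1>Lecture notes</h1><p>Chapter 1</p></body></html>"


def shortcut_commands(html):
    """Return (program, arguments) for every HHCtrl ShortCut object on the page."""
    commands = []
    for obj in OBJECT_RE.findall(html):
        classid = CLASSID_RE.search(obj)
        if not classid or classid.group(1).lower() != HHCTRL_CLSID:
            continue
        params = {name.lower(): value for name, value in PARAM_RE.findall(obj)}
        if params.get("command", "").lower() != "shortcut":
            continue
        # Item1 is "window,program,arguments"; the window field is usually empty.
        fields = (params.get("item1", "").split(",", 2) + ["", ""])[:3]
        commands.append((fields[1].strip().lower(), fields[2].strip().lower()))
    return commands


def _is_hh(program):
    return program.split("\\")[-1] in ("hh", "hh.exe")


def scan_help_html(html):
    """Map each trait of the decompile-then-execute chain to True/False."""
    commands = shortcut_commands(html)
    return {
        # hh.exe told to unpack the .chm, which drops the bundled EXE and DLL to disk
        "hh_decompile": any(_is_hh(p) and "-decompile" in a for p, a in commands),
        # a second ShortCut runs some other executable (the hijackable host binary)
        "launches_executable": any(p.endswith(".exe") and not _is_hh(p) for p, a in commands),
        # script fires the shortcuts itself, so the victim never has to click them
        "auto_click": bool(CLICK_RE.search(html)),
        # persistence via the Run registry key instead of (or as well as) a direct launch
        "run_key": bool(RUN_KEY_RE.search(html)),
    }


def is_suspicious(html):
    """True when a scripted decompile is paired with a scripted executable launch."""
    t = scan_help_html(html)
    return t["hh_decompile"] and t["launches_executable"] and t["auto_click"]


if __name__ == "__main__":
    print(scan_help_html(SAMPLE_CHM_PAGE), is_suspicious(SAMPLE_CHM_PAGE))
```

Run it over every .htm/.html extracted from a quarantined .chm (a CHM archive extractor such as 7-Zip will unpack it without executing anything). A page that merely contains one ShortCut is common in legitimate help files; the combination of an hh.exe -decompile shortcut, a second executable shortcut and a script that clicks them is what sets this chain apart, which is why `is_suspicious` requires all three.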
|IP Address|ASN|First Seen|Last Seen|
|---|---|---|---|
|45.133.194[.]135|AS206804 (EstNOC OY)|March 27, 2023|April 6, 2023|
|92.38.135[.]92|AS202422 (G-Core Labs)|February 8, 2023|May 15, 2023|
|141.164.60[.]28|AS20473 (AS-CHOOPA)|October 13, 2023|April 17, 2023|
|158.247.223[.]50|AS20473 (AS-CHOOPA)|March 13, 2023|June 7, 2023|
|158.247.234[.]163|AS20473 (AS-CHOOPA)|November 4, 2023|June 7, 2023|

**Table 1: IP addresses observed in use by TAG-74 during 2023 (Source: Recorded Future)**

|Likely Spoofed Entity|Industry|Spoof Domain(s)|
|---|---|---|
|Daum|IT|attachdaum.servecounterstrike[.]com, attachmaildaum.servecounterstrike[.]com, attachmaildaum.serveblog[.]net, logindaums.ddnsking[.]com, loginsdaum.viewdns[.]net|
|bizmeka[.]com|IT|bizmeka.viewdns[.]net|
|Hamonsoft|IT|hamonsoft.serveblog[.]net|
|Hanseo University|Academic|hanseo1.hopto[.]org|
|hometax[.]go[.]kr|Government|hometax.onthewifi[.]com|
|Mail Plug|IT|mailplug.ddnsking[.]com|
|Democratic Party of Korea|Political|minjoo2.servehttp[.]com|
|National Election Commission|Government|necgo.serveblog[.]net|
|Pixoneer Geomatics ((주)픽소니어)|IT|pixoneer.myvnc[.]com|
|Peaceful Unification Advisory Council|Government|puacgo1.servemp3[.]com|
|Satrec Initiative|Aerospace|satreci.bounceme[.]net|
|Sejong University|Academic|sejonglog.hopto[.]org|
|National Institute for Unification Education|Academic|unipedu.servebeer[.]com|

**Table 2: Selection of TAG-74 DDNS domains likely spoofing specific South Korean entities (Source: Recorded Future)**

#### Use of Open-Source ReVBShell Backdoor for Initial Access

As noted, TAG-74 has employed a slightly modified version of the open-source ReVBShell backdoor.
Modifications include additional functions responsible for:

- Base64-encoding C2 traffic
- Execution guardrails which, if ESET antivirus is detected on the infected host, set the C2 server IP address to 0.0.0[.]0 and exit the malware
- Additional commands or functions for code execution, changing the sleep interval, self-deletion, and enumeration via WMI command-line (WMIC)

ReVBShell is configured to sleep for a specified interval (the default is 5 seconds) following a NOOP response from the C2 server. In most cases, this sleep time is changed from the default 5 seconds to 5 minutes in observed TAG-74 activity. The TAG-74 variant also contains additional functionality to edit this sleep interval via a C2 command.

**Figure 4: Additional functions present in customized ReVBShell version responsible for Base64 encoding and decoding data (Source: Recorded Future)**

#### Continued Usage of Flagship Malware Bisonal for Follow-on Activity

Insikt Group observed multiple Bisonal samples communicating with C2 infrastructure attributed to TAG-74 (see Table 3). Bisonal is likely intended to be used as a follow-on malware family loaded after initial access is established, due to its additional functionality beyond the lightweight ReVBShell.
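Two of the modifications described above leave a network footprint a defender can look for: the Base64-encoded C2 bodies and the fixed 5-minute sleep between polls, which produces a very regular request cadence to one host. The script below is an added example (not Recorded Future's code and not derived from ReVBShell itself) that groups web-proxy records by client and host, flags pairs whose inter-request gaps cluster tightly around the expected sleep, and reports how many bodies are syntactically valid Base64. The proxy records are constructed; the DDNS hostname in them is one of the Table 2 domains used purely as a label.

```python
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy records (timestamp, client, host, POST body); not real traffic.
# "Tk9PUA==" is Base64 for "NOOP", the reply after which ReVBShell sleeps.
PROXY_LOG = [
    ("2023-03-28T09:00:00", "10.0.0.15", "attachdaum.servecounterstrike.com", "Tk9PUA=="),
    ("2023-03-28T09:05:01", "10.0.0.15", "attachdaum.servecounterstrike.com", "Tk9PUA=="),
    ("2023-03-28T09:10:00", "10.0.0.15", "attachdaum.servecounterstrike.com", "Tk9PUA=="),
    ("2023-03-28T09:15:02", "10.0.0.15", "attachdaum.servecounterstrike.com", "Tk9PUA=="),
    ("2023-03-28T09:20:01", "10.0.0.15", "attachdaum.servecounterstrike.com", "Tk9PUA=="),
    ("2023-03-28T09:00:00", "10.0.0.22", "www.example.com", "q=weather"),
    ("2023-03-28T09:00:40", "10.0.0.22", "www.example.com", "q=news"),
    ("2023-03-28T09:07:15", "10.0.0.22", "www.example.com", "page=2"),
    ("2023-03-28T09:30:00", "10.0.0.22", "www.example.com", "page=3"),
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(body):
    """True if the body is syntactically valid standard Base64 (as the encoded C2 traffic would be)."""
    if len(body) % 4 or not B64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def find_beacons(records, expected=300.0, tolerance=0.05, min_hits=4):
    """Flag (client, host) pairs that poll at a fixed interval; 300 s matches the observed 5-minute sleep."""
    by_pair = defaultdict(list)
    for ts, client, host, body in records:
        by_pair[(client, host)].append((datetime.fromisoformat(ts), body))
    hits = []
    slack = expected * tolerance
    for (client, host), events in by_pair.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        interval = statistics.median(gaps)
        # Typical gap must be near the expected sleep, and no single gap may stray far from it.
        if abs(interval - expected) > slack or max(abs(g - interval) for g in gaps) > slack:
            continue
        ratio = sum(looks_base64(body) for _, body in events) / len(events)
        hits.append({"client": client, "host": host, "interval": interval,
                     "count": len(events), "base64_ratio": ratio})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(PROXY_LOG):
        print(hit)
```

Because the sleep interval is operator-configurable (the variant accepts a C2 command to change it), run the check with the 5-second default as well as the 5-minute value seen in this campaign, and treat the Base64 ratio as corroboration rather than a standalone signal, since plenty of legitimate APIs also post Base64 bodies.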
Bisonal is a long-running, custom backdoor exclusive to Chinese state-sponsored threat activity that has been used in targeted intrusion activity primarily in Japan, South Korea, and Russia since at least 2010 ([1](https://blog.talosintelligence.com/bisonal-10-years-of-play/), [2](https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf), [3](https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf), 4).

|SHA256 Hash|Filename|C2|
|---|---|---|
|11cd4b64dcac3195c01ffc937ae1eb77aa2f98d560a75347036d54a1cf69a5fd|SearchFilterHost.exe|formsgle.freedynamicdns[.]net|
|01e5ebc2c096d465800660a0ad6d62208a5b2b675e3700f3734fac225b1d38bd|-|satreci.bounceme[.]net|
|a88ca28b0948e810d4eb519db7b72a40cfe7907ce4c6a881a192880278f3c8b5|msfltr32.exe|hanseo1.hopto[.]org|
|89f250599e09f8631040e73cd9ea5e515d87e3d1d989f484686893becec1a9bc|-|sarang.serveminecraft[.]net|
|0ea0b19c562d20c6ac89a1f2db06eedcb147cde2281e79bb0497cef62094b514|MySnake.EXE|sarang.serveminecraft[.]net|

**Table 3: TAG-74 Bisonal samples first observed in 2022 (Source: Recorded Future)**

Insikt Group conducted a comparative analysis of the payload loaded by the sample `11cd4b64dcac3195c01ffc937ae1eb77aa2f98d560a75347036d54a1cf69a5fd` listed in Table 3, and identified close similarities with a variant of Bisonal [reported by NTT Security in 2020](https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf). The sample we analyzed had the following commands, which closely align with the variant analyzed by NTT Security ([page 27](https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf#page=27)):

- Change prefix of sending data (unknown and unknown2 fields inside the payload struct in Figure 6)
- Send process information
- Send drive list
- Send file information
- Process termination
- Execute command
- File download
- File upload
- Delete file
- Recreate socket
- Sending socket objects
- File execution

The sample analyzed by Insikt Group also uses the same string decryption algorithm and reuses the `1213` key highlighted within the NTT Security Bisonal research (page 28). Additionally, the magic bytes `0A 1B 2C 3D` referenced in the NTT Security analysis of one of the Bisonal variants’ C2 [communications (page 64)](https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf#page=64) matched both of the analyzed samples.

The second sample in Table 3 (`01e5ebc2c096d465800660a0ad6d62208a5b2b675e3700f3734fac225b1d38bd`) is packed using VMProtect and loads a Bisonal payload very similar to the first. Example C2 communications for this sample are shown in Figure 5; they include the magic bytes `0A 1B 2C 3D` alongside basic victim information such as computer name, user name, operating system, IP address, and a campaign/target code, as also shown in Figure 6. This communication structure matches that of the first sample.

The payloads loaded by the other 3 samples in Table 3 all contain the [characteristic marker string](https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/) `bisonal`, which was not present in the other 2 analyzed samples.
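The two network-visible traits described above, the `0A 1B 2C 3D` magic bytes at the head of the C2 message and the `bisonal` marker string that only some variants carry, can be turned into a simple stream triage. The code below is an added example, not Recorded Future's code or output from the Table 3 samples: it scans constructed payloads for both traits and classifies each stream, and the victim-information layout in the sample payloads is invented for illustration (the report describes the fields but not their encoding).

```python
# Magic bytes cited above from the NTT Security analysis; present in both analyzed samples.
MAGIC = bytes.fromhex("0A1B2C3D")
# Marker string seen in three of the five Table 3 payloads but absent from the other two.
MARKER = b"bisonal"


def bisonal_indicators(payload):
    """Report which Bisonal C2 traits a raw stream payload carries and at what offset (-1 = absent)."""
    return {
        "magic_at_start": payload.startswith(MAGIC),
        "magic_offset": payload.find(MAGIC),
        "marker_offset": payload.lower().find(MARKER),
    }


def classify(payload):
    """Bucket a stream so that marker-less variants are still caught by the magic bytes."""
    ind = bisonal_indicators(payload)
    if ind["magic_offset"] < 0:
        return "no-bisonal-indicators"
    if ind["marker_offset"] >= 0:
        return "bisonal-with-marker"
    return "bisonal-magic-only"


def triage(streams):
    """Classify every named stream; returns {stream name: verdict}."""
    return {name: classify(payload) for name, payload in streams.items()}


# Constructed stream payloads (not captures of the Table 3 samples). The field layout
# after the magic bytes is invented; only the magic bytes and marker come from the report.
STREAMS = {
    "variant-without-marker": MAGIC + b"DESKTOP-01|user|Windows 10|10.0.0.15|KR01",
    "variant-with-marker": MAGIC + b"DESKTOP-02|user|Windows 10|10.0.0.16|KR01|bisonal",
    "tls-client-hello": bytes.fromhex("160301") + b"\x00\x40" + b"\x01" * 0x40,
    "plain-http": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


if __name__ == "__main__":
    for name, verdict in triage(STREAMS).items():
        print(f"{name}: {verdict}")
```

The point of the three-way classification is the one the report makes next: a rule keyed only on the `bisonal` string would have missed two of the five samples, while the magic bytes matched both variants that were analyzed in depth.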
The presence of this marker string [appears to vary based on the variant of Bisonal in use](https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/), which has evolved significantly over the past decade.

## Mitigations

Users should conduct the following measures to detect and mitigate activity associated with TAG-74:

- Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on connection attempts to and from the external IP addresses and domains linked in Appendix A and, upon review, consider blocking them.
- Organizations should consider blocking .chm and other low-legitimate-use file attachments at email gateways and through application deny lists where possible, given the propensity for abuse and low prevalence of legitimate use in most environments.
- Recorded Future proactively detects and logs malicious server configurations in the Command and Control Security Control Feed. The Command and Control list includes both open-source and customized tools used by Chinese state-sponsored threat activity groups, such as ReVBShell. Recorded Future clients should alert on and block these C2 servers to allow for detection and remediation of active intrusions.
- Since multiple state-sponsored and financially motivated threat activity groups continue to use DDNS domains in network intrusion activity, all TCP/UDP network traffic involving DDNS subdomains should be blocked and logged (using [DNS RPZ](https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00) or similar).
- Monitor for domain abuse, such as typosquat domains spoofing your organization, through the Recorded Future Brand Intelligence [module](https://www.recordedfuture.com/license-options/).

## Outlook

The observed TAG-74 campaign is indicative of the group’s long-term intelligence collection objectives against South Korean targets.
Given the group’s persistent focus on South Korean organizations over many years and the likely operational purview of the Northern Theater Command, the group is likely to continue to be highly active in conducting long-term intelligence-gathering on strategic targets within South Korea as well as in Japan and Russia.

The use of .chm files by Chinese state-sponsored actors is not particularly common outside of South Korea but has been seen both in TAG-74 campaigns and in activity attributed to North Korean state-sponsored threat activity groups, such as Kimsuky and APT37, in activity targeting South Korea ([1](https://asec.ahnlab.com/jp/53039/), 2). Network defenders should consider monitoring for the presence and use of .chm files, especially if they are not typically used within their environment. Generally, the use of more unusual file types for initial access, such as .chm, has [increased in prevalence following a shift away from macro usage](https://www.proofpoint.com/sites/default/files/misc/pfpt-us-threat-research-2023-05-12-cybercrime-experimentation.pdf) by threat actors throughout 2022 and 2023.
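The DNS RPZ mitigation recommended above can be derived directly from the spoof domains in Tables 2 and 3: every one of them sits under a commercial DDNS parent, so the policy zone only needs one wildcard entry per parent. The following script is an added example (not Recorded Future's tooling and not a published zone) that extracts those parents, renders a BIND-style RPZ zone that returns NXDOMAIN for them and all their subdomains, and simulates what a resolver loaded with that zone would answer for a given name. The zone origin and SOA values are placeholders.

```python
# Spoof domains from Tables 2 and 3 with the [.] defanging removed.
SPOOF_DOMAINS = [
    "attachdaum.servecounterstrike.com", "attachmaildaum.servecounterstrike.com",
    "attachmaildaum.serveblog.net", "logindaums.ddnsking.com", "loginsdaum.viewdns.net",
    "bizmeka.viewdns.net", "hamonsoft.serveblog.net", "hanseo1.hopto.org",
    "hometax.onthewifi.com", "mailplug.ddnsking.com", "minjoo2.servehttp.com",
    "necgo.serveblog.net", "pixoneer.myvnc.com", "puacgo1.servemp3.com",
    "satreci.bounceme.net", "sejonglog.hopto.org", "unipedu.servebeer.com",
    "formsgle.freedynamicdns.net", "sarang.serveminecraft.net",
]


def ddns_parents(fqdns):
    """Registered DDNS parent (last two labels) of each spoof domain, deduplicated and sorted."""
    return sorted({".".join(f.lower().strip(".").split(".")[-2:]) for f in fqdns})


def rpz_zone(parents, origin="rpz.ddns.local"):
    """Render an RPZ zone: 'name CNAME .' is the RPZ action for NXDOMAIN; the wildcard covers subdomains."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        "@ IN SOA localhost. hostmaster.localhost. ( 2023091901 3600 600 86400 60 )",
        "@ IN NS localhost.",
    ]
    for parent in parents:
        lines.append(f"{parent} CNAME .")    # the parent domain itself
        lines.append(f"*.{parent} CNAME .")  # every host registered under it
    return "\n".join(lines) + "\n"


def rpz_action(qname, parents):
    """Simulate the resolver: NXDOMAIN if qname is a blocked parent or sits under one, else pass."""
    labels = qname.lower().strip(".").split(".")
    blocked = set(parents)
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocked:
            return "NXDOMAIN"
    return "pass"


if __name__ == "__main__":
    parents = ddns_parents(SPOOF_DOMAINS)
    print(rpz_zone(parents))
    for q in ("hanseo1.hopto.org", "deep.sub.ddnsking.com", "www.recordedfuture.com"):
        print(q, "->", rpz_action(q, parents))
```

Blocking at the parent rather than the individual spoof domain is what makes the rule durable, since the actor can register a new host under the same provider at any time. Where an outright block is not yet acceptable, the RPZ action `CNAME rpz-passthru.` answers the query normally while still logging the policy hit, which satisfies the "blocked and logged" recommendation in a monitor-only first phase.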
## Appendix A — Indicators of Compromise

## Appendix B — Mitre ATT&CK Techniques

|Tactic: Technique|ATT&CK Code|
|---|---|
|Initial Access - Spearphishing Attachment|T1566.001|
|Execution - Command and Scripting Interpreter: Visual Basic|T1059.005|
|Execution - User Execution: Malicious File|T1204.002|
|Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|T1547.001|
|Defense Evasion - Hijack Execution Flow: DLL Search Order Hijacking|T1574.001|
|Defense Evasion - System Binary Proxy Execution: Compiled HTML File|T1218.001|
|Defense Evasion - Execution Guardrails|T1480|
|Discovery - Software Discovery: Security Software Discovery|T1518.001|
|Command and Control - Data Encoding: Standard Encoding|T1132.001|
|Command and Control - Application Layer Protocol: Web Protocols|T1071.001|
|Command and Control - Encrypted Channel: Symmetric Cryptography|T1573.001|
|Exfiltration - Exfiltration Over C2 Channel|T1041|

## Appendix C — Diamond Model of Intrusion Analysis

About Insikt Group®

Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience.
Their mission is to produce intelligence that reduces risk for clients, enables tangible outcomes, and prevents business disruption.

About Recorded Future

Recorded Future is the world’s largest threat intelligence company. Recorded Future’s Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering clients to act with speed and confidence to reduce risk and securely drive business forward. Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,700 businesses and government organizations across more than 75 countries to provide real-time, unbiased and actionable intelligence. Learn more at [recordedfuture.com](http://www.recordedfuture.com/).