Since the end of 2022, we’ve been tracking a series of highly targeted espionage intrusions aimed at governmental entities across the Middle East, Africa, and Asia. According to our findings, the main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, geopolitical events, military activities, and ministries of foreign affairs.
What was particularly interesting about these incidents, and what sets them apart from the work of other known threat actors, is the very rare set of tactics, techniques, and procedures (TTPs) seen in the attacks. Some of the TTPs had never been reported in the wild before, such as a novel and evasive in-memory webshell implant and a custom-built family of backdoors. Other rare techniques we observed included a novel Exchange email exfiltration technique that the attackers used only against a few selected targets, and a credential-stealing technique that has rarely been seen in the wild.
In our presentation, we will explore the TTPs employed by this sophisticated threat actor throughout each phase of the attack life cycle and share exclusive, previously unpublished information about the attackers’ playbook. After explaining how this threat actor operates, what exactly they were looking for, and how to hunt for them, we will walk through the attribution process, establish the connection to the Chinese nexus, and describe how we discovered a new threat actor.