A “multi-year” Chinese state-sponsored cyber espionage campaign has been observed targeting South Korean academic, political, and government organizations.
Recorded Future’s Insikt Group, which is tracking the activity under the moniker TAG-74, said the adversary has been linked to “Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia.”
Social engineering attacks mounted by the adversary make use of Microsoft Compiled HTML Help (CHM) file lures to drop a custom variant of an open-source Visual Basic Script backdoor called ReVBShell, which subsequently serves to deploy the Bisonal remote access trojan.
The use of ReVBShell has also been tied to two other China-nexus clusters, Tick and Tonto Team; the AhnLab Security Emergency Response Center (ASEC) attributed an identical infection sequence to Tonto Team in April 2023.
Bisonal is a multi-functional trojan that can harvest process and file information, execute commands and files, terminate processes, download and upload files, and delete arbitrary files on disk.
“Given the group’s persistent focus on South Korean organizations over many years and the likely operational purview of the Northern Theater Command, the group is likely to continue to be highly active in conducting long-term intelligence-gathering on strategic targets within South Korea as well as in Japan and Russia.”
Source: https://thehackernews.com/