Article Details

Scrape Timestamp (UTC): 2023-09-26 09:50:33.158

Source: https://thehackernews.com/2023/09/chinese-hackers-tag-74-targets-south.html

Original Article Text


Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign

A "multi-year" Chinese state-sponsored cyber espionage campaign has been observed targeting South Korean academic, political, and government organizations. Recorded Future's Insikt Group, which is tracking the activity under the moniker TAG-74, said the adversary has been linked to "Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia." The cybersecurity firm characterized the targeting of South Korean academic institutions as aligned with China's broader efforts to conduct intellectual property theft and expand its influence, and as further motivated by South Korea's strategic relations with the U.S.

Social engineering attacks mounted by the adversary use Microsoft Compiled HTML Help (CHM) file lures to drop a custom variant of an open-source Visual Basic Script backdoor called ReVBShell, which subsequently serves to deploy the Bisonal remote access trojan. ReVBShell is configured to sleep for an interval specified by a command issued from the remote server, which can change that interval at will. It also uses Base64 encoding to mask the command-and-control (C2) traffic.

The use of ReVBShell has been tied to two other China-nexus clusters known as Tick and Tonto Team, with the latter attributed to an identical infection sequence by the AhnLab Security Emergency Response Center (ASEC) in April 2023. Bisonal is a multi-functional trojan that can harvest process and file information, execute commands and files, terminate processes, download and upload files, and delete arbitrary files on disk.
TAG-74 is said to be closely related to Tick, once again highlighting the prevalent tool sharing among Chinese threat groups. "The observed TAG-74 campaign is indicative of the group's long-term intelligence collection objectives against South Korean targets," Recorded Future said. "Given the group's persistent focus on South Korean organizations over many years and the likely operational purview of the Northern Theater Command, the group is likely to continue to be highly active in conducting long-term intelligence-gathering on strategic targets within South Korea as well as in Japan and Russia."
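The article describes two observable traits of the chain: a CHM lure that drops a VBScript backdoor, and C2 traffic masked with Base64, including a server-set sleep interval. The script below is an added example written for this page, not code from The Hacker News, Recorded Future or the malware authors; it shows how a defender could hunt for both traits over telemetry. It assumes two things not stated in the article: that a CHM lure has to launch a Windows script host or shell from the HTML Help viewer (`hh.exe`) to run VBScript, and that beacon bodies carry Base64 command strings. All process records, HTTP lines, hostnames and the decoded command text are constructed for the example and are not indicators from the report.

```python
"""Added example: two defender-side checks for a CHM-to-VBScript lure and
Base64-masked C2 commands. Every sample record below is constructed; the
hh.exe parent/child heuristic is an assumption, not something the article
states."""
import base64
import re

# Constructed process-creation records: (parent_image, image, command_line).
# hh.exe is the Microsoft HTML Help viewer that opens .chm files; the file
# names and paths here are made up for the example.
SAMPLE_PROCESS_EVENTS = [
    ("explorer.exe", "hh.exe", r'hh.exe "C:\Users\alice\Downloads\invitation.chm"'),
    ("hh.exe", "wscript.exe", r"wscript.exe //e:vbscript C:\Users\alice\AppData\Local\Temp\update.txt"),
    ("explorer.exe", "winword.exe", r"winword.exe C:\Users\alice\Documents\report.docx"),
    ("hh.exe", "cmd.exe", r"cmd.exe /c start C:\Users\alice\AppData\Local\Temp\run.vbs"),
    ("svchost.exe", "cscript.exe", r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"),
]

# Script hosts and shells a CHM lure would have to launch to run VBScript.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}


def flag_chm_script_launch(events):
    """Return the records where the HTML Help viewer spawns a script host.

    Legitimate CHM documentation rarely needs wscript/cscript/cmd, so this
    parent/child pair is a cheap hunting signal for CHM-based lures.
    """
    return [
        (parent, image, cmdline)
        for parent, image, cmdline in events
        if parent.lower() == "hh.exe" and image.lower() in SCRIPT_HOSTS
    ]


# Constructed HTTP request summaries. Two of them carry the kind of Base64-
# masked command the article mentions (a sleep interval set by the server);
# "c2xlZXAgNjA=" is simply base64("sleep 60") and not a real indicator.
SAMPLE_HTTP_LINES = [
    "POST /update.php HTTP/1.1 host=198.51.100.7 body=cmd=c2xlZXAgNjA=",
    "GET /index.html HTTP/1.1 host=www.example.org",
    "POST /update.php HTTP/1.1 host=198.51.100.7 body=cmd=c2xlZXAgMzAw",
    "GET /login HTTP/1.1 host=www.example.org cookie=token=abcdefgh12345",
]

# Runs of Base64 alphabet characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def decode_base64_tokens(line):
    """Map every Base64-looking token in a line to its decoded ASCII text.

    Tokens that are not valid Base64 (bad padding, stray characters) or that
    decode to non-printable bytes are skipped, which drops most benign
    identifiers such as session tokens.
    """
    decoded = {}
    for match in B64_TOKEN.finditer(line):
        token = match.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw and all(32 <= b < 127 for b in raw):
            decoded[token] = raw.decode("ascii")
    return decoded


def flag_masked_commands(lines):
    """Return (line, decoded_text) pairs whose decoded Base64 starts with a
    backdoor-style verb. The verb list is illustrative, not ReVBShell's."""
    verbs = ("sleep", "cmd", "exec", "download", "upload", "kill")
    hits = []
    for line in lines:
        for _token, text in decode_base64_tokens(line).items():
            if text.split(" ", 1)[0].lower() in verbs:
                hits.append((line, text))
    return hits


if __name__ == "__main__":
    for hit in flag_chm_script_launch(SAMPLE_PROCESS_EVENTS):
        print("CHM viewer launched script host:", hit)
    for line, text in flag_masked_commands(SAMPLE_HTTP_LINES):
        print("masked command", repr(text), "in:", line)
```

Both checks are deliberately narrow: the process rule keys on one parent/child relationship rather than on file hashes, so it survives a rebuilt lure, and the traffic rule only reports tokens that decode to printable text beginning with a command-like word, which keeps random session identifiers out of the alert queue.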

Daily Brief Summary

NATION STATE ACTIVITY // Chinese State-Sponsored Hacker Group TAG-74 Launches Cyber Espionage Campaign Against South Korea

Chinese state-sponsored hacker group, TAG-74, has launched a multi-year cyber espionage campaign targeting South Korea's academic, political, and government organizations.

The cyberattacks are reportedly linked to Chinese military intelligence and pose a significant threat to various sectors, including academia, aerospace, defense, government, military, and politics in South Korea, Japan, and Russia.

TAG-74 has been targeting South Korean academic institutions in particular, aligning with China's broader agenda of intellectual property theft and expansion of influence.

The hackers use social engineering attacks and Microsoft Compiled HTML Help (CHM) file lures to deploy a custom variant of an open-source Visual Basic Script backdoor called ReVBShell, which is then used to install the Bisonal remote access trojan.

TAG-74 is said to be closely related to another Chinese hacking group, Tick, reflecting extensive tool sharing among Chinese threat groups.

Security firm Recorded Future expects TAG-74’s espionage activities to retain their focus on South Korea over many years, while also targeting strategic targets within Japan and Russia.