TA428 utilised the PortDoor malware in recent espionage attacks

August 18, 2022

In January 2022, security researchers detected a series of cyberattacks that used the PortDoor backdoor to compromise targets, mostly government bodies and law enforcement agencies in several Eastern European and Asian countries.

These campaigns have been attributed to TA428, a China-based advanced persistent threat (APT) group best known for cyberespionage operations against countries across Eastern Europe and Asia.

Once inside a targeted network, the attackers compromise system after system until they control the organisation's entire IT infrastructure. In these attacks, the researchers highlighted the group's use of PortDoor, a Windows backdoor.

Sectors identified as prime targets include industrial plants, research institutes, ministries, design bureaus, and government agencies. The motive of the attacks is assessed to be espionage.

One delivery method for PortDoor is spear-phishing: emails tailored to the target and presented as containing confidential information, with the malicious payload carried in the attachment.

TA428 also exploited CVE-2017-11882, a long-patched memory-corruption vulnerability in the Microsoft Office Equation Editor (EQNEDT32.EXE) that is triggered by a crafted document, as a delivery vector for PortDoor.
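Exploitation of CVE-2017-11882 leaves a recognisable host-level footprint. The Equation Editor runs as an out-of-process COM server, so it is normally launched by svchost.exe (the DCOM launcher) rather than by Word itself, and a legitimate Equation Editor instance never spawns other processes or opens network connections; a successful exploit almost always does one of the two. The detector below is an added example and is not code from the original article or from the researchers' report. It runs over constructed process-creation and network-connection events modelled loosely on Sysmon Event IDs 1 and 3; the field names, the sample paths and the 203.0.113.10 address are all assumptions made for the example.

```python
# Added example, not from the original article: flag the two behaviours that
# CVE-2017-11882 exploitation produces on a Windows host, namely EQNEDT32.EXE
# spawning a child process or EQNEDT32.EXE opening a network connection.
# The Event structure is a reduced, constructed stand-in for Sysmon records
# (event_id 1 = process create, 3 = network connect); field names are assumed.

from dataclasses import dataclass
from typing import Iterable, List

EQNEDT = "eqnedt32.exe"


@dataclass
class Event:
    event_id: int            # 1 = process create, 3 = network connection
    image: str               # full path of the process the event is about
    parent_image: str = ""   # parent process; only meaningful for event_id == 1
    command_line: str = ""   # only meaningful for event_id == 1
    dest_ip: str = ""        # only meaningful for event_id == 3
    dest_port: int = 0


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX style path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_eqnedt_abuse(events: Iterable[Event]) -> List[str]:
    """Return one alert string per suspicious Equation Editor event.

    Rule 1: any process whose parent is EQNEDT32.EXE (shellcode dropping and
            running a payload).
    Rule 2: any network connection made by EQNEDT32.EXE (shellcode fetching
            a second stage directly).
    """
    alerts: List[str] = []
    for ev in events:
        if ev.event_id == 1 and basename(ev.parent_image) == EQNEDT:
            alerts.append(
                f"EQNEDT32 spawned child process: {ev.image} {ev.command_line}".rstrip()
            )
        elif ev.event_id == 3 and basename(ev.image) == EQNEDT:
            alerts.append(
                f"EQNEDT32 opened network connection to {ev.dest_ip}:{ev.dest_port}"
            )
    return alerts


# Constructed sample telemetry: two benign events, two that should alert, one
# benign network event. The IP is from the 203.0.113.0/24 documentation range.
SAMPLE_EVENTS = [
    Event(1, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
          parent_image=r"C:\Windows\explorer.exe"),
    # Legitimate Equation Editor start: launched via DCOM, parent is svchost.
    Event(1, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
          parent_image=r"C:\Windows\System32\svchost.exe"),
    # Exploit: Equation Editor runs a command, which it never does legitimately.
    Event(1, r"C:\Windows\System32\cmd.exe",
          parent_image=r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
          command_line=r'cmd.exe /c "%TEMP%\update.exe"'),
    # Exploit: Equation Editor reaching out to the network.
    Event(3, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
          dest_ip="203.0.113.10", dest_port=443),
    Event(3, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
          dest_ip="203.0.113.20", dest_port=443),
]


def run_sample() -> List[str]:
    """Apply the detector to the constructed telemetry; expect two alerts."""
    return detect_eqnedt_abuse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The parent-process rule deliberately does not look at which Office application opened the document: because EQNEDT32.EXE is started through DCOM, keying on WINWORD.EXE as the parent would miss the exploit entirely. On hosts that have applied the November 2017 Office updates or had the Equation Editor removed, any EQNEDT32.EXE process-creation event at all is worth investigating.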

Once running on a compromised machine, the backdoor collects system information and sensitive files, which the operators use to plan further operations. TA428 has previously been associated with campaigns that used several other malware families, including Logtu, DNSep, Cotx, and nccTrojan.

The group has also been observed using Ladon, a well-known offensive toolkit, to move laterally across the compromised network and to escalate to domain-level privileges, from which it can reach and collect confidential files.

The harvested data is then compressed into an encrypted ZIP archive and sent to the group's C2 servers, which are hosted in several countries. A second-stage C2 server, which the researchers found to be at a Chinese IP address, receives the stolen data from the first stage.

Several detailed reports on TA428's campaigns have already been published, and the group shows no sign of stopping. Organisations, especially those in the targeted sectors, should therefore maintain layered defences against this threat.
