Asian Military and Government Organizations Attacked by Hackers Using Uncommon Stealth Tactics

Stealth Techniques Used to Infect High-Level Organizations in Southeast Asia

An ongoing campaign in Southeast Asia is using two stealth techniques, “GrimResource” and “AppDomainManager Injection,” to infect high-level organizations in the region. The techniques are being used by an attacker with similarities to China’s APT41 and have been observed targeting government agencies in Taiwan, the Philippine military, and energy organizations in Vietnam.

“GrimResource” allows attackers to execute arbitrary code through the Microsoft Management Console (MMC), while “AppDomainManager Injection” loads malicious dynamic link libraries (DLLs) in a way that is easier than traditional sideloading. Although AppDomainManager Injection has been known for about seven years, it is rarely seen in malicious campaigns in the wild.

The attackers are dropping Cobalt Strike malware onto IT systems using these stealth techniques. The “GrimResource” technique starts with a ZIP file containing a file disguised as a Windows certificate or PDF icon, which is actually a management saved console (MSC) file that exploits vulnerabilities in MMC.

“AppDomainManager Injection,” on the other hand, abuses Microsoft’s .NET Framework so that a legitimate application loads and runs the attacker’s code in place of its own. This technique is easier than traditional DLL side-loading and is harder to detect.
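As an added example (not code from the original article or from any vendor named in it), the script below shows what a defender can look for on disk and in process environments for both techniques described above: for AppDomainManager Injection, the two .NET runtime settings (`appDomainManagerAssembly` / `appDomainManagerType` in an application's `.config`, or the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables) that make the runtime load an arbitrary assembly before the application starts; for GrimResource, MSC files whose `StringTable` references the `apds.dll` redirect resource or carries script content. All sample inputs, assembly names and file contents are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# AppDomainManager Injection indicators: the .NET Framework honours these two
# settings, taken from the <runtime> section of an application's .exe.config
# or from environment variables, and loads the named assembly before the
# application's own code runs. Legitimate software almost never sets them.
APPDOMAIN_CONFIG_TAGS = ("appDomainManagerAssembly", "appDomainManagerType")
APPDOMAIN_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# GrimResource indicators: a saved console's StringTable should hold display
# strings only, never a res:// reference to apds.dll or script content.
MSC_STRING_PATTERNS = (
    re.compile(r"res://[^\s\"']*apds\.dll", re.IGNORECASE),
    re.compile(r"javascript:", re.IGNORECASE),
    re.compile(r"<script", re.IGNORECASE),
)


def scan_dotnet_config(xml_text: str) -> list:
    """Return one finding per AppDomainManager setting found under <runtime>."""
    findings = []
    root = ET.fromstring(xml_text)
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag in APPDOMAIN_CONFIG_TAGS:
                findings.append(f"{child.tag}={child.get('value', '')}")
    return findings


def scan_environment(env: dict) -> list:
    """Return AppDomainManager overrides present in a process/machine environment."""
    return [f"{name}={env[name]}" for name in APPDOMAIN_ENV_VARS if name in env]


def scan_msc(xml_text: str) -> list:
    """Return StringTable entries of an MSC file that match GrimResource indicators."""
    findings = []
    root = ET.fromstring(xml_text)
    for node in root.iter("String"):
        text = node.text or ""
        if any(pattern.search(text) for pattern in MSC_STRING_PATTERNS):
            findings.append(f"String ID={node.get('ID')}: {text}")
    return findings


# Constructed samples (placeholders, not artifacts from the campaign).
BENIGN_APP_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

SUSPICIOUS_APP_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater" />
    <appDomainManagerType value="Updater.Loader" />
  </runtime>
</configuration>"""

SAMPLE_ENV = {
    "PATH": r"C:\Windows\system32",
    "APPDOMAIN_MANAGER_ASM": "Updater",
    "APPDOMAIN_MANAGER_TYPE": "Updater.Loader",
}

BENIGN_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Favorites</String>
    <String ID="2" Refs="1">Console Root</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

SUSPICIOUS_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Favorites</String>
    <String ID="3" Refs="1">res://apds.dll/redirect.html?target=javascript:PLACEHOLDER</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""


if __name__ == "__main__":
    for label, result in (
        ("benign .config", scan_dotnet_config(BENIGN_APP_CONFIG)),
        ("suspicious .config", scan_dotnet_config(SUSPICIOUS_APP_CONFIG)),
        ("environment", scan_environment(SAMPLE_ENV)),
        ("benign .msc", scan_msc(BENIGN_MSC)),
        ("suspicious .msc", scan_msc(SUSPICIOUS_MSC)),
    ):
        print(f"{label}: {result or 'no indicators'}")
```

In practice the three scanners would be run over every `*.exe.config` and `*.msc` found on mail gateways, file shares and endpoints, and `scan_environment` over the environment block of running .NET processes; any hit on a host that does not ship a custom AppDomainManager is worth an investigation rather than an automatic block, since a handful of legitimate hosting products do use the setting.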

Security experts recommend implementing strong email hygiene practices and blocking the execution of payloads to prevent such attacks. The use of advanced stealth techniques highlights the evolving tactics of threat actors targeting high-profile organizations in the region.
