    Chinese APT group Phantom Taurus targets gov and telecom organizations

By Techurz, October 1, 2025 (updated May 10, 2026). 3 min read.

[Image: Hacker from China]
    Researchers have documented a previously unknown threat actor that aligns with China’s intelligence collection interests. The group primarily targets government and telecommunications organizations from Africa, the Middle East, and Asia with the goal of maintaining long-term covert access to critical systems.

Over the past two years, researchers from Palo Alto Networks have investigated separate clusters of malicious activity that have now been attributed to the same group: Phantom Taurus. Previously, the company tracked these attacks under temporary names such as CL-STA-0043, TGR-STA-0043, and Operation Diplomatic Specter.

    “Our observations show that Phantom Taurus’ main focus areas include ministries of foreign affairs, embassies, geopolitical events, and military operations,” the researchers wrote in their new report. “The group’s primary objective is espionage. Its attacks demonstrate stealth, persistence and an ability to quickly adapt their tactics, techniques and procedures (TTPs).”

The group's extensive toolset of custom-developed malware includes NET-STAR, a suite of three previously undocumented backdoors for Microsoft Internet Information Services (IIS) web servers. Other tools include in-memory Visual Basic script implants; the Specter malware family, which includes the TunnelSpecter DNS tunneling program and the SweetSpecter remote access trojan; Agent Racoon; PlugX; Gh0st RAT; China Chopper; Mimikatz; Impacket; and many other dual-use tools and system administration utilities.

    A change in tactics

    Previously, Phantom Taurus focused on harvesting mailboxes of interest from Exchange servers that were compromised using known vulnerabilities such as ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473). But this year the researchers noticed that the attackers had started searching for and extracting data from SQL databases.

The group uses Windows Management Instrumentation (WMI) to execute a script called mssq.bat that connects to an SQL database using the sa (system administrator) login with a password the attackers obtained earlier. The script then searches the database for keywords specified in the script and saves the results as a CSV file.

    “The threat actor used this method to search for documents of interest and information related to specific countries such as Afghanistan and Pakistan,” the researchers said.
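An added hunting example for the SQL harvesting behaviour described above; this is not code from the report. It runs three checks over constructed process-creation events (the Sysmon-style field names, the sqlcmd.exe invocation, the paths and the host names are my assumptions; the article itself names only WMI, mssq.bat, the sa login and the CSV output).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# Field names, paths, hosts and the sqlcmd.exe command line are assumptions,
# not telemetry from the report. The password is a placeholder.
SAMPLE_EVENTS = [
    {"host": "sql01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r'cmd.exe /c "C:\Windows\Temp\mssq.bat"'},
    {"host": "sql01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'sqlcmd.exe -S localhost -U sa -P PLACEHOLDER '
                r'-Q "SELECT name FROM sys.databases" -o C:\Windows\Temp\out.csv'},
    {"host": "web02", "parent": r"C:\Windows\System32\svchost.exe",   # benign scheduled task
     "cmdline": r'C:\Windows\System32\cmd.exe /c C:\backup\nightly.bat'},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


# Each rule is (name, predicate over one event). sqlcmd's -U (login) and -o
# (output file) switches are real; matching them is a hunting heuristic.
RULES = [
    ("wmi_spawned_batch",
     lambda e: basename(e["parent"]) == "wmiprvse.exe" and ".bat" in e["cmdline"].lower()),
    ("mssq_bat_script_name",
     lambda e: "mssq.bat" in e["cmdline"].lower()),
    ("sql_sa_login_to_csv",
     lambda e: re.search(r"\s-U\s+[sS][aA]\b", e["cmdline"]) is not None
               and re.search(r"(?i)-o\s+\S+\.csv", e["cmdline"]) is not None),
]


def hunt(events):
    """Return (host, rule_name) for every event that trips a rule."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((event["host"], name))
    return hits


if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```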

    NET-STAR malware suite

    A newly discovered addition to Phantom Taurus’ toolset this year is a set of web-based backdoors designed to interact with IIS web servers.

    The main component, called IIServerCore, operates within the memory of the w3wp.exe IIS worker process and is capable of loading other fileless payloads directly into memory, executing arbitrary commands and command-line arguments.

    “The initial component of IIServerCore is an ASPX web shell named OutlookEN.aspx,” the researchers wrote. “This web shell contains an embedded Base64-compressed binary, the IIServerCore backdoor. When the web shell executes, it loads the backdoor into the memory of the w3wp.exe process and invokes the Run method, which is the main function of IIServerCore.”

    Another component, called AssemblyExecuter V1, is designed to execute .NET assembly bytecode in memory, whereas the enhanced version, AssemblyExecuter V2, is capable of bypassing the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).

    “The component’s seemingly benign code structure results in minimal flagging by antivirus engines on VirusTotal, at the time of writing this article,” the researchers said. “This demonstrates a technique that threat actors can use to create tools that avoid overt code, which detection systems might interpret as malicious.”
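A defender-side file check suggested by the description of the OutlookEN.aspx web shell above (a page carrying an embedded Base64-compressed binary); this is an added example, not code from Palo Alto Networks or the report. It assumes the payload is stored as one long base64 literal and that it inflates with gzip or zlib (the article says only "Base64-compressed"); the sample ASPX page and its dummy payload are constructed.

```python
import base64
import gzip
import random
import re
import zlib

# A long run of base64 alphabet characters inside page text (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")


def _inflate(blob):
    """Try the compression schemes assumed for the embedded payload; None if none apply."""
    for decompress in (gzip.decompress, zlib.decompress, lambda b: zlib.decompress(b, -15)):
        try:
            return decompress(blob)
        except (OSError, zlib.error, EOFError):
            continue
    return None


def scan_aspx(text):
    """Flag base64 literals that decode (optionally after inflation) to a PE image."""
    findings = []
    for match in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue
        payload = _inflate(raw) or raw
        if payload[:2] == b"MZ":   # MZ header: a Windows PE image embedded as text
            findings.append({"offset": match.start(), "encoded_len": len(match.group(0)),
                             "compressed": payload is not raw, "pe_size": len(payload)})
    return findings


# Constructed sample: a dummy "PE" (MZ header plus deterministic random filler so it
# does not compress away), gzip-compressed, base64-encoded and embedded in a fake
# ASPX page. It contains no functional code.
_dummy_pe = b"MZ" + random.Random(7).randbytes(1500)
SAMPLE_ASPX = ('<%@ Page Language="C#" %>\n<script runat="server">\n'
               'string blob = "' + base64.b64encode(gzip.compress(_dummy_pe)).decode() + '";\n'
               '</script>\n<html><body>Outlook</body></html>\n')
BENIGN_ASPX = ('<%@ Page Language="C#" %>\n<html><body>'
               '<img src="data:image/png;base64,iVBORw0KGgo="/></body></html>\n')

if __name__ == "__main__":
    print(scan_aspx(SAMPLE_ASPX))
    print(scan_aspx(BENIGN_ASPX))
```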

Phantom Taurus uses operational infrastructure that was previously associated exclusively with other Chinese threat actors, such as Iron Taurus (aka APT27), Starchy Taurus (aka Winnti), and Stately Taurus (aka Mustang Panda). However, the specific infrastructure components used by Phantom Taurus have not been observed with those groups, suggesting this is a separate group that compartmentalizes its operations.
