A Chinese cyber-espionage actor likely connected with the “Operation Soft Cell” campaign has been targeting Middle East telecom providers since the beginning of 2023.
The new series of attacks are part of what SentinelOne researchers described as “Operation Tainted Love,” a cyber-espionage campaign exhibiting “a well-maintained, versioned credential theft capability” and a new dropper mechanism.
“The initial attack phase involves infiltrating internet-facing Microsoft Exchange servers to deploy web shells used for command execution,” wrote SentinelOne senior threat researcher Aleksandar Milenkoski in an advisory published earlier today. “Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement and data exfiltration activities.”
Milenkoski highlighted that the deployment of custom credential theft malware is the main novelty of the new campaign, which relies on malware incorporating modifications to the code of the Mimikatz post-exploitation tool.
A particular sample of the malware (dubbed mim221 by SentinelOne) also featured upgraded anti-detection features.
“The use of special-purpose modules that implement a range of advanced techniques shows the threat actors’ dedication to advancing its toolset towards maximum stealth,” Milenkoski explained.
The security researcher also clarified that while links to Operation Soft Cell are evident, the team could not directly link the campaign to a specific threat actor.
“That campaign has been publicly associated with Gallium, and possible connections to APT41 have been suggested by the use of a common code signing certificate and tooling that shares code similarities. APT41 is also known to target telecommunication providers.”
Either way, Milenkoski said the threat actors behind Operation Tainted Love would likely continue upgrading their malware and targeting organizations in the Middle East.
“These threat actors will almost certainly continue exploring and upgrading their tools with new techniques for evading detection, including integrating and modifying publicly available code,” he wrote. “SentinelLabs continues to monitor espionage activities and hopes that defenders will leverage the findings presented in this post to bolster their defenses.”