New Threat Actor “Grayling” Blamed For Espionage Campaign

Written by

Security researchers have shared evidence of a new APT group that targeted mainly Taiwanese organizations in a cyber-espionage campaign lasting at least four months.

Dubbed “Grayling” by Symantec, the group’s activity began in February 2023 and continued until at least May 2023, stealing sensitive information from manufacturing, IT and biomedical firms in Taiwan, as well as victims in the US, Vietnam and Pacific Islands.

The group deployed DLL sideloading through exported API “SbieDll_Hook” in order to load tools such as a Cobalt Strike Stager, that led to popular post-exploitation tool Cobalt Strike Beacon. It also installed “Havoc” – an open-source, post-exploitation command-and-control (C2) framework used in a similar way to Cobalt Strike.

Grayling used publicly available spyware tool NetSpy, exploited legacy Windows elevation of privileges bug CVE-2019-0803, and downloaded and executed shellcode, the report noted.

Read more on APT activity: Barracuda Zero-Day Exploited by Chinese Actor

“Other post-exploitation activity performed by these attackers includes using kill processes to kill all processes listed in a file called processlist.txt, and downloading the publicly available credential-dumping tool Mimikatz,” explained Symantec.

“While we do not see data being exfiltrated from victim machines, the activity we do see and the tools deployed point to the motivation behind this activity being intelligence gathering.”

The security vendor said that Grayling’s modus operandi was fairly typical of APT groups today, in blending custom and publicly available tools; the latter to help it stay under the radar. Havoc and Cobalt Strike are particularly useful, and popular, in featuring a wide range of post-exploitation capabilities.

“It is often easier for even skilled attackers to use existing tools like this than to develop custom tools of their own with similar capabilities,” Symantec continued.

“The use of publicly available tools can also make attribution of activity more difficult for investigators. The steps taken by the attackers, such as killing processes etc., also indicate that keeping this activity hidden was a priority for them.”

Although the vendor stopped short of naming a potential nation state, it’s clear that the targets sought out by Grayling align with Beijing’s geopolitical interests.

What’s hot on Infosecurity Magazine?