Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks
The recent ethnic rebel attacks in Myanmar have put the Myanmar junta and surrounding countries on high alert. Since October 2023, a rebel alliance called the Three Brotherhood Alliance (3BHA) has been attacking Myanmar’s military across its northern regions, reportedly seizing its junta outposts and military positions. This activity has been cause of concern to China, as important trade routes have come under control of and have been destroyed by 3BHA, causing China to call for a ceasefire. Following the attacks, a meeting of Myanmar’s National Defence and Security Council (NSDC) on November 8th resulted in the junta leader General Min Aung Hlaing commenting that the country could splinter as a result of the 3BHA offensive. Five days later, martial law was declared across the northern Shan state. While these events do not seem to receive much international attention, the Association of Southeast Asian Nations (ASEAN) defense ministers have been calling for Myanmar to implement the in 2021 established Five-Point Consensus peace plan. So far, Myanmar’s military junta has failed to implement this plan, leading to Myanmar being barred from ASEAN until the plan progresses.
As these developments unfold, CSIRT-CTI has identified two campaigns exhibiting strong indications of being connected to Stately Taurus (alias Bronze President, Camaro Dragon, Earth Preta, Mustang Panda, Red Delta and Luminous Moth), both assessed to have targeted the Myanmar Ministry of Defence and Foreign Affairs. Both campaigns strongly appear to leverage techniques, tactics and procedures (TTPs) that are related to both historic and more contemporary Stately Taurus activity. The most prominent of these TTPs are the use of legitimate software including a binary developed by engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 upgrade assistant to sideload malicious Dynamic-Link Libraries (DLLs). Moreover, a significant number of campaigns attributed to this threat actor have been reported to disguise network traffic by making it appear to be related to Microsoft update traffic.
Stately Taurus has been performing cyberespionage activities since at least 2012 and is widely believed to be a Chinese Advanced Persistent Threat (APT) tasked with intelligence collection. Previously, attacks targeting government entities and non-profits across North America, Europe and Asia believed to have politically significant information were attributed to this group.
Campaign #1: Analysis of the third meeting of NDSC.zip
The first campaign observed took place on November 9th 2023 and came under our attention after a malicious archive was submitted to VirusTotal with the name Analysis of the third meeting of NDSC.zip. Upon extracting this archive, victims are shown the image in Figure 1 containing a (legitimate, signed) decoy executable and a malicious DLL in the same folder.
IOC | Value |
Analysis of the third meeting of NDSC.zip | b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18 |
Analysis of the third meeting of NDSC.exe | ce4f7e7ce82a5621b5409ccb633e27269a05ce17d1b049feda9fbc4793e6c484 |
BrMod104.dll | 2a00d95b658e11ca71a8de532999dd33ddee7f80432653427eaa885b611ddd87 |
The executable in this archive is, as mentioned, a legitimate binary originally signed by B&R Industrial Automation GmbH, which points towards engineering firm Bernecker & Rainer. Though the provided certificate expired on May 23rd 2020, it is still considered signed and valid by both Windows and VirusTotal.
Upon execution of the decoy binary, the threat actor leverages DLL Search Order Hijacking to side-load the malicious DLL with a timestamp of 03-11-2023 (shown in Figure 3). After loading the DLL, its first activity is to check for supported languages on the system, after which it performs a check whether persistence has previously been obtained. It does so by determining the presence of command line arguments. If a command line argument is not present, it proceeds by copying itself and the DLL to C:\ProgramData\gameinstall
. Once copied, a standard CurrentVersion autorun key is created with the name gameestrto and value C:\\ProgramData\\gameinstall\\Analysis of the third meeting of NDSC.exe starmygame
.
\REGISTRY\USER\S-1-5-21-578104441-166916572-4098306029-1000\Software\Microsoft\Windows\CurrentVersion\Run\gameestrto = "C:\\ProgramData\\gameinstall\\Analysis of the third meeting of NDSC.exe starmygame"
This particular command line argument starmygame added to the autorun key is indicative of earlier-achieved persistence, as the malware creates the autorun key to run future executions with this argument. This causing the execution flow to skip over the conditional on address 0x100027ba
as shown in Figure 4. Further down the function, any present command line arguments are validated to match the originally set value, which triggers further cryptographic operations leading to C2 communication.
Following the achievement of persistence, preparation is made to ping a C2 server at 123.253.32.15
and register the device. Similar to the campaign described by Lab52, it uses a standard protocol to do so. However, where previously the magic bytes were 17 03 03
, these seem to have changed to 46 77 4d
. These magic bytes are consistent throughout the requests and responses. This leads to the following protocol: <46 77 4d>+<payload size>+<payload>
.
This standard is used for all communication, even after infection. For the initial connection, the payload is also the similar: <tickcount>+<computername>+<username>.
This payload is RC4-encrypted and sent to the C2 server as shown in Figure 6. The threat actors attempt to disguise the traffic as Microsoft update traffic by adding the Host: www.asia.microsoft.com
and User-Agent: Windows-Update-Agent
headers.
The response of the C2 server to this initial connection is a piece of shellcode that is publicly documented as PUBLOAD. This shellcode, which is also RC4 encrypted, is downloaded as a DAT file and is decrypted to the second stage malware, which is a PlugX implant. Following the Lab52 research, it could be confirmed that the same type of protocol scheme is used for continued communication with the C2 server in this case. This sample too no longer impersonates www.asia.microsoft.com
, but switches to www.download.windowsupdate.com
the moment it starts taking commands.
IOC | Value |
C2 IP address | 123.253.32.15 |
Spoofed Host Header | Host: www.asia.microsoft.com |
Spoofed Host Header | www.download.windowsupdate.com |
User Agent | Windows-Update-Agent |
Autorun key | gameestrto |
CLI argument | starmygame |
Campaign #2: ASEAN Notes.iso
The second campaign was observed after being uploaded from the US and Myanmar to VirusTotal on January 17th, 2024. In the timeline surrounding the conflict in Myanmar, this is coherent with Myanmar’s junta leader meeting with a special envoy of ASEAN on January 11th in context of the violence in Myanmar. The malware sample involves an Optical Disc Image (ISO) containing LNK shortcuts, extended with a similar but slightly deviating methodology as described in campaign #1. This too matches previously documented Stately Taurus TTPs aiming at deploying a PlugX implant through multiple stages, though the delivery matches the TONESHELL malware as documented by TrendMicro.
When opening the ISO file, the victim is shown a set of LNK files and a folder structure with multiple layers named _. In addition to the ASEAN 2024.lnk file, the Mofa memo.lnk file potentially refers to the Myanmar Ministry of Foreign Affairs (MOFA), as it aligns with the narrative and is indicative of context. All LNK files (parsed with LnkParse3) are programmed to display a PDF icon to trick the user and start the office.exe binary in the directory structure below. This binary is again legitimate and signed by Microsoft. The hash of this file shows up on VirusTotal as GetCurrentRollback.exe, which is typically present in the Windows 10 Upgrade assistant. After this binary is executed, the same type of DLL side-load is performed as in the first campaign with a DLL-file called GetCurrentDeploy.dll.
This campaign proceeds identical to the TrendMicro analysis and attempts to register the device with C2. The report mentions that TONESHELL supports up to ten C2 addresses and seems to contain two IP addresses in this case (103.159.132.80
and 37.120.222.19
). The former is present in the same subnet as is documented by CheckPoint and the latter is resolved from a hardcoded domain name in the binary, openservername.com
. Remarkable is that this domain only resolves when a subdomain of www is added.
Upon execution of one of the LNK files, similar steps are taken as in campaign one. It executes the office.exe binary down in the _ directory structure and side-loads GetCurrentDeploy.dll. By doing so, it triggers the same functionality as campaign #1, verifying command line arguments and copying both files to a different directory. The only difference, which is characterising for TONESHELL, is that these copies are dropped in %PUBLIC%
instead of C:\ProgramData\gameinstall
.
At the time of writing, the C2 servers that the malware attempts to communicate with seem unresponsive. Further staging of the PlugX implant beyond findings in the binary using this sample can therefore not be verified.
IOC | Value |
ASEAN Notes.iso | a00673e35eaccf494977f4e9a957d5820a20fe6b589c796f9085a0271e8c380c |
ASEAN 2024.lnk, NS.lnk, MS.lnk, Mofa memo.lnk | e537c5da268c6a08d6e94d570e8efb17d0ca3f4013e221fadc4e0b3191499767 |
office.exe | 0d0981941cf9f1021b07b7578c45ed4c623edb16ad03a256c4cd9aaf900d723d |
GetCurrentDeploy.dll | 51d89afe0a49a3abf88ed6f032e4f0a83949fc44489fc7b45c860020f905c9d7 |
C2 IP address | 103.159.132.80 |
C2 IP address | 37.120.222.19 |
C2 Domain | openservername.com |
Autorun key | gameestrto |
CLI argument | StarWegameToyOU |
Linking the Two Campaigns
Though the malware staging of the second campaign could not be investigated, the found similarities between the first and second campaign are strong enough in order to relate the two with high confidence. Multiple indicators have been found that can attribute these attacks to Stately Taurus. Adding strength to the attribution is the ongoing controversy in Myanmar and its importance to China, which these samples seem to play into. Overall, the following similarities between the two campaigns were found.
Tactics, Techniques and Procedures
The malware samples itself were, even though different on the outside, very similar in TTPs. Both samples, one PUBLOAD and the other TONESHELL and both containing the publicly documented indicators, leveraged DLL Search Order hijacking in legitimate software to launch a stager in an attempt to download the second stage malware. Though the C2 traffic of the second campaign could not be verified, the present cryptographic functions imply that the binary was prepared for decryption. Furthermore, both samples created an autorun key with the same naming scheme (gameestrto) and persistence control mechanism by adding command line arguments to the autorun key (starmygame, StarWegameToyOU). Lastly, the binary code checking for these command line arguments are shared code and near-identical, also containing the same typing errors (erro task, erro blue). A notable additional detail in BrMod104.dll is a debug string referring to a Program Database (PDB) file at E:\work\newply\Release\new4chongf.pdb
. All details considered and given the timeline of occurrence it is probable that these samples might be related and, looking at intelligence publications that classify the observed behaviour as belonging to Stately Taurus-related malware families, are used in a Stately Taurus campaign.
Infrastructure
When investigating the two C2 servers on Censys, different certificates are registered for the two hosts. However, the same Common Name with value WIN-9JJA076EVSS
was used for both hosts. Moreover, both IP addresses are on Autonomous System 55720 (GIGABIT-MY Gigabit Hosting Sdn Bhd in Kuala Lumpur, Malaysia). Both this Common Name and AS number have been extensively documented in relation to this threat group. Of these publications, a publication by Thailand Telecommunications Sector CERT (TTC-CERT) on January 19th 2024 actually describes this Common Name as a common denominator for Stately Taurus C2 infrastructure in response to the SolidPDFCreator campaign against the Philippines that was documented by Talos Intelligence in November 2023.
Conclusion
Following the rebel attacks in northern Myanmar, China has expressed concern regarding its effect on trade routes and security around the Myanmar-China border. Myanmar’s military junta has had two meetings with the National Defence and Security Council and with ASEAN to discuss further plans. We assess that these campaigns are targeted at the Myanmar Ministry of Defence and Foreign Affairs, aligning with the developments in the country.
Due to the historic reporting of the observed Tactics, Techniques and Procedures and their similarity, it is highly likely that these attacks can be attributed to Stately Taurus, one of the most active Chinese APT groups. Stately Taurus operations are known to align with geopolitical interests of the Chinese government, including multiple cyberespionage operations against Myanmar in the past. As this group targets not only Asian, but also European and North American countries, it is advised to deploy countermeasures in order to defend against this group.
Indicators of Compromise
IOC | Value |
Analysis of the third meeting of NDSC.zip | b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18 |
Analysis of the third meeting of NDSC.exe | ce4f7e7ce82a5621b5409ccb633e27269a05ce17d1b049feda9fbc4793e6c484 |
BrMod104.dll | 2a00d95b658e11ca71a8de532999dd33ddee7f80432653427eaa885b611ddd87 |
ASEAN Notes.iso | a00673e35eaccf494977f4e9a957d5820a20fe6b589c796f9085a0271e8c380c |
office.exe | 0d0981941cf9f1021b07b7578c45ed4c623edb16ad03a256c4cd9aaf900d723d |
GetCurrentDeploy.dll | 51d89afe0a49a3abf88ed6f032e4f0a83949fc44489fc7b45c860020f905c9d7 |
ASEAN 2024.lnk, NS.lnk, MS.lnk, Mofa memo.lnk | e537c5da268c6a08d6e94d570e8efb17d0ca3f4013e221fadc4e0b3191499767 |
C2 IP address | 123.253.32.15 |
C2 IP address | 103.159.132.80 |
C2 IP address | 37.120.222.19 |
C2 Domain | openservername.com |
Certificate CN | WIN-9JJA076EVSS |
Autorun key | gameestrto |
CLI argument | starmygame |
CLI argument | StarWegameToyOU |