China-based hackers take an interest in Cambodia's elections

Group named 'TEMP.Periscope' releasing RATs says FireEye


A US-based security researcher has accused China of interfering in Cambodia's forthcoming national election.

Security vendor FireEye says it has spotted a large-scale Chinese phishing, intrusion, remote access trojan (RAT), and data exfiltration operation targeting the poll.

FireEye attributed the activity to a group dubbed “TEMP.Periscope”, previously more closely associated with targeting American engineering and maritime operations.

china

FireEye hacked off at claim it hacked Chinese military's hackers

READ MORE

The FireEye post says TEMP.Periscope footprints were found on a number of election-related entities in Cambodia: various ministries including the National Election Commission; an MP for the Cambodia National Rescue Party; human rights advocates; two Cambodian diplomats in overseas posts; and multiple media outlets.

Its analysis was based on three servers it ran over with the fingerprint brush: “chemscalere[.]com and scsnewstoday[.]com operate as typical C2 servers and hosting sites, while the third, mlcdailynews[.]com, functions as an active SCANBOX server.”

SCANBOX is an advanced persistent threat that FireEye has seen in various campaigns since 2015.

The company believes the servers were administered from Hainan in China, and they hosted malware from two new families, DADBOD and EVILTECH, as well as “previously identified malware families (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX)”.

The lynchpin of this campaign was the Javascript-based AIRBREAK backdoor, which “retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services”.

The other most active tools were the HOMEFRY password cracker and dumper; the LUNCHMONEY uploader, which sends docs to Dropbox; and a command line reconnaissance tool called MURKYTOP.

FireEye says it had seen these in previous campaigns, and it also spotted two new tools in the Cambodian operation. There's a backdoor called EVILTECH, a Javascript-based RAT; and the DADBOD credential stealer.

Attribution to China came from IP addresses logged on a server available to the company: “One of the IP addresses, 112.66.188.28, is located in Hainan, China. Other addresses belong to virtual private servers, but artifacts indicate that the computers used to log in all cases are configured with Chinese language settings.”

The SCANBOX server suggested TEMP.Periscope was also planning future campaigns targeting individuals with an interest in US-East Asia politics, Russia, and NATO affairs.

Cambodia appears to be heading for likely single-party rule, as the main opposition party has been banned and cannot run candidates in the July 29th poll. The current regime has supported Beijing in its maritime disputes in the South China Sea, annoying neighbours by doing so. Just why China would want to mess with nation's elections given the all-but-certain outcome is anyone's guess. "To show it can" may be as good an answer as any! ®


Tech Resources

How backup modernization changes the ransomware game

If the thrill of backing up your data and wondering if you will ever see it again has worn off, start the new year by getting rid of the lingering pain of legacy backup. Bipul Sinha, CEO of the Cloud Data Management Company, Rubrik, and Miguel Zatarain, Director of Global Infrastructure Technology at PACCAR, Fortune 500 manufacturer of trucks and Rubrik customer, are talking to the Reg’s Tim Phillips about how to eliminate the costly, slow and spotty performance of legacy backup, and how to modernize your implementation in 2021 to make your business more resilient.

The State of Application Security 2020

Forrester analyzed the state of application security in 2020 and found over 75% of external attacks are attributed to web application and software exploits.

Webcast Slide Deck | Three reasons you need a hybrid multicloud

Businesses need their IT teams to operate applications and data in a hybrid environment spanning on-premises private and public clouds. But this poses many challenges, such as managing complex networking, re-architecting applications for the cloud, and managing multiple infrastructure silos. There is a pressing need for a single platform that addresses these challenges - a hybrid multicloud built for the digital innovation era. Just this Regcast to find out: Why hybrid multicloud is the ideal path to accelerate cloud migration.

Top 20 Private Cloud Questions Answered

Download this asset for straight answers to your top private cloud questions.

Biting the hand that feeds IT © 1998–2021