Chinese Hackers Leverage Rare Tool to Attack Governmental Entities' Servers

A Chinese APT (Advanced Persistent Threat) group launched Operation Diplomatic Specter in late 2022, targeting political entities in the Middle East, Africa, and Asia. The campaign employs a mix of automated email exfiltration and manual intrusion to gather intelligence on politicians, military operations, and foreign affairs.

Their targets include the entire email archives of embassies and ministries, with a focus on China-related affairs, energy, military details (operations, personnel, and equipment), and the targeted countries’ relationships with the US; the actor seeks geopolitical and economic information of potential benefit to the Chinese state.

Example of embassies’ email boxes targeted by the threat actor.

Palo Alto Networks Unit 42 has been tracking a cyberespionage campaign targeting governments in the Middle East, Africa, and Asia since late 2022. The campaign, dubbed Operation Diplomatic Specter, is believed to be carried out by a Chinese state-aligned APT group.


The attackers use rare tactics and techniques, including the novel malware strains SweetSpecter and TunnelSpecter, to gain persistence on compromised systems.

Unit 42 observed the actor’s evolution over a year and assigned it the temporary actor group designation TGR-STA-0043, based on collected evidence suggesting a single actor behind the attacks.

The attackers used two custom-built backdoors, TunnelSpecter and SweetSpecter, to maintain stealthy access to their targets’ networks. The backdoors allowed the attackers to execute arbitrary commands, steal data, and deploy additional malware on the infected machines.

The analysis suggests that these backdoors borrowed code from the leaked Gh0st RAT source code but differ from other known Gh0st RAT variants. TunnelSpecter additionally implements DNS tunneling functionality.

The Gh0st RAT sample and Specter malware family used in Operation Diplomatic Specter

TunnelSpecter and SweetSpecter are backdoors that share some code with Gh0st RAT. TunnelSpecter uses DNS tunneling for stealthy data exfiltration and stores its configuration data in an uncommon registry key.

SweetSpecter communicates with its command and control server using encrypted packets over TCP and stores its configuration data in unique registry keys. The presence of Gh0st RAT and the use of the same infrastructure strongly suggest a link between these backdoors and Gh0st RAT.
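TunnelSpecter's DNS tunneling is the part of this tradecraft a defender can hunt for in resolver logs, so here is an added detection example (not Unit 42's code and not taken from the report): it scores DNS query logs per zone for the high-entropy, over-long subdomains that encoded-payload tunneling produces. The log format, the thresholds, and the placeholder zone are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (assumed format: "<ts> <client> <qtype> <qname>").
# The tunnel-like zone is a made-up placeholder, not an indicator from the report.
SAMPLE_DNS_LOG = """\
2023-01-10T09:00:01Z 10.0.0.5 A www.example.com
2023-01-10T09:00:02Z 10.0.0.5 TXT 7a6b3c9d1e2f4a5b6c7d8e9f0a1b2c3d.tunnel-placeholder.invalid
2023-01-10T09:00:03Z 10.0.0.5 TXT 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.tunnel-placeholder.invalid
2023-01-10T09:00:04Z 10.0.0.5 TXT 0123456789abcdef0123456789abcdef.tunnel-placeholder.invalid
2023-01-10T09:00:06Z 10.0.0.7 A mail.example.com
2023-01-10T09:00:07Z 10.0.0.7 AAAA cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded payload labels score near 4, hostnames far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_qname(qname: str):
    """Crude (zone, subdomain) split on the last two labels; real deployments use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def find_tunnel_candidates(log_text: str, min_queries: int = 3,
                           max_entropy: float = 3.2, max_label: int = 30) -> dict:
    """Group queries by zone; flag zones whose subdomains look like encoded payload
    (high mean entropy or over-long labels). Returns {zone: stats} for flagged zones."""
    per_zone = defaultdict(lambda: {"queries": 0, "subs": set(), "entropy_sum": 0.0, "max_label": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        zone, sub = split_qname(parts[3])
        st = per_zone[zone]
        st["queries"] += 1
        st["subs"].add(sub)
        st["entropy_sum"] += shannon_entropy(sub)
        st["max_label"] = max([st["max_label"]] + [len(lbl) for lbl in sub.split(".")])
    flagged = {}
    for zone, st in per_zone.items():
        if st["queries"] < min_queries:
            continue
        mean_entropy = st["entropy_sum"] / st["queries"]
        if mean_entropy > max_entropy or st["max_label"] > max_label:
            flagged[zone] = {"queries": st["queries"], "distinct": len(st["subs"]),
                             "mean_entropy": round(mean_entropy, 2), "max_label": st["max_label"]}
    return flagged
```

Tune the thresholds against your own resolver baseline; CDN and anti-spam lookups also produce long machine-generated labels and will need allow-listing.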

The “Game Over Good Luck By Wind” string, also mentioned in Operation Iron Tiger.

According to Palo Alto Networks, threat actors attempted to maintain access to compromised systems during Operation Diplomatic Specter by deploying a Gh0st RAT variant. 

A large file (Tpwinprn.dll) dropped by a web shell and launched through a renamed rundll32.exe process contained the Gh0st RAT variant. The variant was identified by a unique string in memory (“Game Over Good Luck By Wind”), which was also present in a Gh0st RAT variant used in APT27’s Operation Iron Tiger in 2015.

Analysis points to a strong Chinese connection behind Operation Diplomatic Specter: the attackers used shared infrastructure known to be frequented by Chinese APTs such as APT27.

The activity times align with China’s standard working hours (UTC+8), and the deployed tools included Mandarin-language comments as well as a custom Gh0st RAT, PlugX, and China Chopper, all favored by Chinese actors.

Kaaviya
https://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
