A “multi-year” Chinese state-sponsored cyber espionage campaign has been observed targeting South Korean academic, political, and government organizations.
Recorded Future’s Insikt Group, which is tracking the activity under the moniker TAG-74, said the adversary has been linked to “Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia.”
The cybersecurity firm characterized the targeting of South Korean academic institutions as in alignment with China’s broader efforts to conduct intellectual property theft and expand its influence, not to mention motivated by the country’s strategic relations with the U.S.
Social engineering attacks mounted by the adversary make use of Microsoft Compiled HTML Help (CHM) file lures to drop a custom variant of an open-source Visual Basic Script backdoor called ReVBShell, which subsequently serves to deploy the Bisonal remote access trojan.
ReVBShell is configured to sleep for a specified interval via a command issued from a remote server that can edit the time period. It also uses Base64 encoding to mask the command-and-control (C2) traffic.
The use of ReVBShell has been tied to two other China-nexus clusters known as Tick and Tonto Team, with the latter attributed to an identical infection sequence by the AhnLab Security Emergency Response Center (ASEC) in April 2023.
Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools
Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.
TAG-74 is said to be closely related to Tick, once again highlighting the prevalent tool sharing among Chinese threat groups.
“The observed TAG-74 campaign is indicative of the group’s long-term intelligence collection objectives against South Korean targets,” Recorded Future said.
“Given the group’s persistent focus on South Korean organizations over many years and the likely operational purview of the Northern Theater Command, the group is likely to continue to be highly active in conducting long-term intelligence-gathering on strategic targets within South Korea as well as in Japan and Russia.”