ChamelGang Attacks Targeting Global Infrastructure Sectors
As per recent media reports, threat actors linked to China and North Korea have been discovered targeting government and critical infrastructure sectors worldwide. Prominent among them are the ChamelGang attacks. These CamoFei ransomware attacks span from 2021 to 2023 and were aimed at the All India Institute of Medical Sciences (AIIMS), the Presidency of Brazil, and other government entities in East Asia.
In this article, we’ll learn about the attack tactics that were used and how these attempts were carried out.
ChamelGang Attacks Decoded
Between 2021 and 2023, cyber attacks on government and other vital infrastructure sectors were on the rise worldwide. The cybersecurity firms SentinelOne and Recorded Future provided a detailed analysis of these attacks and linked their behavioral attributes to the ChamelGang attacks.
Beyond this threat actor group, certain actions prevalent during these attacks have been linked to state-sponsored groups in China and North Korea. Both ransomware and data encryption techniques were identified as having been used during these attacks.
Commenting on the use of ransomware, security researchers Aleksandar Milenkoski and Julian-Ferdinand Vögele have said that:
“Threat actors in the cyber espionage ecosystem are engaging in an increasingly disturbing trend of using ransomware as a final stage in their operations for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence.”
Effectiveness Of Using Ransomware Attacks
Ransomware attacks, in this context, are effective since they allow threat actors to meet their monetary objectives as well as their goal of causing disruption. Ransomware also allows threat actors to erase evidence that could later be used for identification and that would alert defenders. Reports claim that, in the case of the ChamelGang attacks, the group's known motivations include intelligence gathering, financial gain, data theft, and denial-of-service (DoS) attacks.
ChamelGang Attack Arsenal
This threat actor group is known to possess a wide range of tools in its arsenal. Common examples include BeaconLoader, Cobalt Strike, and backdoors such as AukDoor and DoorMe. In addition, the group uses a common ransomware strain known as CatB.
The use of this ransomware strain was evident in attacks in which the group targeted Brazil and India. Its use was identified from the format of the contact email, the filename extension of the encrypted files, and the cryptocurrency wallet address.
Cyber attacks observed in 2023 were found to have leveraged an updated version of BeaconLoader. It was used to deliver Cobalt Strike for reconnaissance and post-exploitation activity, including deploying tooling and exfiltrating the NTDS.dit database file.
It is also worth mentioning that custom malware was used during the ChamelGang attacks. Both DoorMe and MDDrive have been linked to other Chinese threat groups such as REF2924 and Storm Cloud. Other elements of the ChamelGang attacks include the use of BestCrypt and Microsoft BitLocker in cyberattacks targeting various industries.
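Theft of the NTDS.dit database, as mentioned above, is one of the more detectable steps in this chain, because a domain controller's own telemetry records it. The following is an added example (not code from the original article or from the firms it cites) showing how a defender might run simple process-creation rules over constructed, Sysmon-style log lines and escalate only when several indicators stack up on one host; the event format, host names, and rule names are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample process-creation events in an assumed key=value format
# (not real telemetry). The three DC01 events model the common shadow-copy
# route to NTDS.dit; the WS07 event is benign noise that must not alert.
SAMPLE_EVENTS = [
    r'ts=2023-05-02T10:14:03Z host=DC01 user=CORP\svc_bk image=C:\Windows\System32\ntdsutil.exe cmdline="ntdsutil \"ac i ntds\" ifm \"create full C:\Temp\o\" q q"',
    r'ts=2023-05-02T10:16:41Z host=DC01 user=CORP\svc_bk image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin create shadow /for=C:"',
    r'ts=2023-05-02T10:17:05Z host=DC01 user=CORP\svc_bk image=C:\Windows\System32\cmd.exe cmdline="copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit"',
    r'ts=2023-05-02T11:00:00Z host=WS07 user=CORP\alice image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
]

# (rule name, pattern over the command line); similar logic appears in public
# Sigma rules for credential-store dumping.
RULES = [
    ("ntdsutil_ifm", re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
    ("vss_shadow_create", re.compile(r"\bvssadmin\b.*\bcreate\s+shadow\b", re.I)),
    ("ntds_dit_access", re.compile(r"ntds\.dit", re.I)),
]

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; quoted values keep escaped inner quotes."""
    out = {}
    for key, val in _KV.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        out[key] = val
    return out

def match_rules(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) pair whose command line matches."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, pat in RULES:
            if pat.search(ev.get("cmdline", "")):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "rule": name})
    return alerts

def hosts_with_dump_chain(alerts: List[Dict[str, str]], min_rules: int = 2) -> List[str]:
    """Escalate hosts where several distinct rules fired: one vssadmin call is
    routine backup noise, but shadow creation plus an NTDS.dit read is not."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)

if __name__ == "__main__":
    found = match_rules(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["user"]} -> {a["rule"]}')
    print("escalate:", hosts_with_dump_chain(found))
```

In production the same rules would be fed from Windows Security event 4688 or Sysmon event 1, with the correlation window bounded by time rather than by the whole batch.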
Conclusion
The ChamelGang attacks underscore the escalating threat of state-sponsored cybercrime targeting critical global infrastructure. Leveraging sophisticated malware and ransomware, these attacks highlight the need for robust cybersecurity measures. Continuous vigilance and advanced defenses are essential to counter these evolving threats and protect sensitive data.
The sources for this piece include The Hacker News and Vulners.