Salt Typhoon targets telcos again with backdoor GhostSpider malware
- Trend Micro discovers brand new backdoor called GhostSpider
- It can exfiltrate sensitive data and tamper with the OS
- It was used by a Chinese state-sponsored threat actor known as Salt Typhoon
Infamous Chinese state-sponsored threat actor Salt Typhoon has been seen using a brand new backdoor malware to target telecommunication service providers.
A report from cybersecurity professionals Trend Micro analyzed the backdoor, called GhostSpider, noting it is used in long-term cyber-espionage operations, with its key stealth mechanisms include remaining exclusively in memory, and encrypting its communication with the C2 server.
GhostSpider is capable of a number of things, including uploading malicious modules into memory, activating the module by initializing necessary resources, executing the primary loader function (data exfiltration, or system tampering), and closing the module to free memory and remain out of sight. Finally, it can adjust its behavior to avoid getting detected, while maintaining periodic communication with the C2 server.
Abusing endpoint flaws
The Washington Post noted US authorities recently notified 150 victims, most of which were in the D.C. area, that Salt Typhoon was eavesdropping on their communications.
In its report, Trend Micro added besides telecommunications, the Chinese target government entities, technology, consulting, chemicals, and transportation sectors in the U.S., Asia-Pacific, Middle East, South Africa, and other regions. To breach the systems, Salt Typhoon would exploit a number of flaws in different endpoints, including bugs in Ivant’s Connect Secure VPN, Fortinet’s FortiClient EMS, Sophos’ Firewall, and others.
While GhostSpider took all the limelight, Salt Typhoon was also spotted using other, never-seen-before variants, including a Linux backdoor called Masol RAT, a rootkit called Demodex, and a backdoor named SnappyBee.
Known as one of the more dangerous threat actors, Salt Typhoon mostly focuses on data exfiltration and surveillance, often aimed at government agencies, political figures, and key industries in the U.S. and allied nations. Some of its notable victims include major U.S. telecommunications providers such as T-Mobile, AT&T, Verizon, and Lumen Technologies.
Via BleepingComputer