
ChamelGang attacks on global infrastructure sectors

According to recent media reports, threat actors linked to China and North Korea have been targeting government and critical infrastructure sectors across the world. The most notable activity among these reports is the ChamelGang attacks. The ChamelGang (CamoFei) ransomware attacks took place between 2021 and 2023 and targeted the All India Institute of Medical Sciences (AIIMS), the Presidency of Brazil, and other government entities in East Asia.

In this article, you will learn what attack tactics were used and how these attempts were carried out.

ChamelGang Attacks Decoded

Between 2021 and 2023, cyberattacks on government and other critical infrastructure sectors rose worldwide. Cybersecurity firms SentinelOne and Recorded Future have published detailed analyses of these attacks, and have linked the behavioral characteristics of this activity to ChamelGang.

Beyond the attribution to this group, certain activities common to these attacks have been linked to state-sponsored groups in China and North Korea. Both ransomware deployment and data-encryption techniques were identified during these attacks.

Commenting on the use of ransomware, security researchers Aleksandar Milenkoski and Julian-Ferdinand Vögele said:

“Cyber-espionage threat actors are engaging in an increasingly disturbing trend of using ransomware as the final stage of their operations for financial gain, disruption, distraction, misattribution, or evidence disposal.”

Effectiveness of using ransomware attacks

Ransomware is effective in this context because it lets threat actors achieve their financial and disruption goals. It also lets them destroy evidence that could later be used for identification and that would otherwise alert defenders. Reports state that in the case of the ChamelGang attacks, the group's known motives include intelligence gathering, financial gain, data theft, and denial-of-service (DoS) attacks.

ChamelGang Attack Arsenal

This group is known to have a wide range of tools in its arsenal. Common examples include BeaconLoader, Cobalt Strike, and backdoors such as AukDoor and DoorMe. The group also uses a known strain of ransomware called CatB.

The use of this ransomware strain was seen in attacks where the group targeted Brazil and India. Its presence was identified from the format of the contact email address, the file extension given to the encrypted files, and the cryptocurrency wallet address.

Cyberattacks observed in 2023 used an updated version of BeaconLoader. It was used to deliver Cobalt Strike for reconnaissance and post-exploitation activity, which included dropping additional tools and exfiltrating the NTDS.dit Active Directory database file.
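Theft of NTDS.dit, as described above, leaves a recognizable trail in process-creation telemetry: the database is locked while the domain controller runs, so it is typically reached through a shadow copy or an ntdsutil export. The following detection sketch is an added example, not code from the article or from SentinelOne or Recorded Future. It scans constructed, pipe-delimited process-creation records (event ID 4688 style: timestamp, host, event id, image, command line), flags the three well-known patterns, and then correlates them per host so that a shadow-copy creation followed shortly by an NTDS.dit reference is escalated. The log format, field order, and sample lines are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records (not from the article). Format assumed here:
# timestamp|host|event_id|image|command line
SAMPLE_EVENTS = [
    r'2023-05-02T10:14:03Z|DC01|4688|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs',
    r'2023-05-02T10:15:21Z|DC01|4688|C:\Windows\System32\ntdsutil.exe|ntdsutil "ac i ntds" "ifm" "create full C:\temp\dump" q q',
    r'2023-05-02T10:16:40Z|DC01|4688|C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=C:',
    r'2023-05-02T10:17:02Z|DC01|4688|C:\Windows\System32\cmd.exe|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\n.dit',
    r'2023-05-02T10:20:00Z|WS07|4688|C:\Program Files\Notepad++\notepad++.exe|notepad++.exe notes.txt',
]

# Detection rules: name and a case-insensitive regex applied to the command line.
RULES = [
    ("ntdsutil_ifm_export", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("ntds_dit_path_reference", re.compile(r"ntds\.dit", re.I)),
    ("vss_shadow_copy_created", re.compile(r"vssadmin\s+create\s+shadow", re.I)),
]

# Rules that indicate the directory database itself was touched.
NTDS_ACCESS_RULES = {"ntdsutil_ifm_export", "ntds_dit_path_reference"}


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    event_id: int
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Split one record into its fields; the command line keeps any later '|' characters."""
    ts, host, eid, image, cmdline = line.split("|", 4)
    return ProcEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, int(eid), image, cmdline)


def match_rules(ev: ProcEvent) -> List[str]:
    """Return the names of all rules whose regex matches the event's command line."""
    return [name for name, rx in RULES if rx.search(ev.cmdline)]


def scan(lines: List[str]) -> List[Dict]:
    """Run every rule over every process-creation event and collect the hits in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.event_id != 4688:  # only process-creation events carry a command line here
            continue
        for name in match_rules(ev):
            findings.append({"ts": ev.ts, "host": ev.host, "rule": name, "cmdline": ev.cmdline})
    return findings


def correlate(findings: List[Dict], window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Hosts where a shadow copy was created and NTDS.dit was referenced within `window` afterwards.

    A shadow copy on its own is routine (backups); the combination is the escalation signal.
    """
    by_host: Dict[str, List[Dict]] = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)
    escalated = []
    for host, fs in by_host.items():
        shadows = [f["ts"] for f in fs if f["rule"] == "vss_shadow_copy_created"]
        accesses = [f["ts"] for f in fs if f["rule"] in NTDS_ACCESS_RULES]
        if any(timedelta(0) <= (a - s) <= window for s in shadows for a in accesses):
            escalated.append(host)
    return escalated


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['host']} {h['rule']}: {h['cmdline']}")
    print("escalated hosts:", correlate(hits))
```

On the sample data the scan produces three hits on DC01 (the ntdsutil export, the shadow-copy creation, and the copy out of the shadow volume) and the correlation step escalates DC01 because the NTDS.dit copy follows the shadow copy within the window; the workstation line generates nothing. In production the same logic would read Sysmon event 1 or Windows Security 4688 records rather than a hand-built list.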

It is also worth mentioning that custom malware was used in the ChamelGang attacks. Both DoorMe and MGDrive have been associated with other Chinese threat groups such as REF2924 and Storm Cloud. Other tooling seen in the ChamelGang attacks includes the disk-encryption utilities BestCrypt and Microsoft BitLocker, which were used in cyberattacks targeting various industries.

Conclusion

The ChamelGang attacks underscore the growing threat of state-sponsored cybercrime targeting critical global infrastructure. Because they leverage sophisticated malware and ransomware, these attacks highlight the need for robust cybersecurity measures. Continuous vigilance and advanced defensive measures are essential to counter these evolving threats and protect sensitive data.

The sources of this text are The Hacker News and Vulners.

The article ChamelGang attacks on global infrastructure sectors appeared first on TuxCare.

*** This is a syndicated Security Bloggers Network blog from TuxCare, authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/chamelgang-attacks-targeting-global-infrastructure-sectors/