GBHackers News reports that the newly emergent Swan Vector advanced persistent threat operation is primarily targeting mechanical engineering and educational organizations in Taiwan and Japan, in attacks that were first discovered last month.
Intrusions commenced with the distribution of spear-phishing emails carrying a malicious ZIP archive that holds an LNK file, which downloads an executable that triggers the Pterois DLL implant, an analysis from Seqrite Labs revealed. After leveraging dynamic API resolution and covertly loading the required library functions, Pterois exploits Google Drive for command-and-control and authenticates with OAuth credentials to retrieve further payloads before deleting itself. Further DLL sideloading then enables execution of the Isurus implant, which performs API resolution and decrypts and runs Cobalt Strike shellcode before deploying the Cobalt Strike beacon. Swan Vector, which was first identified in December, was also noted by researchers to employ tactics akin to those of the APT10, Lazarus, and Winnti threat operations.
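A defender-side check for the initial vector described above, added here as an example and not taken from the Seqrite analysis: it inspects a ZIP attachment for Windows shortcut files by their fixed ShellLinkHeader prefix rather than trusting the file extension, and runs on a constructed sample archive with disguised entries.

```python
import io
import zipfile

# Every Windows shortcut (.lnk) starts with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID encoding.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def is_lnk(data: bytes) -> bool:
    """True if the blob carries the ShellLinkHeader prefix, whatever its file name."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def find_lnk_entries(zip_bytes: bytes) -> list[str]:
    """Return archive entry names that are LNK files by content (magic) or by extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header prefix is needed
            if is_lnk(head) or info.filename.lower().endswith(".lnk"):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: one harmless text file and two shortcut-like entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", b"plain text, nothing to see")
        # Constructed LNK-looking blobs: real header prefix, zero padding instead of a link body.
        zf.writestr("report.pdf.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("quarterly.pdf", LNK_MAGIC + b"\x00" * 40)  # disguised extension, LNK by magic
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_lnk_entries(build_sample_zip()):
        print("LNK detected in attachment:", name)
```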