
China-linked APT targets corporate SQL databases for sensitive data  


A previously undocumented nation-state actor, tracked as Phantom Taurus and now attributed to China, has been observed targeting government and telecommunications organizations across Africa, the Middle East and Asia.

In a Sept. 30 blog post, Unit 42 researchers said Phantom Taurus takes an interest in finding sensitive, non-public information in diplomatic communications, defense-related intelligence, and the operations of critical government ministries.

What sets Phantom Taurus apart from other China-linked advanced persistent threat (APT) groups is its distinctive set of tactics, techniques, and procedures (TTPs) that let the actor conduct highly covert operations and maintain long dwell times.

“Phantom Taurus’ latest activity moves beyond traditional email harvesting to directly targeting and exfiltrating high-value data from corporate SQL databases,” explained Lauren Rucker, senior cyber threat intelligence analyst at Deepwatch.

Rucker added that Phantom Taurus’s new methodology is exceptionally difficult to detect as it relies on a custom, fileless malware suite called Net-Star, which operates entirely within the memory of IIS web servers.

“This malware leaves no footprint for traditional antivirus to find and was designed to actively blind modern security solutions like EDR by disabling critical Windows security monitoring features,” said Rucker.

“By combining in-memory malware with ‘living-off-the-land’ techniques, threat actors can conduct espionage operations with long-range dwell times.”
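An implant that lives inside an IIS worker process and issues database queries itself still leaves a trail on the database side, even when the web server shows nothing on disk. The following hunting heuristic is an added illustration and is not code from the SC Media article, Deepwatch or Unit 42. It runs over constructed SQL Server audit-style records; the column layout, host names, service accounts, row-count threshold and business-hours window are all assumptions chosen for the example. It flags bulk reads originating from the web tier, bulk reads outside business hours, and a single web-tier session sweeping several databases within a short window.

```python
"""Hunt for bulk database reads issued from the web tier (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records for the example: timestamp, client host, login, database, statement, rows returned.
# The format is an assumption; a real deployment would read an exported SQL Server audit or
# Extended Events log instead.
SAMPLE_AUDIT = """\
2025-09-12T02:14:07Z,WEB01,svc_web,CRM,SELECT * FROM dbo.Contacts,48213
2025-09-12T02:15:31Z,WEB01,svc_web,CRM,SELECT * FROM dbo.Correspondence,91337
2025-09-12T02:16:02Z,WEB01,svc_web,HR,SELECT * FROM dbo.Personnel,12044
2025-09-12T09:31:44Z,WEB01,svc_web,CRM,SELECT Name FROM dbo.Contacts WHERE Id=@p1,1
2025-09-12T10:02:19Z,APP07,svc_app,HR,SELECT * FROM dbo.Personnel,12044
"""

WEB_TIER_HOSTS = {"WEB01", "WEB02"}      # assumption: the IIS front ends
BULK_ROWS = 10_000                        # assumption: rows per statement that count as a bulk read
SWEEP_WINDOW = timedelta(minutes=30)      # assumption: window for the cross-database sweep signal
SWEEP_MIN_DATABASES = 2
BUSINESS_HOURS = range(7, 20)             # assumption: 07:00 to 19:59 UTC is normal activity


def parse_audit(text):
    """Parse the comma-separated audit export into dicts; the statement may itself contain commas."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        ts, host, login, database = fields[:4]
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host,
            "login": login,
            "database": database,
            "statement": ",".join(fields[4:-1]),
            "rows": int(fields[-1]),
        })
    return records


def hunt(records):
    """Return alerts for bulk reads from the web tier and for cross-database sweeps by one session."""
    alerts = []
    bulk_by_session = defaultdict(list)

    # Signal 1 and 2: a web-tier host pulling a large result set, optionally outside business hours.
    for r in records:
        if r["host"] not in WEB_TIER_HOSTS or r["rows"] < BULK_ROWS:
            continue
        reasons = ["bulk read from web tier"]
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        alerts.append({
            "ts": r["ts"], "host": r["host"], "login": r["login"],
            "database": r["database"], "rows": r["rows"], "reasons": reasons,
        })
        bulk_by_session[(r["host"], r["login"])].append(r)

    # Signal 3: the same host/login bulk-reading several databases within the sweep window.
    for (host, login), rs in bulk_by_session.items():
        rs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(rs):
            dbs = {r["database"] for r in rs[i:] if r["ts"] - first["ts"] <= SWEEP_WINDOW}
            if len(dbs) >= SWEEP_MIN_DATABASES:
                alerts.append({
                    "ts": first["ts"], "host": host, "login": login,
                    "databases": sorted(dbs), "reasons": ["cross-database sweep"],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in hunt(parse_audit(SAMPLE_AUDIT)):
        print(alert)
```

The two legitimate-looking records (a single-row parameterized lookup from the web server, and a bulk read from an application host that is not in the web tier) produce no alert; the three night-time full-table reads from WEB01 each fire, and together they also fire the sweep signal because they touch both CRM and HR within two minutes. Tuning the thresholds to the environment's real baseline is the work that makes this useful rather than noisy.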

Trey Ford, chief strategy and trust officer at Bugcrowd, added that the in-memory lifecycle of the Net-Star malware suite makes detection and forensic analysis more difficult over time: it leaves far fewer artifacts to investigate upon discovery, and it further obfuscates those artifacts by manipulating timestamps.

“Longer term operational campaigns are clearly aligned with nation-state backing, and are best detected by well-funded, durable detection analysis teams, often found backed by vendors,” said Ford. “This kind of work is expensive to build in-house, and also hard to defend in an annual budget.”
