Concise Cyber

APT24 Deploys BADAUDIO Malware in Years-Long Espionage Campaign Targeting Taiwan

The advanced persistent threat group APT24, also tracked as Pitty Tiger and Rancor, has been linked to a years-long cyber-espionage campaign built around a previously undocumented malware family named BADAUDIO. The operation, part of a broader campaign dubbed "Trolling Twin", focused primarily on targets in Taiwan, and its supporting infrastructure spanned more than 1,000 domains worldwide. Security researchers documented the group's activity by analysing the custom tooling and the techniques it used for data exfiltration.

BADAUDIO’s Stealthy Exfiltration Method

The centerpiece of the campaign is BADAUDIO, a data-exfiltration tool. Its function is to collect sensitive information and encode it into the WAVE audio file format, representing the stolen bytes as MIDI-like audio tones so that the outbound transfer looks like ordinary audio rather than documents or plaintext. Researchers observed the malware abusing the legitimate Windows Audio Compression Manager (ACM), specifically the msacm32.drv library, to perform its encoding and compression. The disguise defeats content inspection that looks for known file types or readable strings, but it does not hide everything: the volume and timing of the "audio" uploads remain visible on the network, and a process with no audio role loading msacm32.drv is an observable host-side anomaly (image-load telemetry such as Sysmon event ID 7 records which process loaded which module), so defenders can hunt on both.
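To make the encoding idea concrete, the following is an added toy illustration of a tone-based WAVE covert channel together with a matching detection heuristic. It is written for this page and is not BADAUDIO's code; the sample rate, symbol length, 16-tone table, the detection threshold and the "hostname=..." payload are all assumed or constructed for the demo and say nothing about the real malware's parameters. It uses only the Python standard library so it runs offline.

```python
"""Toy tone channel: hide bytes in a WAV file as pure audio tones, recover them,
and score a WAV for that structure. Illustrative only; not BADAUDIO's code."""
import io
import math
import random
import struct
import wave

SAMPLE_RATE = 8000      # Hz (assumed toy parameter)
SYMBOL_SAMPLES = 400    # 50 ms per nibble; bin width is 20 Hz, so every tone is bin-exact
TONES = [600 + 100 * k for k in range(16)]   # one tone per nibble value 0..15 (assumed)
AMPLITUDE = 12000       # 16-bit PCM headroom


def _goertzel_power(samples, freq):
    """Energy of one target frequency in a block (Goertzel algorithm)."""
    n = len(samples)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def _wav_from_pcm(pcm):
    """Wrap 16-bit mono samples in a WAV container and return the file bytes."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(struct.pack("<%dh" % len(pcm), *pcm))
    return buf.getvalue()


def encode_to_wav(data: bytes) -> bytes:
    """Emit each byte as two tones (high nibble, then low nibble)."""
    pcm = []
    for byte in data:
        for nibble in (byte >> 4, byte & 0x0F):
            f = TONES[nibble]
            for i in range(SYMBOL_SAMPLES):
                pcm.append(int(AMPLITUDE * math.sin(2 * math.pi * f * i / SAMPLE_RATE)))
    return _wav_from_pcm(pcm)


def _pcm_blocks(wav_bytes):
    """Yield consecutive symbol-length blocks of samples from a WAV file."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        raw = w.readframes(w.getnframes())
    samples = struct.unpack("<%dh" % (len(raw) // 2), raw)
    for i in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        yield samples[i:i + SYMBOL_SAMPLES]


def decode_from_wav(wav_bytes: bytes) -> bytes:
    """Recover the bytes: the strongest candidate tone in each block is the nibble."""
    nibbles = []
    for block in _pcm_blocks(wav_bytes):
        powers = [_goertzel_power(block, f) for f in TONES]
        nibbles.append(max(range(16), key=powers.__getitem__))
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles) - 1, 2))


def tone_channel_score(wav_bytes: bytes) -> float:
    """Detection heuristic: mean share of candidate-tone energy held by the single
    strongest tone per block. A nibble channel sits near 1.0; broadband audio does not."""
    scores = []
    for block in _pcm_blocks(wav_bytes):
        powers = [_goertzel_power(block, f) for f in TONES]
        total = sum(powers)
        if total > 0:
            scores.append(max(powers) / total)
    return sum(scores) / len(scores) if scores else 0.0


def noise_wav(n_blocks: int, seed: int = 1) -> bytes:
    """Constructed benign control: deterministic broadband noise of n_blocks symbols."""
    rng = random.Random(seed)
    pcm = [rng.randint(-AMPLITUDE, AMPLITUDE) for _ in range(n_blocks * SYMBOL_SAMPLES)]
    return _wav_from_pcm(pcm)


if __name__ == "__main__":
    secret = b"hostname=WS01;user=alice"        # constructed sample payload
    covert = encode_to_wav(secret)
    assert decode_from_wav(covert) == secret
    print("round trip ok: %d bytes -> %d-byte WAV" % (len(secret), len(covert)))
    print("tone score: covert=%.2f noise=%.2f"
          % (tone_channel_score(covert), tone_channel_score(noise_wav(20))))
```

The score separates the two cases because a nibble channel parks almost all of the energy in one candidate tone per window, whereas speech, music or noise spreads it. A real implementation would also need framing, timing recovery and error correction, none of which the page describes, so this shows only the encoding idea and one cheap way to flag it.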

Campaign Targets and Infrastructure

The campaign showed a clear focus on entities in Taiwan, including government organisations and technology firms. Its reach was extensive: the command-and-control (C2) infrastructure involved more than 1,000 domains, and the actor compromised network devices, including routers from manufacturers such as ASUS and DrayTek, to use as C2 servers. Alongside BADAUDIO, the group was observed using other tooling during its intrusions, including the PLUGX remote access trojan (RAT) and Cobalt Strike.

The sustained, multi-year nature of the campaign underlines the persistent threat posed by APT24. Custom malware such as BADAUDIO shows the group's willingness to invest in purpose-built tooling to pursue its espionage objectives against specific geopolitical targets.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other persons' work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/