Concise Cyber

Chinese Cyberspies Target Government Agency with BadAudio Malware via Supply Chain Attack

A China-linked cyberespionage group has targeted a high-level government agency in Southeast Asia by deploying a backdoor known as ‘BadAudio’. The attackers, identified by researchers at Yoroi as ‘Red Sesnsa’, utilized a supply chain attack to distribute the malware by compromising a legitimate software developer’s website.

The threat actor compromised the official website of a software company named Cecurity. By doing so, they were able to replace the legitimate installers for voice transcription software with trojanized versions containing the BadAudio malware. As a result, even victims who downloaded the software directly from the official source would unknowingly infect their systems.

Attack Vector: Trojanized Transcription Software

The supply chain attack focused on the installers for two specific applications: ‘Cecurity-En’ and ‘Cecurity-Vn’. These applications are designed for voice transcription and are used by various government organizations. The attackers successfully embedded the BadAudio payload within the legitimate installation packages. When an unsuspecting user executed the installer, the legitimate software was installed along with the malicious backdoor, allowing the attackers to gain access to the target’s network.
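Because the trojanized installers were served from the vendor's own download page, the only defence at download time is to check the file against a hash published through a separate channel (a signed release note, a vendor mailing list, or a copy pinned in the organisation's own software inventory) before running it. The following is an added example, not code from the original article, from Cecurity, or from the researchers; the file names and the installer bytes are constructed stand-ins, and the "pinned" hash is taken from the clean sample to represent what that out-of-band record would hold.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample bytes standing in for the legitimate installer the vendor built.
LEGIT_INSTALLER = b"MZ\x90\x00 Cecurity-En setup (constructed sample bytes)"

# Constructed sample: the same installer with extra content appended, standing in for
# a trojanized build that a compromised download page would serve in place of the original.
TROJANIZED_INSTALLER = LEGIT_INSTALLER + b"\x00" * 16 + b"appended backdoor stub (constructed)"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path, expected_sha256):
    """Return True only if the file's SHA-256 matches the pinned, out-of-band value.

    compare_digest is used so the comparison does not short-circuit on the first
    differing character; for a hash check this is a habit rather than a requirement.
    """
    actual = sha256_file(path)
    return hmac.compare_digest(actual.lower(), expected_sha256.lower())


def demo():
    """Write both constructed samples to disk and check each against the pinned hash.

    Returns (legit_passes, trojanized_passes).
    """
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "cecurity-en-setup.exe"            # hypothetical file name
        downloaded = Path(tmp) / "cecurity-en-setup-download.exe"  # hypothetical file name
        clean.write_bytes(LEGIT_INSTALLER)
        downloaded.write_bytes(TROJANIZED_INSTALLER)

        # In practice this value comes from a channel other than the download page itself.
        pinned_hash = sha256_file(clean)

        return verify_installer(clean, pinned_hash), verify_installer(downloaded, pinned_hash)


if __name__ == "__main__":
    legit_ok, trojanized_ok = demo()
    print("legitimate installer passes:", legit_ok)
    print("trojanized installer passes: ", trojanized_ok)
```

The point of the example is where the expected hash comes from: if it is read from the same web page that served the installer, an attacker who has replaced the installer can replace the hash as well, so the check only has value when the pinned value is obtained and stored independently of the download site.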

The ‘BadAudio’ Backdoor and Infrastructure

The ‘BadAudio’ malware functions as a backdoor, providing the attackers with remote command execution capabilities on an infected device. The malware establishes persistence on the host system to ensure it remains active even after a system reboot. For communication, BadAudio connects to a command-and-control (C2) server using a custom binary protocol over raw TCP sockets. Analysis of the C2 infrastructure used in this campaign has shown overlaps with servers previously associated with other China-linked advanced persistent threat (APT) groups, including the Tonto Team, also known as CactusPete.

All articles here are written with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other persons' work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
