Salt Typhoon is once again targeting telecom companies with backdoor GhostSpider malware
- Trend Micro discovers a brand new backdoor called GhostSpider
- It can exfiltrate sensitive data and tamper with the operating system
- It was used by a Chinese state-sponsored threat actor known as Salt Typhoon
The infamous Chinese state-sponsored threat actor Salt Typhoon has been seen using a brand new backdoor malware to target telecommunications service providers.
A report from cybersecurity professionals Trend Micro analyzed the backdoor, called GhostSpider, and noted that it is used in long-term cyber espionage operations, where the main stealth mechanisms include staying exclusively in memory and encrypting communications with the C2 server.
GhostSpider is capable of a number of things, including uploading malicious modules to memory, activating the module by initializing necessary resources, performing the primary loader function (data exfiltration or system manipulation), and closing the module to free up memory and stay out of sight. Finally, it can adapt its behavior to avoid being detected while maintaining periodic communication with the C2 server.
Exploitation of endpoint errors
The Washingtonpost US authorities recently notified 150 victims, most of whom were in the DC area, that Salt Typhoon was listening in on their communications.
In its report, Trend Micro added that in addition to telecommunications, the Chinese are also targeting government agencies, technology, consulting, chemicals and transportation sectors in the US, Asia Pacific, the Middle East, South Africa and other regions. To breach the systems, Salt Typhoon allegedly exploited a number of flaws in various endpoints, including bugs in Ivant’s Connect Secure VPN, Fortinet’s FortiClient EMS, Sophos’ Firewall, and others.
While GhostSpider grabbed all the attention, Salt Typhoon was also spotted with other never-before-seen variants, including a Linux backdoor called Masol RAT, a rootkit called Demodex, and a backdoor called SnappyBee.
Known as one of the most dangerous threat actors, Salt Typhoon focuses primarily on data exfiltration and surveillance, often targeting government agencies, political figures and key industries in the US and related countries. Some of the notable victims include major US telecommunications providers such as T-Mobile, AT&T, Verizon and Lumen Technologies.
Via BleepingComputer