Suspected China-based cyber espionage group CL-STA-1087 targets Southeast Asian military organizations using custom malware AppleChris and MemFun to steal intelligence on military capabilities and Western collaborations.
A sophisticated cyber espionage campaign targeting Southeast Asian military organizations has been uncovered by Palo Alto Networks Unit 42, revealing a state-sponsored operation that has been active since at least 2020. The threat actor, tracked under the moniker CL-STA-1087, demonstrates the hallmarks of advanced persistent threat (APT) operations with its strategic patience and highly targeted intelligence collection.
According to researchers Lior Rochberger and Yoav Zemah, the campaign focuses on precision intelligence gathering rather than bulk data theft. "The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces," they noted. The attackers showed particular interest in files related to military organizational structures and strategy, including command, control, communications, computers, and intelligence (C4I) systems.
Malware Arsenal: AppleChris and MemFun
The campaign employs a sophisticated malware toolkit including two backdoors named AppleChris and MemFun, along with a credential harvester called Getpass. The infection sequence begins with the deployment of AppleChris, which comes in different versions dropped across target endpoints following lateral movement to maintain persistence and evade signature-based detection.
AppleChris initiates contact with command-and-control (C2) servers to receive commands that allow it to conduct drive enumeration, directory listing, file upload/download/deletion, process enumeration, remote shell execution, and silent process creation. Both AppleChris variants and MemFun are designed to access a shared Pastebin account, which acts as a dead drop resolver: the paste holds the actual C2 address in Base64-encoded form, which the malware decodes at runtime.
One version of AppleChris also relies on Dropbox to extract C2 information, with the Pastebin-based approach used as a fallback option. The Pastebin pastes date back to September 2020, indicating the long-term nature of this operation.
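The dead drop resolver pattern described above leaves a recognisable trace in network telemetry: a non-browser process fetches a raw paste or a file-sharing URL, then shortly afterwards opens a connection to an address it had no prior relationship with. The following detection logic is an added example written for this article, not code from Unit 42 or from the malware; the proxy log format, the process names and the destination addresses are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample proxy log (not from the report):
# timestamp  host  process  method  url
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host-a chrome.exe GET https://www.example.com/
2024-03-01T08:00:05Z host-a svchost.exe GET https://pastebin.com/raw/AbCdEf12
2024-03-01T08:00:06Z host-a svchost.exe POST https://203.0.113.10:443/
2024-03-01T08:01:00Z host-b msedge.exe GET https://pastebin.com/raw/ZyXwVu98
2024-03-01T08:02:00Z host-c dllhost.exe GET https://www.dropbox.com/s/placeholder/config.txt?dl=1
"""

# Hypothetical list of services a backdoor might use as a dead drop; tune for your environment.
DEAD_DROP_PATTERNS = [
    re.compile(r"^https?://(www\.)?pastebin\.com/raw/", re.I),
    re.compile(r"^https?://(www\.)?dropbox\.com/", re.I),
]
# Browsers fetching pastes is normal user behaviour; anything else fetching them is worth a look.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url = m.groups()
    return {"ts": ts, "host": host, "process": proc.lower(), "method": method, "url": url}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_dead_drop_url(url):
    return any(p.search(url) for p in DEAD_DROP_PATTERNS)


def find_dead_drop_fetches(log_text):
    """Return records where a non-browser process fetched a dead-drop style URL."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["process"] in BROWSERS:
            continue
        if is_dead_drop_url(rec["url"]):
            hits.append(rec)
    return hits


def correlate_follow_on_connections(log_text, window_seconds=60):
    """Pair each dead-drop fetch with connections the same host/process made shortly after it.

    A fetch followed by a connection to an unrelated address within the window is
    the resolver-then-C2 sequence the article describes.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    pairs = []
    for fetch in find_dead_drop_fetches(log_text):
        t0 = _ts(fetch["ts"])
        for rec in records:
            if rec["host"] != fetch["host"] or rec["process"] != fetch["process"]:
                continue
            if is_dead_drop_url(rec["url"]):
                continue
            delta = (_ts(rec["ts"]) - t0).total_seconds()
            if 0 < delta <= window_seconds:
                pairs.append((fetch, rec))
    return pairs


if __name__ == "__main__":
    for fetch, follow in correlate_follow_on_connections(SAMPLE_LOG):
        print(f"{fetch['host']} {fetch['process']}: {fetch['url']} -> {follow['url']}")
```

In a real deployment the two functions would read from a SIEM query rather than an embedded string; the point is that the resolver fetch on its own is a weak signal, while the fetch plus a follow-on connection from the same process is a much stronger one.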
Evolution of the Threat
A second tunneler variant represents an evolution of its predecessor, using just Pastebin to get the C2 address while introducing advanced network proxy capabilities. To bypass automated security systems, some malware variants employ sandbox evasion tactics at runtime, delaying execution through sleep timers of 30 seconds (EXE) and 120 seconds (DLL) so as to outlast the typical monitoring windows of automated sandboxes.
MemFun operates through a multi-stage chain: an initial loader injects shellcode responsible for launching an in-memory downloader, whose main purpose is to retrieve C2 configuration details from Pastebin, communicate with the C2 server, and obtain a DLL that triggers the execution of the backdoor. Since the DLL is fetched from the C2 at runtime, it gives threat actors the ability to easily deliver other payloads without having to change anything, transforming MemFun into a modular malware platform.
The execution of MemFun begins with a dropper that runs anti-forensic checks before altering its own file creation timestamp to match the creation time of the Windows System directory. Subsequently, it injects the main payload into the memory of a suspended process associated with "dllhost.exe" using a technique referred to as process hollowing. This allows the malware to run under the guise of a legitimate Windows process to fly under the radar and avoid leaving additional artifacts on disk.
Credential Harvesting and Operational Security
Also deployed in the attacks is a custom version of Mimikatz known as Getpass, which escalates privileges and attempts to extract plaintext passwords, NTLM hashes, and authentication data directly from the "lsass.exe" process memory. This tool enables the threat actors to maintain persistent access even if initial backdoors are discovered.
The campaign exhibits operational patience and security awareness, with the threat actor maintaining dormant access for months while focusing on precision intelligence collection. Unit 42 detected the intrusion set after identifying suspicious PowerShell execution in which the script entered a sleep state for six hours before creating reverse shells to the C2 server.
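Both the six-hour PowerShell sleep noted here and the 30- and 120-second sleep timers used for sandbox evasion are the same idea at different scales: wait out whoever is watching, then reach out to the network. A lightweight static triage check for scripts pulled from script-block logging is shown below as an added example for this article (not Unit 42 tooling); the two sample scripts are constructed, and the indicator list and the threshold are assumptions to tune. It also reports the longest sleep it finds, so the shorter sandbox-evasion values can be surfaced by lowering the threshold.

```python
import re

# Constructed sample: a long sleep followed by a raw socket constructor.
SAMPLE_SCRIPT = """\
$cfg = Get-Content C:\\ProgramData\\app\\cfg.txt
Start-Sleep -Seconds 21600
$c = New-Object System.Net.Sockets.TCPClient($cfg, 443)
"""

# Constructed sample: an ordinary admin script with a short pause and no networking.
BENIGN_SCRIPT = """\
Get-Service | Where-Object Status -eq Running
Start-Sleep -Seconds 5
"""

# Start-Sleep in seconds (positional, -s, or -Seconds), in milliseconds, and the .NET Thread.Sleep form.
SLEEP_SECONDS_RE = re.compile(r"Start-Sleep\s+(?:-(?:s|seconds)\s+)?(\d+)", re.I)
SLEEP_MS_RE = re.compile(r"Start-Sleep\s+-(?:ms|milliseconds)\s+(\d+)", re.I)
THREAD_SLEEP_RE = re.compile(r"\[System\.Threading\.Thread\]::Sleep\((\d+)\)", re.I)

# Assumed network primitives worth pairing with a long sleep; extend as needed.
NETWORK_INDICATORS = {
    "TCPClient": re.compile(r"Net\.Sockets\.TCPClient", re.I),
    "WebClient": re.compile(r"Net\.WebClient", re.I),
    "Invoke-WebRequest": re.compile(r"Invoke-WebRequest|\biwr\b", re.I),
    "pastebin-raw": re.compile(r"pastebin\.com/raw", re.I),
}


def max_sleep_seconds(script):
    """Longest single sleep in the script, normalised to seconds."""
    longest = 0.0
    for m in SLEEP_SECONDS_RE.finditer(script):
        longest = max(longest, float(m.group(1)))
    for m in SLEEP_MS_RE.finditer(script):
        longest = max(longest, float(m.group(1)) / 1000)
    for m in THREAD_SLEEP_RE.finditer(script):  # Thread.Sleep takes milliseconds
        longest = max(longest, float(m.group(1)) / 1000)
    return longest


def network_indicators(script):
    return [name for name, rx in NETWORK_INDICATORS.items() if rx.search(script)]


def score_script(script, long_sleep_threshold=600):
    """Flag a script that sleeps at least the threshold and also touches the network."""
    sleep = max_sleep_seconds(script)
    indicators = network_indicators(script)
    return {
        "max_sleep_seconds": sleep,
        "network_indicators": indicators,
        "suspicious": sleep >= long_sleep_threshold and bool(indicators),
    }


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, score_script(text))
```

A heuristic like this belongs in triage, not in a blocking control: plenty of legitimate maintenance scripts sleep and then call out, which is why the result carries the sleep length and the indicator names rather than a bare verdict.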
The exact initial access vector used in the attack remains unknown, but the sophisticated nature of the campaign suggests it may involve spear-phishing, supply chain compromise, or exploitation of network vulnerabilities. The attackers' focus on military capabilities, organizational structures, and Western military collaborations indicates a clear strategic objective aligned with state-sponsored intelligence gathering.
The campaign's longevity and sophistication highlight the persistent threat posed by state-sponsored cyber operations targeting military and defense organizations, particularly in regions of strategic interest to nation-state actors.