Chinese cyber espionage actors, believed to be involved in the “Operation Soft Cell” campaign, have been targeting Middle Eastern telecom operators since early 2023.
The new series of attacks is part of what SentinelOne researchers described as “Operation Tainted Love,” a cyber espionage campaign that demonstrates a “well-maintained and versioned credential theft facility” and new dropper mechanisms.
SentinelOne senior threat researcher Aleksandar Milenkoski said in an advisory published today: “Once a foothold is established, attackers perform a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities.”
Milenkoski emphasized that the deployment of the group's own credential-stealing malware is the main novelty of the new campaign. That malware incorporates modified code from the Mimikatz post-exploitation tool.
One particular malware sample (referred to as mim221 by SentinelOne) also had upgraded detection-evasion capabilities.
“The use of dedicated modules that implement a suite of advanced techniques shows that the attackers are dedicated to evolving their toolset towards maximum stealth,” explains Milenkoski.
The security researcher also revealed that while the link to Operation Soft Cell was evident, the team was unable to directly attribute the campaign to a specific actor.
“This campaign has been publicly associated with Gallium, suggesting a possible connection to APT41 through the use of common code-signing certificates and tools that share code similarities. It has also been known to target providers.”
In any case, Milenkoski said the actors behind Operation Tainted Love will likely continue to upgrade their malware and target organizations in the Middle East.
“These threat actors will almost certainly continue to investigate and upgrade their tools, using new techniques to evade detection, such as integrating and modifying publicly available code,” he wrote. “SentinelLabs continues to monitor espionage activity and hopes that defenders will leverage the findings presented in this post to strengthen their defenses.”