Pierluigi Paganini September 25, 2023

A stealthy APT group tracked as Gelsemium was observed targeting a Southeast Asian government between 2022 and 2023.

Palo Alto Unit42 researchers an APT group tracked as Gelsemium targeting a Southeast Asian government.

The experts tracked the cluster as CL-STA-0046, the malicious activity spanned over six months between 2022-2023.

The activity was characterized by the use of a combination of rare tools and techniques to gain access to the target network and collect intelligence from sensitive IIS server.

Gelsemium is a group focused on cyberespionage that has been active since at least 2014. The previous campaigns associated with this group targeted government, education, and electronic manufacturers in East Asia and the Middle East.

The activity of the group was described by ESET in June 2021, the experts pointed out that the group’s abilities allowed the APT to remain mostly under the radar.

The APT group was observed using an array of web shells along with the OwlProxy and SessionManager backdoors.

The threat actor leveraged several web shells for initial access to a compromised web server, including reGeorg, China Chopper, and the AspxSpy web shell. The experts noticed that one of the AspxSpy web shells employed by Gelsemium was reportedly used by Iron Taurus (aka APT 27) for the operation Iron Tiger in 2015.

The group also used web shells to perform basic network reconnaissance, moved laterally via SMB, and fetched additional tools. Threat actors also used additional tools, including OwlProxy, SessionManager, Cobalt Strike, SpoolFool, and EarthWorm.

During Unit42’s investigation, the experts observed several unsuccessful attempts to install a variant of the custom backdoor SessionManger on a compromised web server.

OwlProxy is a unique and custom tool used by the group. OwlProxy is an HTTP proxy with backdoor functionality, it was first spotted in April 2020 in an attack targeting the Taiwanese government.

“Unit 42 assesses with moderate confidence that the activity observed in CL-STA-0046 is associated with the Gelsemium APT group. This assessment is based on the unique combination of malware that attackers used in CL-STA-0046, namely the SessionManager IIS backdoor and OwlProxy.” concludes Palo Alto Networks. “CL-STA-0046 is one of three clusters that we observed targeting the government sector in a country in Southeast Asia. Unit 42 associates the activity observed by the threat actor behind CL-STA-0046 to the Gelsemium APT group with a moderate level of confidence.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Gelsemium APT)