Years-Long Cyber Espionage: China's TAG-74 Targets South Korean Sectors


A prolonged cyber espionage campaign linked to Chinese state-sponsored actors has been uncovered, targeting South Korean academic, political, and government institutions. The operation, codenamed TAG-74 and attributed to Chinese military intelligence, poses a serious threat not only to South Korea but also to entities in Japan and Russia.

This campaign reflects a focused effort to steal intellectual property and bolster China's geopolitical influence, particularly in light of its strategic relationship with the United States. The attackers rely on sophisticated social engineering built around deceptive Microsoft Compiled HTML Help (CHM) files. These files serve as the delivery mechanism for a specially tailored variant of ReVBShell, a widely available Visual Basic Script backdoor. The backdoor then acts as a conduit for deploying the Bisonal remote access trojan.

ReVBShell is designed with stealth in mind. It stays dormant between check-ins, waiting for remote commands from a server that can dynamically adjust its sleep interval. To obfuscate its command-and-control (C2) communications, it encodes them in Base64.
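As an added defender-side illustration (not from the report), the Python below shows how the two traits just described, Base64-encoded exchanges and a server-controlled sleep interval, can be surfaced from web proxy logs by decoding query parameters and measuring the gaps between a client's check-ins. The log lines, hostnames and the `d` parameter name are constructed for the example.

```python
import base64
import binascii
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client IP, URL); not real traffic.
SAMPLE_LOG = """\
2023-09-01T09:00:00 10.0.0.5 http://c2.example.invalid/upd?d=aG9zdG5hbWU=
2023-09-01T09:05:00 10.0.0.5 http://c2.example.invalid/upd?d=c2xlZXAgMTgwMA==
2023-09-01T09:35:00 10.0.0.5 http://c2.example.invalid/upd?d=d2hvYW1p
2023-09-01T09:36:00 10.0.0.7 http://cdn.example.invalid/img?id=12345
"""


def decode_if_base64(value):
    """Return decoded text if value is strict Base64 of printable ASCII, else None."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_beacons(log_text):
    """Group decodable requests per (client, host) and record seconds between them.

    A growing gap right after a decoded 'sleep N' payload is the pattern that
    a server-adjusted dormancy interval leaves in the logs.
    """
    sessions = {}
    for line in log_text.splitlines():
        ts, client, url = line.split(maxsplit=2)
        parts = urlsplit(url)
        when = datetime.fromisoformat(ts)
        # Split the query manually so '+' and '=' in Base64 survive intact.
        for kv in parts.query.split("&"):
            decoded = decode_if_base64(kv.partition("=")[2])
            if decoded is None:
                continue
            key = (client, parts.hostname)
            s = sessions.setdefault(key, {"payloads": [], "gaps_s": [], "last": None})
            if s["last"] is not None:
                s["gaps_s"].append(int((when - s["last"]).total_seconds()))
            s["last"] = when
            s["payloads"].append(decoded)
    return {k: {"payloads": v["payloads"], "gaps_s": v["gaps_s"]}
            for k, v in sessions.items()}


if __name__ == "__main__":
    for key, info in find_beacons(SAMPLE_LOG).items():
        print(key, info)
```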

ReVBShell has also been used by two other Chinese threat groups, Tick and Tonto Team, which points to a significant degree of tool-sharing and collaboration among these actors. Bisonal, for its part, is a versatile trojan capable of a range of malicious activities, including information harvesting, executing files and commands, terminating processes, and manipulating files on the system.

TAG-74's association with the Tick group underscores the recurring trend of such collaboration among Chinese threat actors. The campaign is indicative of a sustained intelligence-gathering effort with South Korean targets as the primary focus. Given the historical targeting patterns and the potential scope of the group's operations, it is likely to remain highly active in its intelligence endeavors, extending its reach into Japan and Russia.
