Operation SalmonSlalom

A sophisticated cyberattack targeting industrial organizations in the Asia-Pacific region has been uncovered. The attackers used legitimate Chinese cloud services and a multi-stage payload delivery framework to evade detection. The campaign, named SalmonSlalom, combined several techniques: hosting payloads on a legitimate file-hosting CDN, encrypting them with publicly available packers, changing C2 addresses dynamically, and DLL sideloading (a trusted, typically signed executable is made to load a malicious DLL placed beside it). The attack shares tooling with earlier campaigns built on open-source RATs such as Gh0st RAT and FatalRAT, but shows a shift in tactics tailored to Chinese-speaking targets. The malware installation process is complex, involving multiple stages and the use of legitimate applications to disguise malicious activity.

Author: AlienVault

Related Tags:
SimayRAT

FatalRAT

Moudoor

Mydoor

gh0st RAT – S0032

Malaysia

DLL Sideloading

T1070.001 (Indicator Removal: Clear Windows Event Logs)

T1056.001 (Input Capture: Keylogging)

Associated Indicators (SHA-256 file hashes):
7AD450932E55D2BB6C81DD01CB36A3134C12CF4BA51C743F3A88EB955868C1F9

013A681FF8C09B5FAB6218F4AA493627652C9EC7C6BA88291980B6E00E151201

A996E4C18AE4C4563DB0767CB230B24279DAEB3F62EE62B061D2EE076D81BDFD

20A418E0DE5890E79C9A628EEEBE1208244F5D90D12CF8124F4424C8720299CE

03045010BD0D618E7AA872E952ABB987891BEFDC5AB70B7F82BE30D4F64F6F93

9F61BC02326BCA563F45642167F5D40A2DB0BC40B137BAFB3E8C3318DB852199

559861AD0BE5526819650D26566AD6CA25DD0F54DF0A81352006E75A5DA3D92B

58ED95527D5DAE930308DC5862934BA6811216F4CD68F7AAC30ED8DF0B180EDA

07272A51D1F6A7BE8C45CC097BF821267D258EB2378D32C95C4601CD000366C9
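As an added example that is not part of the original pulse, the following Python script shows one way to operationalize the hash list above: it takes the indicators in the page's own layout (one per line, blank lines between them), extracts every SHA-256 value while ignoring anything else, and walks a directory tree hashing files against the set. The two files written in demo() and the extra hash added there are constructed purely so that a match can be shown; none of the nine real indicators will match anything on a clean machine.

```python
"""Scan a directory tree for files whose SHA-256 matches the SalmonSlalom IOCs."""
import hashlib
import os
import re
import tempfile

# The nine SHA-256 hashes listed on the page, copied in the page's own layout.
PULSE_INDICATORS = """
7AD450932E55D2BB6C81DD01CB36A3134C12CF4BA51C743F3A88EB955868C1F9

013A681FF8C09B5FAB6218F4AA493627652C9EC7C6BA88291980B6E00E151201

A996E4C18AE4C4563DB0767CB230B24279DAEB3F62EE62B061D2EE076D81BDFD

20A418E0DE5890E79C9A628EEEBE1208244F5D90D12CF8124F4424C8720299CE

03045010BD0D618E7AA872E952ABB987891BEFDC5AB70B7F82BE30D4F64F6F93

9F61BC02326BCA563F45642167F5D40A2DB0BC40B137BAFB3E8C3318DB852199

559861AD0BE5526819650D26566AD6CA25DD0F54DF0A81352006E75A5DA3D92B

58ED95527D5DAE930308DC5862934BA6811216F4CD68F7AAC30ED8DF0B180EDA

07272A51D1F6A7BE8C45CC097BF821267D258EB2378D32C95C4601CD000366C9
"""

# A SHA-256 digest is exactly 64 hex digits; shorter MD5/SHA-1 values are not matched.
_SHA256_RE = re.compile(r"\b[0-9A-Fa-f]{64}\b")


def parse_sha256_iocs(text: str) -> set[str]:
    """Extract every 64-hex-digit token from free text, normalised to upper case.

    Tags, prose, blank lines and non-SHA-256 hashes are ignored, so a pulse
    page can be pasted in as-is.
    """
    return {m.group(0).upper() for m in _SHA256_RE.finditer(text)}


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def scan_tree(root: str, iocs: set[str]) -> list[tuple[str, str]]:
    """Return (path, sha256) for every regular file under root whose hash is in iocs.

    Symlinks are not followed and unreadable files are skipped rather than
    aborting the whole scan.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits


def demo() -> dict:
    """Constructed end-to-end run; no real sample is involved.

    Two files are written to a temporary directory. The hash of one of them is
    added to the IOC set (a constructed indicator, labelled as such) so that a
    match can be demonstrated; the other file must not match.
    """
    iocs = parse_sha256_iocs(PULSE_INDICATORS)
    with tempfile.TemporaryDirectory() as root:
        flagged = os.path.join(root, "sub", "update.dll")
        benign = os.path.join(root, "readme.txt")
        os.makedirs(os.path.dirname(flagged))
        with open(flagged, "wb") as fh:
            fh.write(b"constructed stand-in for a flagged sample\n")
        with open(benign, "wb") as fh:
            fh.write(b"benign file\n")
        demo_iocs = iocs | {sha256_of_file(flagged)}  # constructed IOC for the demo only
        hits = scan_tree(root, demo_iocs)
        return {
            "pulse_ioc_count": len(iocs),
            "hits": [os.path.relpath(p, root) for p, _ in hits],
            "real_ioc_hits": [p for p, d in hits if d in iocs],
        }


if __name__ == "__main__":
    print(demo())
```

For a real sweep, replace the temporary directory in demo() with the root you want to inspect (for example a share where the sideloaded DLL and its host executable would sit together) and pass the set returned by parse_sha256_iocs to scan_tree. Hash matching only catches the exact files listed; a repacked or recompiled stage will hash differently, which is why the page's behavioural markers (sideloading by a legitimate application, changing C2 addresses, event-log clearing) matter alongside the indicators.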