Operation DRAGONCLONE: Chinese Telecom Targeted by Malware

A sophisticated cyber campaign targeting China Mobile Tietong Co., Ltd., a subsidiary of China Mobile, has been uncovered. The operation, dubbed DRAGONCLONE, utilizes VELETRIX and VShell malware to infiltrate systems. The attack chain begins with a malicious ZIP file containing executable files and DLLs, exploiting DLL sideloading against Wondershare Repairit software. VELETRIX, a loader, employs anti-analysis techniques and IPFuscation to decode and execute VShell, a cross-platform OST framework. The campaign shows infrastructure overlaps with known China-nexus threat actors like UNC5174 and Earth Lamia. The attackers utilize various tools including Cobalt Strike, SuperShell, and Asset Lighthouse System for reconnaissance and post-exploitation activities.

Author: AlienVault

Related Tags:
unc5174
asset lighthouse system
earth lamia
veletrix
china-nexus
Supershell
T1497.003
cve-2024-1709
T1588.002

Associated Indicators: