Threat Insight
Sophisticated Chinese Cyber Espionage Actor
A Chinese cyber espionage group, tracked as Twill Typhoon (also known as Mustang Panda and Earth Preta), has conducted a sophisticated espionage campaign against governments, militaries and NGOs in East Asia and Europe.

According to researchers [1][2], Twill Typhoon uses several innovative techniques to remain undetected during its intrusions. Its toolset includes a malicious program called StarProxy, launched via DLL sideloading, which uses a fake TLS protocol to proxy traffic to the command-and-control server.
The group also uses a detection-evasion tool called SplatCloak, a Windows kernel driver that lets the threat actor disable kernel-level EDR-related routines implemented by Windows Defender [2]. Other researchers have documented Twill Typhoon using additional techniques to evade other EDR solutions as well [3].
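One practical consequence of the "fake TLS" transport is that traffic on port 443 can carry a valid-looking TLS record header with a body that is not TLS at all. The checker below is an added example written for this bulletin, not code from the original page or from the referenced researchers; the page does not describe StarProxy's exact wire format, so the sample bytes are constructed and the check is purely structural: it parses the first client record of a connection as a TLS ClientHello and reports every field that does not fit the TLS handshake layout. A clean result means "structurally a ClientHello", nothing more; a custom protocol that fully mimics a ClientHello would pass this filter, so treat findings as a triage signal rather than a signature.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}   # SSL 3.0 / TLS 1.0-1.2 record layer
CLIENT_VERSIONS = {0x0301, 0x0302, 0x0303}           # legacy_version values seen in real ClientHellos


def build_client_hello(cipher_suites=(0x1301, 0x1302, 0xC02F), extensions=b""):
    """Constructed, well-formed ClientHello used as the 'real TLS' sample."""
    body = struct.pack(">H", 0x0303) + bytes(range(32))  # client_version + 32-byte 'random' (fixed here)
    body += b"\x00"                                      # empty session_id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                  # one compression method: null
    if extensions:
        body += struct.pack(">H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack(">HH", 0x0301, len(handshake)) + handshake


# Constructed 'fake TLS' sample: a correct 5-byte record header and handshake header
# wrapping a body that is not a ClientHello (hypothetical tunnel framing, not StarProxy's).
_fake_body = b"\x00\x00\x00\x01" + b"A" * 40
_fake_hs = bytes([CLIENT_HELLO]) + len(_fake_body).to_bytes(3, "big") + _fake_body
FAKE_TLS_SAMPLE = bytes([TLS_HANDSHAKE]) + struct.pack(">HH", 0x0301, len(_fake_hs)) + _fake_hs


def client_hello_anomalies(data: bytes) -> list:
    """Return a list of structural problems with `data` read as one TLS record carrying a
    ClientHello. An empty list means the record parses cleanly as a ClientHello."""
    findings = []
    if len(data) < 5:
        return ["record shorter than 5-byte TLS header"]
    ctype, rver, rlen = struct.unpack(">BHH", data[:5])
    if ctype != TLS_HANDSHAKE:
        findings.append(f"record type 0x{ctype:02x} is not handshake (0x16)")
    if rver not in RECORD_VERSIONS:
        findings.append(f"record version 0x{rver:04x} is not an SSL/TLS version")
    rec = data[5:]
    if rlen != len(rec):
        findings.append(f"record length field {rlen} != {len(rec)} bytes present")
        return findings
    if len(rec) < 4 + 2 + 32 + 1:   # handshake hdr + version + random + session_id length
        findings.append("handshake too short for a ClientHello")
        return findings
    hs_type, hs_len = rec[0], int.from_bytes(rec[1:4], "big")
    if hs_type != CLIENT_HELLO:
        findings.append(f"handshake type 0x{hs_type:02x} is not ClientHello (0x01)")
    if hs_len != len(rec) - 4:
        findings.append(f"handshake length {hs_len} != {len(rec) - 4}")
    body = rec[4:]
    cver = struct.unpack(">H", body[:2])[0]
    if cver not in CLIENT_VERSIONS:
        findings.append(f"client_version 0x{cver:04x} is not a TLS version")
    pos = 2 + 32                                    # skip client_version and random
    sid_len = body[pos]
    pos += 1
    if sid_len > 32 or pos + sid_len > len(body):
        findings.append(f"session_id length {sid_len} invalid")
        return findings
    pos += sid_len
    if pos + 2 > len(body):
        findings.append("truncated before cipher_suites")
        return findings
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len < 2 or cs_len % 2 or pos + cs_len > len(body):
        findings.append(f"cipher_suites length {cs_len} invalid")
        return findings
    pos += cs_len
    if pos + 1 > len(body):
        findings.append("truncated before compression_methods")
        return findings
    cm_len = body[pos]
    pos += 1
    if cm_len < 1 or pos + cm_len > len(body):
        findings.append(f"compression_methods length {cm_len} invalid")
        return findings
    pos += cm_len
    rest = body[pos:]
    if rest and (len(rest) < 2 or struct.unpack(">H", rest[:2])[0] != len(rest) - 2):
        findings.append("extensions length does not match trailing bytes")
    return findings


if __name__ == "__main__":
    print("real  :", client_hello_anomalies(build_client_hello()))
    print("fake  :", client_hello_anomalies(FAKE_TLS_SAMPLE))
```

To apply this to live captures, feed `client_hello_anomalies` the first record the client sends on each flow to port 443 (for example from a PCAP parsed with a library of your choice) and review flows that produce findings alongside the process that opened them; DLL sideloading means the parent executable will often be a legitimate signed binary, so the unsigned DLL in its directory is the artifact to look for on the host side.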
Assessment
Twill Typhoon is one of the most sophisticated cyber espionage groups. It conducts cyber espionage to further China's national security objectives, but those objectives include industrial espionage and attempts to gain insider information to win tenders and bids. Truesec has previously handled incidents involving Twill Typhoon attacking organizations in the Nordic region, including companies in the manufacturing and mining industries.
The ongoing trade war between the USA and China, and the US administration's tariffs that have disrupted global trade, will likely make China even more interested in gathering intelligence that can help it win the economic war with the USA.
References
[1] https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1
[2] https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p2
[3] https://www.trendmicro.com/en_us/research/25/b/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html