
Image: Yan Ke (unsplash)
An extended cyber espionage operation by suspected Chinese actors has been observed, with South Korean academic, political, and government entities as its primary targets.
Insikt Group of Recorded Future, which tracks this activity as TAG-74, has linked the group to China’s military intelligence. The group reportedly poses a significant risk to the academic, aerospace, defense, government, and political sectors in countries including South Korea, Japan, and Russia.
The security company interprets the specific attention to South Korean academic institutions as consistent with China’s broader efforts to acquire intellectual property and expand its influence, and as further shaped by South Korea’s strategic alignment with the U.S.
TAG-74 relies on social engineering that uses Microsoft Compiled HTML Help (CHM) files as lures. The CHM file delivers a modified version of ReVBShell, an open-source Visual Basic Script backdoor, which in turn acts as the stager for the Bisonal remote access trojan.
ReVBShell includes a sleep feature: a command from the remote command-and-control (C2) server sets how long the implant stays inactive, and the server can adjust that duration as required. To obscure its C2 communication, the tool Base64-encodes the traffic.
ReVBShell’s use has been associated with two additional groups believed to have ties to China, specifically Tick and Tonto Team. The latter group was recognized by the AhnLab Security Emergency Response Center (ASEC) in April 2023 for using an identical pattern of malware deployment.
Bisonal is versatile in nature, capable of collecting data about processes and files, executing commands, terminating processes, managing file transfers, and removing specific files from a system.
The report also notes a distinct relationship between TAG-74 and Tick, further underlining the recurring pattern of shared tooling among these suspected Chinese cyber entities.
Recorded Future stated that TAG-74’s activities offer insight into its persistent intelligence-collection objectives aimed at South Korean interests.
With their sustained focus on South Korean institutions over a significant period, and given the probable operational domain of the Northern Theater Command, it’s anticipated that TAG-74 will maintain their active role in long-term intelligence collection, not just in South Korea, but also in Japan and Russia.