Timitator: Next-generation hackers attack China's critical infrastructure

Father

Rust-based software, fake signatures, and a connection to OceanLotus. What else will the group surprise us with?

Between 2022 and 2023, the Timitator cybercriminal group actively attacked Chinese energy, scientific and military institutions. The attacks relied on phishing and other methods aimed at compromising the target systems.

The Timitator group used various malicious file formats, such as ".exe", ".chm", ".iso" and ".lnk". Once the infected files were launched, the first stage downloaded CobaltStrike to establish a stable connection; custom malicious code was then delivered through it, allowing the operators to assess the network and develop an individual attack plan for each infected device.

Recently, the Xunxinfo lab recorded a new batch of phishing samples from Timitator. Instead of CobaltStrike, they used a remote management tool written in Rust. Some of these files carried fake Microsoft signatures and descriptions that disguised them as legitimate software.

The Timitator group consistently uses the DLL sideloading technique, pairing legitimate programs with malicious libraries. For example, a malicious WTSAPI32.dll was loaded alongside the NitroSense temperature control utility, and a malicious Log.dll alongside Bitdefender antivirus. These malicious libraries were protected by the VMP packer, but because they lacked a legitimate signature, their effectiveness against antivirus products was reduced.

During the analysis, it was found that the first-stage shellcode loader matches samples previously attributed to another hacker group, OceanLotus. This indicates a possible relationship between Timitator and OceanLotus.

Meanwhile, Timitator continues to actively attack key Chinese institutions, adapting its methods and tools to bypass modern security systems. The use of new Rust-based tools, together with the forgery of signatures, indicates a high degree of preparedness and ingenuity on the part of the attackers.
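A defender-side check for the two patterns described above (DLL sideloading next to a legitimate executable, and "Microsoft" version information without a valid Microsoft Authenticode signature), as an added example that is not part of the original post or of any vendor report. The `$Root` path and the watch-list of DLL names are assumptions; the names themselves (WTSAPI32.dll, Log.dll) come from the post.

```powershell
# Added example: hunt for sideloading candidates on a Windows host.
# For every .exe under $Root, inspect the DLLs in the same folder and flag one when
#   (a) its version resource claims Microsoft but Authenticode does not verify to a
#       Microsoft signer (the fake-signature/description pattern), or
#   (b) it has a name reported in sideloading and is not validly signed at all.
# $Root and $WatchNames are assumed parameters, not values from the post.
param(
    [string]$Root = 'C:\Program Files',
    [string[]]$WatchNames = @('WTSAPI32.dll', 'Log.dll')   # names mentioned in the post
)

$findings = foreach ($exe in Get-ChildItem -Path $Root -Recurse -Filter *.exe -ErrorAction SilentlyContinue) {
    foreach ($dll in Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -ErrorAction SilentlyContinue) {
        $sig     = Get-AuthenticodeSignature -FilePath $dll.FullName
        $company = $dll.VersionInfo.CompanyName
        $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $claimsMicrosoft = [bool]$company -and ($company -match 'Microsoft')
        $validMicrosoft  = ($sig.Status -eq 'Valid') -and ($signer -match 'Microsoft')

        $reason = $null
        if ($claimsMicrosoft -and -not $validMicrosoft) {
            $reason = 'Version info claims Microsoft but no valid Microsoft Authenticode signature'
        } elseif (($WatchNames -contains $dll.Name) -and ($sig.Status -ne 'Valid')) {
            $reason = 'Watch-listed DLL name beside an executable, signature not Valid'
        }

        if ($reason) {
            [pscustomobject]@{
                Executable = $exe.FullName
                Dll        = $dll.FullName
                Company    = $company
                SigStatus  = $sig.Status
                Signer     = $signer
                Reason     = $reason
            }
        }
    }
}

# A folder with several executables reports the same DLL once.
$findings | Sort-Object Dll -Unique | Format-Table -AutoSize
```

Hits are leads for triage, not verdicts: a legitimately unsigned third-party DLL or a packed vendor component will also appear, so compare the flagged file's hash and load path against the vendor's shipped manifest before acting.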