An advanced persistent threat (APT) group, named Grayling by Symantec's cybersecurity unit, has been identified as a new threat to organizations in Taiwan, the US, and Vietnam. The group has been active between February and May 2023, with the majority of its targets being Taiwanese organizations across biomedical, IT, and manufacturing sectors. A government entity in the Asia-Pacific region was also targeted.
While Symantec could not definitively trace Grayling back to a specific geographical location, the heavy targeting of Taiwanese organizations suggests that the group likely operates from a region with strategic interests in Taiwan, which often implies a potential link to China.
In its modus operandi, Grayling appears to exploit web-facing assets for initial access, and uses a unique DLL sideloading technique to deploy a mix of custom malware and publicly available tools. In some instances, the threat actor deployed web shells before executing additional payloads. The tools observed included Havoc, Cobalt Strike, NetSpy, Mimikatz, various downloaders, and an unidentified payload.
Grayling was also seen exploiting a Windows vulnerability, CVE-2019-0803, a privilege escalation bug activated when the Win32k component fails to handle objects in memory correctly. Post gaining initial access to a victim’s environment, Grayling employed DLL sideloading through an exported API SbieDll_Hook to run various post-exploitation tools. The use of both custom and publicly available tools is a common trait among APTs as it enables them to bypass protections, remain undetected, and hinder attribution.
Symantec also pointed out that it is easier for attackers to use readily available tools rather than developing their own with similar features. They also noted that Grayling seemed keen on remaining undetected, as evidenced by the killing of processes to prevent detection. Even though no data exfiltration was observed, the activity and tools deployed suggest that the primary motivation behind this activity is intelligence gathering. The targeted sectors – manufacturing, IT, biomedical, and government – are typically targeted for intelligence gathering rather than financial gains.