Between 2022 and 2023, the threat group Timitator actively attacked Chinese energy, scientific-research, and military institutions, using phishing and other methods to compromise target systems. (Source: CTFIOT)
Timitator delivered its payloads in a variety of file formats, including .exe, .chm, .iso, and .lnk. Once a victim opened the file, the group used Cobalt Strike to establish a stable command-and-control connection, then loaded custom malicious code to survey the network and tailor a separate attack plan for each infected host.
Recently, the Xunxinfo laboratory discovered a new batch of Timitator phishing malware samples. Instead of Cobalt Strike, these used a remote access tool written in Rust. Some of the files carried forged Microsoft signatures and file descriptions to pass as legitimate software.
Timitator consistently relies on DLL sideloading, pairing a legitimate, signed program with a malicious library that the program loads by name from its own directory. Examples include a malicious WTSAPI32.dll placed beside the Nitrosens temperature control software and a malicious log.dll placed beside a Bitdefender antivirus executable. The malicious libraries were packed with VMProtect (VMP), but without a legitimate code signature their ability to evade antivirus products was reduced.
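The two traits described above, forged Microsoft branding on unsigned files and VMProtect-packed DLLs dropped beside a signed host program, can be triaged offline from PE headers alone. The following script is an added example, not code from the original report or from any vendor: it walks the PE32/PE32+ header to find the Authenticode certificate table and section table, measures per-section entropy, and pairs every EXE with the DLLs in its directory. All file paths, the packed and clean section contents, and the placeholder certificate blob are constructed for the demo; checking only for the presence of a certificate table tells you whether a file is signed at all, not whether the signature is valid, so a hit is a lead for signtool or WinVerifyTrust, not a verdict.

```python
from __future__ import annotations
import math
import random
import struct

IMAGE_FILE_DLL = 0x2000
SECURITY_DIRECTORY = 4        # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode table)
PACKED_ENTROPY = 7.0          # bits/byte; VMProtect output sits close to 8.0
MS_MARKER = "Microsoft Corporation".encode("utf-16-le")  # CompanyName as stored in VS_VERSIONINFO


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: DLL flag, certificate table, section entropies."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    cert_off = cert_size = 0
    if nrva > SECURITY_DIRECTORY:   # security entry holds a file offset, not an RVA
        cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 8 * SECURITY_DIRECTORY)
    sections = []
    sh = opt + opt_size
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sh + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "entropy": round(entropy(raw), 2)})
    return {"is_dll": bool(chars & IMAGE_FILE_DLL),
            "has_cert_table": cert_off != 0 and cert_size != 0,
            "sections": sections}


def triage(data: bytes) -> list[str]:
    """Flags worth raising on a suspected sideloaded DLL; empty list means nothing found."""
    pe = parse_pe(data)
    flags = []
    if not pe["has_cert_table"]:
        flags.append("unsigned")
        if MS_MARKER in data:            # Microsoft branding with no certificate at all
            flags.append("claims-microsoft-but-unsigned")
    for s in pe["sections"]:
        if s["name"].startswith(".vmp") or s["entropy"] >= PACKED_ENTROPY:
            flags.append(f"packed-section:{s['name']}")
    return flags


def find_sideload_candidates(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Pair each EXE with the DLLs in its directory; report unsigned, packed DLLs.
    `files` maps a path to file bytes so the check runs on constructed input."""
    by_dir: dict[str, list[tuple[str, str, bytes]]] = {}
    for path, data in files.items():
        d, _, name = path.replace("\\", "/").rpartition("/")
        by_dir.setdefault(d, []).append((name, path, data))
    results = {}
    for entries in by_dir.values():
        if not any(n.lower().endswith(".exe") for n, _, _ in entries):
            continue                     # no host binary to sideload into
        for name, path, data in entries:
            if not name.lower().endswith(".dll"):
                continue
            flags = triage(data)
            if "unsigned" in flags and any(f.startswith("packed-section:") for f in flags):
                results[path] = flags
    return results


def build_pe(sections: list[tuple[bytes, bytes]], is_dll: bool, signed: bool) -> bytes:
    """Constructed minimal PE32+ image for the demo; headers only, not a runnable binary."""
    opt_size = 240                      # PE32+ optional header with 16 data directories
    align = lambda n: (n + 511) // 512 * 512
    ptr = align(0x40 + 4 + 20 + opt_size + 40 * len(sections))
    layout = []
    for name, body in sections:         # raw section data after the headers, 512-aligned
        layout.append((name, body, ptr))
        ptr = align(ptr + len(body))
    cert = struct.pack("<IHH", 24, 0x0200, 0x0002) + b"\0" * 16 if signed else b""  # placeholder WIN_CERTIFICATE
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE [| DLL]
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIRECTORY, ptr, len(cert))
    sh = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), len(b), 0x1000 * (i + 1),
                              len(b), off, 0, 0, 0, 0, 0x60000020)
                  for i, (n, b, off) in enumerate(layout))
    img = bytearray(ptr)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sh
    img[:len(hdr)] = hdr
    for _, body, off in layout:
        img[off:off + len(body)] = body
    return bytes(img) + cert


def demo() -> dict[str, list[str]]:
    """Constructed directory listing: a signed host EXE, a Timitator-style DLL, a clean DLL."""
    rng = random.Random(1)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))   # stand-in for VMProtect output
    plain = b"legitimate code path\x00" * 200                 # low-entropy stand-in for real code
    rsrc = b"\0" * 16 + MS_MARKER + b"\0" * 16                 # version-info style resource
    files = {  # hypothetical paths, not from the report
        r"C:\Tools\Nitrosens\Nitrosens.exe": build_pe([(b".text", plain), (b".rsrc", rsrc)], False, True),
        r"C:\Tools\Nitrosens\WTSAPI32.dll": build_pe([(b".vmp0", packed), (b".rsrc", rsrc)], True, False),
        r"C:\Tools\Bitdefender\helper.dll": build_pe([(b".text", plain)], True, True),
    }
    return find_sideload_candidates(files)


if __name__ == "__main__":
    for path, flags in demo().items():
        print(path, flags)
```

On real systems, feed `find_sideload_candidates` the bytes of every EXE and DLL under a suspect program directory; anything it returns should then have its signature actually validated (a file that passes the certificate-table check can still carry a forged or revoked certificate) and its `.vmp` sections inspected for the Rust-based RAT the report describes.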
Analysis also showed that the initial shellcode loading stage in Timitator’s attacks overlaps with samples previously attributed to another group, OceanLotus, which suggests a possible link between the two.
Timitator continues to target key Chinese institutions while adapting its methods and tooling to evade modern defenses; the shift to Rust-based tools and the use of forged signatures show a well-prepared and inventive adversary.