The attackers abuse legitimate cloud computing services to host and manage their malware and to run a multi-stage attack chain designed to evade detection systems. This lets them spread malware across the victim's network, install remote-control tools, take over devices, and steal or delete sensitive information.
The campaign targets government agencies and heavy industrial organizations in many countries and territories in the Asia-Pacific (APAC) region, including Taiwan (China), Malaysia, China, Japan, Thailand, Hong Kong (China), South Korea, Singapore, the Philippines and Vietnam.
The attackers use malicious files disguised as tax-related documents, distributed through phishing email campaigns and messaging apps such as WeChat and Telegram. Once the multi-layered installation chain has run on the system, the attackers deploy a malware called FatalRAT.
To avoid detection and blocking, the attackers use a range of techniques. They frequently change their command-and-control servers and payloads to make tracing harder. They host malware on legitimate websites to get past security controls, exploit vulnerabilities in legitimate software to launch the attack, and abuse legitimate functionality of software to execute the malware. They also encrypt messages and network traffic to hide anomalous activity.
Kaspersky named the campaign SalmonSlalom to describe how the attackers skillfully bypass cyber defenses with sophisticated tactics and constantly change their approach, much like a salmon leaping up a waterfall, an arduous journey that requires endurance and skill to overcome obstacles.
To proactively protect heavy industrial organizations from this attack, Kaspersky recommends the following measures:
- Keep two-factor authentication (2FA) enabled and required for logging into administrative accounts and the web interfaces of security solutions.
- Install the latest version of a centrally managed security solution across the whole system, and regularly update its anti-virus databases and program modules.
- Make sure all components of the security solution are enabled on every system. In addition, establish a security policy that prevents disabling, stopping or removing protection components without entering the administrator password.
- Keep the latest threat information updated on groups of systems that are restricted by law from using cloud security services.
- Update the operating system and applications to the latest versions released by the vendor, and install security patches to minimize the risk of vulnerability exploitation.
- Deploy a reputable security information and event management (SIEM) system.
- Use EDR/XDR/MDR solutions to establish a baseline for monitoring the process hierarchy in the OT (operational technology) environment. This recommendation matters because, in this campaign, a legitimate function of a legitimate file was abused to execute the malicious payload in the later stages.
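The last recommendation rests on the idea that a process which looks legitimate on its own (a real, correctly named file) stands out only when you look at where it runs from and what launched it. The following is an added example, written for this article and not code from Kaspersky or from the report, showing what such a process-hierarchy check looks like over a constructed set of process-creation events. The delivery applications, trusted and user-writable directory prefixes, Windows system file names, and the sample process tree (a messaging app launching a "tax return" executable that in turn launches a renamed binary from a roaming profile) are all assumptions for illustration, not artifacts from the campaign.

```python
"""Process-hierarchy check: flag processes by ancestry and image location.

Added example for this article; not code from Kaspersky. All names, paths and
sample events below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str  # full image path of the executable

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    pid: int
    rule: str
    chain: List[str] = field(default_factory=list)  # root ... process names


# Assumed directory classes (Windows-style paths, compared case-insensitively).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed entry points matching the delivery channels the article names
# (messaging apps and document lures).
DELIVERY_APPS = {"wechat.exe", "telegram.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Legitimate Windows file names that should only run from system directories.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe", "rundll32.exe", "dllhost.exe"}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Tencent\WeChat\WeChat.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\tax_return_2024.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Roaming\update\svchost.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 700, "ppid": 100, "image": r"C:\Users\alice\Downloads\7zFM.exe"},
]


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def is_trusted(path: str) -> bool:
    # C:\Windows\Temp is under C:\Windows, so the user-writable check wins.
    return path.lower().startswith(TRUSTED_PREFIXES) and not is_user_writable(path)


def build_tree(events: List[dict]) -> Dict[int, Proc]:
    return {e["pid"]: Proc(**e) for e in events}


def ancestors(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Return the names of a process's ancestors, root first.

    Walks ppid links and stops at a missing parent or a cycle.
    """
    chain: List[str] = []
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.ppid in procs and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = procs[cur.ppid]
        chain.append(cur.name)
    return list(reversed(chain))


def find_suspicious(events: List[dict]) -> List[Finding]:
    """Apply two hierarchy/location rules to every process in the tree."""
    procs = build_tree(events)
    findings: List[Finding] = []
    for p in procs.values():
        chain = ancestors(procs, p.pid) + [p.name]
        # Rule 1: a legitimate system file name running outside system dirs.
        if p.name in SYSTEM_NAMES and not is_trusted(p.image):
            findings.append(Finding(p.pid, "system-name-outside-system-dir", chain))
        # Rule 2: an executable in a user-writable path whose ancestry
        # includes a delivery application (messaging or document app).
        if is_user_writable(p.image) and any(a in DELIVERY_APPS for a in chain[:-1]):
            findings.append(Finding(p.pid, "user-writable-exe-under-delivery-app", chain))
    return findings


def summarize(events: List[dict]) -> Dict[int, List[str]]:
    """Map each flagged pid to the sorted list of rules it triggered."""
    out: Dict[int, List[str]] = {}
    for f in find_suspicious(events):
        out.setdefault(f.pid, []).append(f.rule)
    return {pid: sorted(rules) for pid, rules in out.items()}


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule}  ({' -> '.join(f.chain)})")
```

On the sample tree, the 7-Zip copy launched directly from explorer.exe is not flagged even though it runs from the user's profile, while the "tax return" executable is flagged because a messaging app sits in its ancestry, and the relocated svchost.exe trips both rules. The point is the baseline: the same file names are fine or suspicious depending on their parent chain and location, which is why the article's last recommendation stresses monitoring the process hierarchy rather than individual files.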