The China-linked threat actor known as Salt Typhoon has been observed deploying a new backdoor called 'GhostSpider' in its ongoing campaign targeting telecommunication service providers (TSPs).
GhostSpider is a modular backdoor well suited to long-term espionage operations. It is deployed using DLL hijacking and registered as a legitimate service via 'regsvr32.exe', while its encrypted payload is loaded into memory by a secondary loader. Its encryption and the fact that it runs solely in memory make it difficult for anti-virus software to detect.
Once installed, GhostSpider is capable of exfiltrating information, loading additional malicious modules, and performing other tasks such as removing itself from memory to increase its stealth. These functions are executed on instructions received from its command and control (C2) server; the instructions are concealed within HTTP headers or cookies so that the traffic blends in with legitimate web traffic.
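The deployment pattern described above (a DLL registered via regsvr32.exe from a location a hijacked DLL would plausibly occupy) is something process-creation telemetry can surface. The following is an added detection example, not code from the report or from Field Effect; it assumes a constructed key=value log format, a hypothetical allow-list of trusted install directories, and constructed sample events.

```python
import re
from collections import namedtuple

# Directories from which legitimate regsvr32 registrations are normally expected.
# This allow-list is an assumption for the example; tune it to the environment.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
Finding = namedtuple("Finding", "ts host parent dll silent")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted or bare command-line tokens

def tokens(cmdline):
    """Split a Windows command line, unquoting "..." arguments."""
    return [q or bare for q, bare in TOKEN_RE.findall(cmdline)]

def trusted_path(path):
    path = path.lower()
    return any(path.startswith(d + "\\") for d in TRUSTED_DIRS)

def assess(event):
    """Return a Finding when regsvr32 registers a DLL from outside TRUSTED_DIRS, else None.
    A DLL registered from a user-writable directory is how a hijacked or side-loaded DLL
    shows up in process telemetry; the silent flag (/s) is recorded to help triage."""
    if not event.get("image", "").lower().endswith("\\regsvr32.exe"):
        return None
    args = tokens(event.get("cmdline", ""))[1:]  # drop the program name itself
    switches = {a.lower() for a in args if a[:1] in "/-"}
    for dll in (a for a in args if a[:1] not in "/-"):
        if not trusted_path(dll):
            return Finding(event["ts"], event["host"], event["parent"], dll, "/s" in switches)
    return None

def parse_event(line):
    """Parse one 'key=value|key=value' process-creation record (constructed format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def scan(log_text):
    """Run assess() over every non-empty line; return findings in log order."""
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [f for f in map(assess, events) if f]

# Constructed sample events (not real telemetry): a vendor install, two user-writable paths, one unrelated process.
SAMPLE_LOG = r"""
ts=2024-11-25T09:14:02Z|host=wks-07|parent=C:\Windows\System32\msiexec.exe|image=C:\Windows\System32\regsvr32.exe|cmdline=regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"
ts=2024-11-25T09:15:41Z|host=wks-07|parent=C:\Windows\explorer.exe|image=C:\Windows\SysWOW64\regsvr32.exe|cmdline=regsvr32.exe /s C:\ProgramData\Update\netutils.dll
ts=2024-11-25T09:16:10Z|host=srv-02|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\regsvr32.exe|cmdline=regsvr32 "C:\Users\svc_bk\AppData\Local\Temp\loader.dll"
ts=2024-11-25T09:17:33Z|host=srv-02|parent=C:\Windows\System32\svchost.exe|image=C:\Windows\System32\notepad.exe|cmdline=notepad.exe
"""

for f in scan(SAMPLE_LOG):
    print(f"{f.ts} {f.host}: regsvr32 loaded {f.dll} (parent {f.parent}, silent={f.silent})")
```

The parent process and silent flag are carried into each finding because a registration launched from a shell rather than an installer, or silenced with /s, is the context an analyst needs to decide whether the in-memory payload loading described above has followed.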
In addition to the new backdoor, Salt Typhoon was also observed using previously identified tools such as Masol RAT (a Linux backdoor), the Demodex rootkit, and a modular backdoor called SnappyBee that is shared among several China-linked threat actors.
Salt Typhoon primarily used GhostSpider in attacks targeting Southeast Asia-based TSPs while SnappyBee was reserved for attacks targeting the Taiwanese government and chemical producers. Both campaigns also relied on the Demodex rootkit to maintain persistence.
Salt Typhoon is known to gain initial access to networks of interest by exploiting multiple vulnerabilities in public-facing endpoints such as VPNs, firewalls, and Exchange servers. The group then uses native tools for lateral movement and to gather data for exfiltration.
Source: Bleeping Computer
Analysis
The deployment of the GhostSpider backdoor is a new development in Salt Typhoon’s campaign targeting global TSPs, Internet Service Providers (ISP), and critical infrastructure. As detailed in Field Effect’s recently released analysis, Unsecured lines: Analyzing China’s cyberattack on U.S. telecoms, this campaign poses a significant risk and could have a major impact on the national security of countries in which these victims are located.
Salt Typhoon is one of the most aggressive cyber threat groups emanating from China given its high pace of operations, high-profile compromises, and impact on global security. Thus, it is important that organizations fitting the group’s targeting profile (e.g. TSPs, ISPs, critical infrastructure) deploy adequate security controls to ensure the risk posed by Salt Typhoon is mitigated to the fullest extent possible.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from nation-state threat actors like Salt Typhoon. Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Given this recent malicious activity, TSPs, ISPs, and Taiwan and U.S.-based critical infrastructure organizations should implement strict security measures, including enabling multi-factor authentication, logging, traffic monitoring, and providing employees with anti-phishing training.