In a significant shift in tactics, a Chinese cyberespionage group historically known for infiltrating Microsoft Exchange servers has turned its attention towards targeting databases. This threat actor, recently dubbed “Phantom Taurus” by researchers from Palo Alto Networks’ Unit 42, has been actively involved in cyber activities affecting geopolitical events across Africa, the Middle East, and Asia. The group’s recent operations have highlighted a continued evolution in their hacking strategies, moving from email surveillance to more direct data extraction from databases.
Palo Alto’s Unit 42 has identified that Phantom Taurus shares some infrastructure with other well-known Chinese nation-state groups, such as APT27 and Winnti. Despite these shared attributes, Phantom Taurus operates with distinct components that suggest a level of operational separation within this network. This indicates a sophisticated approach to cyber espionage, utilizing both common tools like the China Chopper web shell and customized malware such as the newly identified “Net-Star.”
Net-Star is a .NET malware suite specifically designed to target Microsoft Internet Information Services (IIS) web servers. It employs a fileless backdoor, known as IIServerCore, which operates within the IIS server’s w3wp.exe process. This sophisticated malware suite allows the threat actor to maintain persistence and execute further malicious activities in a stealthy manner, making detection challenging.
The group’s shift in focus is further exemplified by their use of a script named mssq.bat, which facilitates direct access to SQL Server databases. By using credentials stolen in previous attacks, the script enables the execution of database queries and the extraction of valuable data in the form of CSV files. This new tactic underscores the group’s strategic pivot from merely monitoring communications to directly exfiltrating sensitive information from targeted organizations.
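As an added defender-side example, not code from the article or from Unit 42, the following Python triages process-creation records for the two behaviours described above: a shell spawned from the IIS worker process w3wp.exe (where IIServerCore runs) and a batch-driven SQL client run that writes CSV output (the mssq.bat pattern). The event schema, tool lists and sample records are constructed assumptions.

```python
from dataclasses import dataclass

# Shells an in-process IIS implant or web shell would typically spawn (assumption).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line SQL clients a batch file such as mssq.bat could drive (assumption).
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed schema, Sysmon Event ID 1 style)."""
    host: str
    parent_image: str
    parent_command_line: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Return (rule, host, command_line) for every event that matches a rule."""
    findings = []
    for ev in events:
        parent, child = _basename(ev.parent_image), _basename(ev.image)
        # Rule 1: the IIS worker process has no business launching a shell;
        # a fileless backdoor hosted inside w3wp.exe does exactly that.
        if parent == "w3wp.exe" and child in SHELLS:
            findings.append(("iis_worker_spawned_shell", ev.host, ev.command_line))
        # Rule 2: a .bat-driven SQL client whose output is redirected to a CSV
        # file, the shape of the database-dump step described above.
        batch_parent = parent == "cmd.exe" and ".bat" in ev.parent_command_line.lower()
        if child in SQL_CLIENTS and batch_parent and ".csv" in ev.command_line.lower():
            findings.append(("batch_sql_export_to_csv", ev.host, ev.command_line))
    return findings


# Constructed sample telemetry: two suspicious and two benign records.
SAMPLE_EVENTS = [
    ProcEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe", 'w3wp.exe -ap "DefaultAppPool"',
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("web01", r"C:\Windows\System32\svchost.exe", "svchost.exe -k iissvcs",
              r"C:\Windows\System32\inetsrv\w3wp.exe", 'w3wp.exe -ap "DefaultAppPool"'),
    ProcEvent("db01", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Temp\mssq.bat",
              r"C:\Tools\sqlcmd.exe", r'sqlcmd.exe -S db01 -U svc_app -Q "SELECT * FROM dbo.Customers" -s , -o C:\Temp\out.csv'),
    ProcEvent("db01", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Jobs\nightly.bat",
              r"C:\Tools\sqlcmd.exe", r"sqlcmd.exe -S db01 -E -i C:\Jobs\maintenance.sql"),
]

if __name__ == "__main__":
    for rule, host, cmd in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

Running the block prints the two suspicious records (the shell under w3wp.exe on web01 and the CSV export on db01) and stays silent on the benign ones.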
The existence of Phantom Taurus was first noted by Unit 42 in June 2023, when unusual activity was detected on an Exchange server. Subsequent investigations revealed the use of an in-memory VBScript implant linked to the threat actor. Further connections to Chinese cyber operations were established in May 2024, following the deployment of backdoors suspected to be based on Ghost RAT’s source code. This malware, associated with past Chinese cyber campaigns, underscores the persistent and evolving threat posed by Phantom Taurus and similar groups in the realm of cyberwarfare and espionage.
