
Chinese Espionage Group Using Ransomware in Asian Campaigns

ChamelGang Actors Used CatB Ransomware to Evade Attribution and Analysis

A Chinese cyberespionage group has been using ransomware as a distraction while conducting extensive and persistent espionage activities over the past three years.


Cybersecurity company SentinelOne said the espionage group it tracks as ChamelGang is targeting critical infrastructure organizations in East Asia and India. The group hit 37 organizations between early 2021 and mid-2023; the vast majority of those victims were manufacturing-sector organizations, most of them located in the United States.

But the group shifted its focus to Asia in the past few years, targeting government and private organizations in Japan and Taiwan, an aviation company on the Indian subcontinent, and regional healthcare and manufacturing organizations. The group also mounted ransomware attacks on India's premier healthcare institute and on the presidency of Brazil. The incident in India fractured diplomatic relations between India and China (see: Ransomware Disrupts Indian Premier Hospital for 2nd Day).

By deploying ransomware that encrypts victim files and demands payment for decryption, these groups create immediate chaos and urgency inside the targeted organizations. The diversion draws defenders' attention away from the primary objective: extensive espionage in the compromised networks. The attackers also use privacy-oriented communication channels such as ProtonMail to conduct the espionage stealthily.

The group uses a ransomware tool called CatB to conceal its cyberespionage focus.

In an attack, ChamelGang plants new variants of BeaconLoader that masquerade as Windows services or other software components and reside in the system root folder. BeaconLoader loads Cobalt Strike, which lets the attackers run reconnaissance commands, deploy additional tools and exfiltrate files.

SentinelLabs said BeaconLoader implements control flow obfuscation and a modified XOR-based string obfuscation scheme to evade static-analysis detection during the early stages of infection. The group also deploys publicly available hacking tools, such as SmartAssembly-protected SweetPotato and SharpToken executables for privilege escalation, and the Go-based fast reverse proxy (frp) for routing malicious traffic. Finally, the group uses Microsoft BitLocker and Jetico BestCrypt, both legitimate full-disk encryption utilities, to encrypt endpoints as a means to demand ransom.
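The article says BeaconLoader hides its strings behind a modified XOR scheme to defeat static analysis, but it does not describe that scheme. The following is an added example, not code from SentinelLabs or from the malware: it uses a plain repeating-key XOR to show why a `strings`-style scan finds nothing in the obfuscated buffer, and how an analyst recovers the key with a known-plaintext "crib" once one likely string is guessed. The sample strings, the 3-byte key and the NUL-separated table layout are all constructed for illustration.

```python
#!/usr/bin/env python3
"""Repeating-key XOR string obfuscation, the static-scan blind spot it creates,
and crib-based key recovery. Constructed example for this article; it is NOT
ChamelGang's actual scheme, which the report only calls 'modified XOR-based'."""
from typing import List, Optional

# Constructed sample of the kind of strings a loader hides from static analysis.
SAMPLE_STRINGS = [
    "cmd.exe /c whoami",
    "rundll32.exe",
    "C:\\Windows\\svchost-helper.dll",  # hypothetical masquerading path
]
SAMPLE_KEY = bytes([0x5A, 0x3C, 0x91])  # constructed 3-byte key


def xor_obfuscate(plaintext: str, key: bytes) -> bytes:
    """Repeating-key XOR: byte i is XORed with key[i % len(key)]."""
    data = plaintext.encode()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_deobfuscate(blob: bytes, key: bytes) -> str:
    """Inverse of xor_obfuscate (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob)).decode("latin-1")


def build_blob(strings: List[str], key: bytes) -> bytes:
    """Pack strings as a NUL-separated table and obfuscate it as one buffer,
    roughly how a loader's data section might carry its string table."""
    return xor_obfuscate("\x00".join(strings), key)


def strings_scan(blob: bytes, min_len: int = 6) -> List[str]:
    """Emulate the `strings` utility: runs of printable ASCII of min_len or more."""
    found, run = [], bytearray()
    for b in blob + b"\x00":  # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode())
            run = bytearray()
    return found


def _all_plausible(text: bytes) -> bool:
    """Decoded string table should be only NUL separators and printable ASCII."""
    return all(b == 0 or 0x20 <= b < 0x7F for b in text)


def recover_key_by_crib(blob: bytes, crib: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext attack. Slide `crib` over the blob; at each offset derive
    the key bytes it pins down, reject offsets where repeated key slots disagree,
    and accept the first candidate that decodes the whole blob plausibly.
    Requires len(crib) >= key_len so every key slot is determined."""
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    for off in range(len(blob) - len(crib) + 1):
        cand: List[Optional[int]] = [None] * key_len
        consistent = True
        for j, c in enumerate(crib):
            k = blob[off + j] ^ c
            slot = (off + j) % key_len
            if cand[slot] is None:
                cand[slot] = k
            elif cand[slot] != k:
                consistent = False
                break
        if not consistent:
            continue
        key = bytes(cand)  # every slot filled because len(crib) >= key_len
        if _all_plausible(bytes(b ^ key[i % key_len] for i, b in enumerate(blob))):
            return key
    return None


if __name__ == "__main__":
    blob = build_blob(SAMPLE_STRINGS, SAMPLE_KEY)
    print("strings on plaintext :", strings_scan("\x00".join(SAMPLE_STRINGS).encode()))
    print("strings on obfuscated:", strings_scan(blob))
    key = recover_key_by_crib(blob, b"cmd.exe", key_len=3)
    print("recovered key        :", key.hex() if key else None)
    if key:
        print("decoded table        :", xor_deobfuscate(blob, key).split("\x00"))
```

Because one key byte (0x91) sets the high bit of every third character, no printable run ever reaches the default length threshold, which is exactly the blind spot the obfuscation is designed to create; the crib attack works because a loader still has to contain predictable strings such as `cmd.exe`. Real samples add layers (the "modified" in the report), so treat this as the baseline an analyst adapts, not a decoder for ChamelGang's binaries.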


About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.



