
Grayling APT Targets Organizations Across Industries

In the intricate landscape of cyber threats, a previously unknown assailant has emerged, targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan. The Symantec Threat Hunter Team, operating under Broadcom, has identified this threat actor as Grayling, associating them with a series of advanced persistent threat (APT) attacks that unfolded between February and May 2023.

Distinctive Tactics: DLL Side-Loading Unveiled

Grayling’s approach distinguishes itself through a unique DLL side-loading technique, employing a custom decryptor to deploy payloads. This method serves as a smokescreen, allowing the threat actor to evade security solutions and execute malicious code on Windows operating systems.

The initial breach involves exploiting public-facing infrastructure, followed by the deployment of web shells for persistent access. Grayling’s attack chains utilize DLL side-loading via SbieDll_Hook, loading an array of payloads, including Cobalt Strike, NetSpy, and the Havoc framework, alongside tools like Mimikatz. Notably, Grayling terminates all processes listed in a file called processlist.txt.

A Closer Look at Tactics

DLL side-loading, a favored technique among threat actors, manipulates the Windows operating system to execute malicious code discreetly. By placing a malicious DLL with the same name as a legitimate DLL where the loader looks first, Grayling capitalizes on the DLL search order mechanism so that a legitimate application loads the malicious library, complicating attribution efforts.
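To show the defender's side of the technique just described, here is an added example (not code from the original post or from Symantec's report) that scores Sysmon-style ImageLoad records for the classic side-loading pattern: a system DLL name loaded from outside the system directory, from the loading executable's own folder, unsigned, by a binary running in a user-writable path. The DLL names, paths and sample events are constructed placeholders, not indicators from any report.

```python
"""Flag DLL image-load events that look like DLL search-order side-loading.

Input is a list of constructed Sysmon-style ImageLoad (Event ID 7) records,
not real telemetry.
"""
from pathlib import PureWindowsPath

# DLLs that legitimately live in the system directory; a copy loaded from
# anywhere else is suspicious. Short illustrative list, not exhaustive.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def side_load_indicators(event):
    """Return the list of reasons an ImageLoad event resembles side-loading."""
    image = event["Image"].lower()          # process that loaded the DLL
    loaded = event["ImageLoaded"].lower()   # DLL that was mapped
    reasons = []
    if PureWindowsPath(loaded).name in SYSTEM_DLL_NAMES and not loaded.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name loaded from outside the system directory")
    if PureWindowsPath(loaded).parent == PureWindowsPath(image).parent:
        reasons.append("DLL loaded from the executable's own directory")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    if image.startswith(USER_WRITABLE):
        reasons.append("loader executable runs from a user-writable path")
    return reasons

def triage(events, min_reasons=3):
    """Return (ImageLoaded, reasons) for events with at least min_reasons hits."""
    hits = []
    for event in events:
        reasons = side_load_indicators(event)
        if len(reasons) >= min_reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits

# Constructed sample events with placeholder paths.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\update\legit_signed.exe",
     "ImageLoaded": r"C:\Users\Public\update\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for dll, reasons in triage(SAMPLE_EVENTS):
        print(dll, "->", "; ".join(reasons))
```

Only the second sample event trips the threshold; the first is a normal system load and the third is an application loading its own signed plugin, which a single indicator alone should not flag.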

Upon gaining initial access, Grayling takes multifaceted actions, from privilege escalation to network scanning and employing downloaders. Notably, there is no evidence of data exfiltration, pointing to motives centered around reconnaissance and intelligence gathering.

Attribution and Motivation

Grayling’s strategic use of publicly available tools hints at a deliberate effort to obfuscate attribution, while their emphasis on process termination underscores a priority for evading detection over extended periods. The extensive targeting of Taiwanese organizations suggests a regional nexus, indicating a potential strategic interest in Taiwan.

In the evolving realm of cybersecurity, Grayling represents a formidable and enigmatic player, employing sophisticated tactics to move through compromised environments while keeping its motives, which appear centered on intelligence gathering, largely obscured.
