An advanced cyber espionage operation has been attributed to UTA0388, a newly identified China-aligned threat actor. In its latest campaign, the group deployed a malware family named GOVERSHELL. The campaign relies largely on spear-phishing emails designed to trick recipients into downloading malicious software. Security researchers have documented the sophisticated tactics UTA0388 uses to carry out its intrusions. The finding illustrates the creativity of the new tactics that threat actors continue to develop.
The attack begins with phishing emails sent en masse to the victim’s organization, with links leading to a fraudulent Cloudflare CAPTCHA verification page. On this fraudulent page, users are tricked into downloading a ZIP archive that contains a Windows shortcut file. When the shortcut is opened, a PowerShell script runs. The script opens a decoy business proposal document while silently executing PlugX through DLL side-loading. This multi-layered approach allows UTA0388 to evade conventional defenses.
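As an added detection example (not code from the original article or from Volexity), the following Python flags the shortcut-to-PowerShell step described above in constructed process-creation events, then correlates the children of that PowerShell process: an executable started from a user-writable folder (a side-loading host candidate) and a decoy document opened in Word. The paths, PIDs and file names are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record, shaped like a Sysmon Event ID 1 (constructed)."""
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str

# Paths an ordinary user can write to; a side-loaded DLL needs its host EXE to live here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\|\\ProgramData\\", re.I)
# Flags commonly used when a shortcut launches PowerShell without showing the user a console.
HIDDEN_PS = re.compile(r"-(?:w|win|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\b|-nop\b", re.I)

def hidden_powershell_from_explorer(ev: ProcEvent) -> bool:
    # A double-clicked .lnk is launched by explorer.exe, which becomes powershell.exe's parent.
    return (ev.parent_image.lower().endswith("\\explorer.exe")
            and ev.image.lower().endswith("\\powershell.exe")
            and HIDDEN_PS.search(ev.cmdline) is not None)

def detect_chain(events):
    """Return (label, pid, detail) findings for hidden PowerShell launched from explorer.exe
    and for what that PowerShell process starts: EXEs in user-writable dirs and Word decoys."""
    suspicious_ps = {ev.pid for ev in events if hidden_powershell_from_explorer(ev)}
    findings = []
    for ev in events:
        if ev.pid in suspicious_ps:
            findings.append(("hidden-powershell", ev.pid, ev.cmdline))
        elif ev.ppid in suspicious_ps and USER_WRITABLE.search(ev.image):
            findings.append(("sideload-host-candidate", ev.pid, ev.image))
        elif ev.ppid in suspicious_ps and ev.image.lower().endswith("winword.exe"):
            findings.append(("decoy-document", ev.pid, ev.cmdline))
    return findings

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed events, not taken from the reported campaign
    ProcEvent(1200, 900, r"C:\Windows\System32\userinit.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4120, 1200, r"C:\Windows\explorer.exe", PS,
              r'powershell.exe -w hidden -nop -c "Start-Process .\proposal.docx; Start-Process .\update.exe"'),
    ProcEvent(4130, 4120, PS, r"C:\Users\alice\AppData\Local\Temp\Proposal\update.exe", "update.exe"),
    ProcEvent(4140, 4120, PS, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\AppData\Local\Temp\Proposal\proposal.docx"'),
    ProcEvent(5000, 1200, r"C:\Windows\explorer.exe", PS, "powershell.exe"),  # interactive shell, benign
]

if __name__ == "__main__":
    for label, pid, detail in detect_chain(SAMPLE_EVENTS):
        print(f"{label:24} pid={pid} {detail}")
```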
GOVERSHELL Variants and Capabilities
Five different variants of GOVERSHELL have been discovered to date, each with different capabilities. HealthKick can run arbitrary commands via cmd.exe. TE32 executes commands directly through a PowerShell reverse shell.
TE64 collects system information and the current system time. It can run commands via powershell.exe and check in with a remote command-and-control server for new commands. Another variant, known as Beacon, focuses on running native and dynamic commands using PowerShell. It can also set base polling intervals for different types of metrics and randomize them at any time.
WebSocket can run PowerShell commands with powershell.exe. It also has an unimplemented “update” sub-command, hinting at possible future development. UTA0388 has shown that it can pivot its tactics efficiently, tailoring its approach to the precise goals and targets of each campaign.
Phishing Techniques and Infrastructure
Investigators traced the phishing emails, including those received at the consulate, back to legitimate email services such as Proton Mail, Microsoft Outlook, and Gmail. The messages are designed to look convincing, including mimicking the names of senior researchers or analysts from fabricated organizations.
Volexity, a cybersecurity firm, noted that “the initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations.” The goal of these spear phishing campaigns is clear: to socially engineer targets into clicking links that lead to a remotely hosted archive containing a malicious payload.
Legitimate cloud services such as Netlify, Sync, and OneDrive have also been abused to host the archive files. This use of trusted platforms makes detection harder, allowing the malware to blend into legitimate web traffic.
Automation and Scale of Attack
Based on our investigation, UTA0388 probably employs automation tooling, largely built on large language models (LLMs), that enables the rapid creation and dissemination of text-based content with minimal human effort. This degree of automation lets the threat actor scale its operations and target as many victims at a time as it chooses.
The implications of these tactics are many, from weak security standards to serious repercussions for individuals and companies alike. As cyber threats continue to grow in sophistication, so must cybersecurity efforts. Organizations need to be on the lookout for spear-phishing attempts and must adequately train their workforce to identify and report unusual communications.