Cybersecurity researchers at Natto Thoughts recently discovered that Chinese hackers have been actively abusing open-source tools like Nmap to launch cyber attacks.
Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon. This network scanner tool is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
Chinese state-sponsored threat groups such as APT41, APT10 (aka menuPass, Stone Panda, POTASSIUM), GALLIUM (aka Granite Typhoon), Stately Taurus (aka Mustang Panda), and APT40 (aka TA423, Red Ladon, BRONZE MOHAWK, Gingham Typhoon) consistently pay careful attention to the reconnaissance phase, techniques, and tools in their cyber operations.
They make extensive use of network scanning utilities such as Nmap and NBTscan to perform footprinting and locate vulnerable targets.
NBTscan uses TCP/IP to scan and search through a computer network, specifically for NetBIOS name information. It also reports each host's IP address, NetBIOS computer name, current login, and MAC address.
Technical Analysis
APT40 utilizes the ScanBox reconnaissance framework in phishing campaigns, customizing it to impersonate news websites.
These threat actors target diverse sectors, including telecommunications, managed IT service providers, government agencies, and critical infrastructure.
They exploit vulnerabilities, some dating back to 2017, and use a mix of off-the-shelf and locally developed tools for network discovery, lateral movement, and data exfiltration.
Some of the known operations are Operation Cloud Hopper (APT10), Operation Soft Cell (APT10), and the more recent APT40 activities, including the 2024 “APT40 Advisory” provided by the Five Eyes intelligence partnership.
These groups are known to use tools like modified NBTscan, Nmap, and custom malware to scan for open ports, identify system information, and map network topologies.
The persistent use of these techniques over the past decade, combined with sophisticated social engineering tactics, highlights their effectiveness in long-term cyber espionage campaigns targeting global entities.
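The scanning behaviour described above (Nmap-style port sweeps against a host, and NBTscan-style NetBIOS name queries across many hosts) leaves a recognisable footprint in perimeter and internal firewall logs. The following detector is an added example, not code from the article or from any of the reports it cites; it runs over constructed firewall-style log lines and flags both patterns. The log format, the thresholds, and the sample addresses are all assumptions made for illustration.

```python
"""
Added example: flag two reconnaissance patterns in a constructed, firewall-style
connection log (assumed format: "<ISO timestamp> <src> <dst> <proto> <dport> <action>").
  1. port_sweep: one source touching many distinct ports on one host (Nmap-style).
  2. nbt_sweep:  one source sending UDP/137 (NetBIOS Name Service, the port NBTscan
                 queries) to many distinct hosts.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunable thresholds: assumptions for this example, not vendor defaults.
WINDOW = timedelta(seconds=60)   # sliding window for counting distinct targets
PORT_SWEEP_MIN_PORTS = 10        # distinct dst ports on one host from one source
NBT_SWEEP_MIN_HOSTS = 5          # distinct hosts probed on UDP/137 by one source
NBT_PORT = 137                   # NetBIOS Name Service

# Constructed sample log (synthetic, not captured traffic).
SAMPLE_LOG = "\n".join(
    # ordinary traffic that should not be flagged
    ["2024-07-08T10:00:00 10.0.0.7 10.0.1.50 TCP 443 ALLOW",
     "2024-07-08T10:00:05 10.0.0.7 10.0.1.51 TCP 443 ALLOW"]
    # Nmap-style sweep: one source, one host, many ports within seconds
    + [f"2024-07-08T10:01:{i:02d} 10.0.0.5 10.0.1.20 TCP {p} DENY"
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    # NBTscan-style sweep: one source, UDP/137 to many hosts
    + [f"2024-07-08T10:02:{i:02d} 10.0.0.9 10.0.1.{h} UDP 137 ALLOW"
       for i, h in enumerate(range(10, 18))]
)


def parse_line(line):
    """Parse one assumed-format log line into a dict."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "action": action}


def _push(history, item, now):
    """Append (timestamp, value) and drop entries older than WINDOW."""
    history.append(item)
    while history and now - history[0][0] > WINDOW:
        history.popleft()


def detect_recon(log_text):
    """Return a list of findings; each finding is updated as more evidence arrives."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    port_hist = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
    nbt_hist = defaultdict(deque)    # src -> deque of (ts, dst)
    findings = {}                    # (type, key) -> finding dict

    for e in events:
        # Pattern 1: many distinct ports on one destination from one source.
        key = (e["src"], e["dst"])
        _push(port_hist[key], (e["ts"], e["dport"]), e["ts"])
        ports = {p for _, p in port_hist[key]}
        if len(ports) >= PORT_SWEEP_MIN_PORTS:
            findings[("port_sweep", key)] = {
                "type": "port_sweep", "src": e["src"], "dst": e["dst"],
                "distinct_ports": len(ports), "last_seen": e["ts"].isoformat()}

        # Pattern 2: NetBIOS name-service probes fanning out to many hosts.
        if e["proto"] == "UDP" and e["dport"] == NBT_PORT:
            _push(nbt_hist[e["src"]], (e["ts"], e["dst"]), e["ts"])
            hosts = {d for _, d in nbt_hist[e["src"]]}
            if len(hosts) >= NBT_SWEEP_MIN_HOSTS:
                findings[("nbt_sweep", e["src"])] = {
                    "type": "nbt_sweep", "src": e["src"],
                    "distinct_hosts": len(hosts), "last_seen": e["ts"].isoformat()}

    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_recon(SAMPLE_LOG):
        print(finding)
```

The detector keys port counting on the (source, destination) pair and NetBIOS counting on the source alone, because the two techniques fan out differently: a port scan is deep against one host, while a NetBIOS name sweep is shallow across many. Thresholds and window size should be tuned against a baseline of legitimate traffic (vulnerability scanners and monitoring systems will trip both rules and need an allow list).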
Operation Diplomatic Specter and Earth Krahang are two recent cyber espionage campaigns that illustrate the evolving tactics of Chinese-linked APT groups.
These threat actors employ a mix of established and novel reconnaissance tools to target governmental entities in the Middle East, Africa, and Asia.
In addition to web scanning and NBTscan for network exploration, the TGR-STA-0043 group behind Operation Diplomatic Specter uses tools like LadonGo.
Researchers also noted a new penetration testing toolkit dubbed “Yasso,” which comes with SQL injection capabilities and remote shell functionality.
It’s possible that Earth Krahang has connections to an IT company named i-Soon. Its infrastructure also makes use of open-source scanners such as SQLmap for database vulnerabilities, Nuclei for template-based scanning, and POCsuite for proof-of-concept vulnerability testing.
These groups target more current political issues and seek to obtain confidential information from diplomatic, military, and political leaders and operations.
Yasso also provides database tools and other advanced commands, and appears to be geared toward more command-driven operations.