📃Title: Operation SalmonSlalom
📅Date: 2025-02-24
🔗References:

Description

A sophisticated cyberattack targeting industrial organizations in the Asia-Pacific region has been uncovered. The attackers used legitimate Chinese cloud services and a multi-stage payload delivery framework to evade detection. The campaign, named SalmonSlalom, employed techniques such as hosting payloads on a legitimate file-hosting CDN, public packers for payload encryption, dynamically changing C2 addresses, and DLL sideloading. The attack shares similarities with previous campaigns that used open-source RATs such as Gh0st RAT and FatalRAT, but shows a shift in tactics tailored to Chinese-speaking targets. The malware installation process is complex, involving multiple stages and the use of legitimate applications to disguise malicious activity.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • target-information="Taiwan"
  • target-information="Malaysia"
  • target-information="China"
  • target-information="Japan"
  • target-information="Thailand"
  • target-information="Hong Kong"
  • target-information="Singapore"
  • target-information="Philippines"
  • producer="Kaspersky"
  • malpedia="FatalRat"
  • target-information="South Korea"
  • target-information="Vietnam"
  • sector="Construction"
  • sector="Energy"
  • sector="Government, Administration"
  • sector="IT"
  • sector="Industrial"
  • sector="Logistic"
  • sector="Manufacturing"
  • sector="Telecoms"
  • sector="Transport"
  • mitre-attack-pattern=['T1033', 'T1056.001', 'T1547', 'T1543.003', 'T1082', 'T1071', 'T1140', 'T1055', 'T1218', 'T1112', 'T1070.001', 'T1059', 'T1083', 'T1102', 'T1057', 'T1027', 'T1573', 'T1012', 'T1132', 'T1518', 'T1574.002', 'T1105', 'T1193', 'T1566.001', 'T1194', 'T1566.003', 'T1204', 'T1027.002', 'T1045', 'T1484.001', 'T1055.001', 'T1059.005', 'T1497', 'T1547.001', 'T1487', 'T1561.002', 'T1485']

MISP event uuid: 7238406a-dac3-41b6-a63e-4671822af814

Indicators of Compromise (IoCs)

type,value,comment
md5, 02fb1958a901d7d1c8b60ecc0e59207c, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 04aa425d86f4ef8dc4fc1509b195838a, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 096c34df242562d278fc1578dc31df92, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 09a50edb49cbb59a34828a37e63be846, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 0a49345c77da210ab0cd031fda6bc962, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 0a70ea6596c92fbfb461909ed57503fa, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 0b20f0ff1aaff4068f99f4db69ba9c1e, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 142eb5106fcc2f95b7daf37dca970595, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 15b7990bd006d857ee02c529b45783ac, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 1e80a8b3f4efb4bb27771d729f5ced85, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 2026ead0c2366d049ecd5e42ac1b1b07, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 24ecb197ee73e5b1eef2ded592640cf2, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 26f0806932dfd029f0fe12e49bb4c799, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 2aa41ae3d3ae789147218652e6593161, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 2bccd50322afb7a349c163ce9b76bb66, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 357534f6a2bffa77b83501715e382a94, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 362fc5799ecef8e9e328cfbf6272c48f, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 3843ef98a4c7ee88f10078e6a38f15ee, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 44b47fdab8ca3375fe5a875deefa265c, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 502054d938a18172a3657aaf2326bcf4, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 50a5c5a3c07f04d96f5f1968996cfb74, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 58a8daae643a84c112ddc6e79c750271, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 58e44c4d797cecfed42c1fdf18c2d5f9, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 58fe500e022ea1aeebbe72c4ce694531, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 5b730131c3271820c03d711f2549b894, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 5d7fba23a44683c0b471d9a7cc7f5042, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 63562347202715eff0e7f2d6ad07a2aa, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 63c600434def54157204765619838372, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 64013e613a0130cb1b7845139537bc5e, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 64fdeed776cfd5e260444ae2e4a5b1a4, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 699ad2a5b6d9b9b59df79e9265ebd47a, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 6a5e3776c3bfdadd899704589f28e9fd, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 6a73f3bab8fb205ed46e57cf076b6f6d, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 771a5d8fc6829618f15abe49796d1c44, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 790cf080abb18af471d465998b37fd1b, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 797d111244805e897db5c21010ee8e12, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 7ba376f5a71ffa21a92c7b35c3b000eb, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 82394a97458094b1cb22c4e243f4e9db, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 8c0599c0a6b7ffaff93762d0c3ea2569, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 8da2c4796c439f4a57536bd5c5d3f811, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 8e474f9321fc341770c9100853eb41eb, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 9037ccfcd3d3d1542089d30d3041db1c, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 936c16a64432348176f9183cd1524cef, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 93f12cbfb9ba1a66d3a050a74bab690b, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 949f086c40cfc5144243a24688961414, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 9636309c41e8a33507c349b8e9053c49, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 9bf2e34511619b7c4573c3974bdbaa39, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 9e8a08fcddb10db8d58e17b544d81bff, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, a009b341aa6f5bda61300dc5e7822480, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, a7b20338dd9ed5462ddff312b67556e9, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, ad216eaf11500eb73c6cdafc18cb49d8, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, b0c315c5dcda6e4442280c07b11d1ba5, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, b37917ea3849607d02d330130a823567, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, b3f8f1272813bff80630b9caab6e5089, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, b5c46f829fed11b4ddc2e155dc5cf974, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, bc36b1be438f92fe5f9a47f13244503e, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, bd6b8574738c7589887b61d4fad68fce, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, bdd68e7733c09fad48d4642689741ea4, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, be15a198f05eb39277720defa9188f62, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, c4579aa972d32e946752357ca56ee501, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, c555cc05f9d16b9e9222693e523e0ba5, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, c89a4a106619c67b8410efa695d78ef3, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, ca7dc49e80b2a77677718c72f3cc6bc1, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, cbc36deadef17a4c315cbbff3f74439f, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, d35635e8d07b923d1e89f541d4f03b90, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, d494efc086447c543d0c3c7beecf2bc6, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, dded5d108b6a9ee50d629148d8ed4ec5, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, df6f5f4b7b8ba3c2c0ddc00d47e33218, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, e32020ab02e11a995effb7781aabd92f, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, e6ef56c91bd735542775dfef277e0cc7, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, e91991304abf5d881545bc127e7fb324, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, eb9419aa5c6fee96defad140450a9633, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, ec0bdf52c113487e803028dbc52e8173, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, f9e461cc83076d5f597855165e89f0db, 'first stage loader No sample in VT\r\nLast check:08/03/2025'
md5, 02477e031f776539c8118b8e0e6663b0, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 15962f79997a308ab3072c10e573e97c, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 172ee543d8a083177fc1832257f6d57d, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 1fe3885dea6be2e1572d8c61e3910d19, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 249f568f8b8709591e7afd934ebea299, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 3ec20285d88906336bd4119a74d977a0, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 43156787489e6aa3a853346cded3e67b, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 46630065be23c229adff5e0ae5ca1f48, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 5be46b50cac057500ea3424be69bf73a, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 635f3617050e4c442f2cbd7f147c4dcf, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 675a113cdbcce171e1ff172834b5f740, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 68a27f7ccbfa7d3b958fad078d37e299, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 7ac3ebac032c4afd09e18709d19358ed, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, 9d34d83e4671aaf23ff3e61cb9daa115, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, a935ef1151d45c7860bfe799424bea4b, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, ebc0809580940e384207aa1704e5cc8e, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, eca08239da3acaf0d389886a9b91612a, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
md5, fb8dc76a0cb0a5d32e787a1bb21f92d2, 'FatalRAT final payload No sample in VT\r\nLast check:08/03/2025'
domain, microsoftmiddlename.tk, ''
domain, cloudservicesdevc.tk, ''
domain, novadector.xyz, ''
domain, microsoftupdatesoftware.ga, ''
domain, 0a305ffb2a1d41f6870eac02f9afce89.xyz, ''
domain, xindajiema.info, ''
domain, vip033324.xyz, ''
hostname, 101.kkftodesk101.top, ''
hostname, 102.kkftodesk102.top, ''
hostname, 104.kkftodesk104.top, ''
hostname, 105.kkftodesk105.top, ''
hostname, 106.kkftodesk106.top, ''
hostname, 107.kkftodesk107.top, ''
hostname, 108.kkftodesk108.top, ''
hostname, 109.kkftodesk109.top, ''
hostname, 110.kkftodesk110.top, ''
hostname, 34.kosdage.asia, ''
url, http://note.youdao.com/yws/api/note/4b2eead06fc72ee2763ef1f653cdc4ae, 'URLs of malicious files on legitimate services'
url, http://note.youdao.com/yws/api/note/1eaac14f58d9eff03cf8b0c76dcce913, 'URLs of malicious files on legitimate services'
url, http://11-1318622059.cos.ap-nanjing.myqcloud.com/DLL2auto.dll, 'URLs of malicious files on legitimate services'
url, http://11-1318622059.cos.ap-nanjing.myqcloud.com/DLL.dll, 'URLs of malicious files on legitimate services'
url, http://11-1318622059.cos.ap-nanjing.myqcloud.com/DLL2.dll, 'URLs of malicious files on legitimate services'
url, http://11-1318622059.cos.ap-nanjing.myqcloud.com/FANGAOtest.dll, 'URLs of malicious files on legitimate services'
url, http://11-1318622059.cos.ap-nanjing.myqcloud.com/BEFORE.dll, 'URLs of malicious files on legitimate services'
url, http://11-1318622059.cos.ap-nanjing.myqcloud.com/FANGAO.dll, 'URLs of malicious files on legitimate services'
url, http://todesk-1316713808.cos.ap-nanjing.myqcloud.com/DLL.dll, 'URLs of malicious files on legitimate services'
url, http://todesk-1316713808.cos.ap-nanjing.myqcloud.com/DLL2.dll, 'URLs of malicious files on legitimate services'
url, http://todesk-1316713808.cos.ap-nanjing.myqcloud.com/BEFORE.dll, 'URLs of malicious files on legitimate services'
url, http://mytodesktest-1257538800.cos.ap-nanjing.myqcloud.com/DLL.dll, 'URLs of malicious files on legitimate services'
url, http://yuehai-1316713808.cos.ap-nanjing.myqcloud.com/DLL.dll, 'URLs of malicious files on legitimate services'
url, http://yuehai-1316713808.cos.ap-nanjing.myqcloud.com/FANGAO.dll, 'URLs of malicious files on legitimate services'
url, http://yuehai-1316713808.cos.ap-nanjing.myqcloud.com/before1/BEFORE.dll, 'URLs of malicious files on legitimate services'
url, http://yuehai-1316713808.cos.ap-nanjing.myqcloud.com/before2/BEFORE.dll, 'URLs of malicious files on legitimate services'
url, http://526-1316713808.cos.ap-nanjing.myqcloud.com/FANGAO.dll, 'URLs of malicious files on legitimate services'
url, http://526-1316713808.cos.ap-nanjing.myqcloud.com/BEFORE.dll, 'URLs of malicious files on legitimate services'
url, http://526-1316713808.cos.ap-nanjing.myqcloud.com/DLL2.dll, 'URLs of malicious files on legitimate services'
url, http://526-1316713808.cos.ap-nanjing.myqcloud.com/DLL.dll, 'URLs of malicious files on legitimate services'
url, http://529-1316713808.cos.ap-nanjing.myqcloud.com/BEFORE.dll, 'URLs of malicious files on legitimate services'
url, http://529-1316713808.cos.ap-nanjing.myqcloud.com/DLL2.dll, 'URLs of malicious files on legitimate services'
url, http://529-1316713808.cos.ap-nanjing.myqcloud.com/FANGAO.dll, 'URLs of malicious files on legitimate services'
url, http://530-1316713808.cos.ap-nanjing.myqcloud.com/FANGAO.dll, 'URLs of malicious files on legitimate services'

Full IoCs available in Rectifyq's MISP