China-linked APT24 hackers are employing a sophisticated new malware known as BadAudio to conduct persistent cyber espionage campaigns. This advanced downloader, in use for at least three years, allows the group to gain and maintain access to targeted organizations. The group has recently shifted its focus to Taiwan-based entities, utilizing a combination of strategic web compromises and spear-phishing tactics.
APT24 Executes Persistent Campaigns with New BadAudio Malware
APT24, a cyber espionage group believed to be linked to the People’s Republic of China, has been actively using a highly evasive malware dubbed BadAudio. This first-stage downloader, according to Google Cloud security analysts, has been instrumental in enabling the group’s persistent network access over approximately three years. The group’s evolving tactics now include a narrower focus on Taiwan-based organizations, employing a multi-pronged approach that combines supply chain compromises and targeted phishing.
The emergence of BadAudio signifies an advancement in APT24’s technical repertoire. Since November 2022, the threat actor has compromised over twenty legitimate websites. These sites were weaponized with malicious JavaScript payloads that, when visited, redirected users to infrastructure controlled by the attackers. This “watering hole” attack strategy allowed APT24 to cast a wide net while employing advanced techniques to identify and target specific organizations.
Researchers have noted that the deployment methods of the BadAudio malware have consistently evolved, demonstrating the threat actor’s dedication to evading defensive measures. Google Cloud security analysts were able to identify the malware by recognizing patterns consistent with previous APT24 operations. The BadAudio malware functions as a custom-built first-stage downloader, written in C++. Its primary role is to download, decrypt, and execute AES-encrypted payloads obtained from hardcoded command-and-control servers.
In its initial phase, the malware quietly gathers basic system information. This includes details such as the computer’s hostname, the active username, and the system architecture. This collected data is then encrypted and embedded within cookie parameters, which are subsequently sent back to attacker-controlled endpoints. This subtle method of communication, often referred to as “beaconing,” complicates detection by traditional network security monitoring tools, allowing for prolonged and covert access.
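The beaconing pattern described above (encrypted system data carried in cookie parameters) is something a defender can look for in proxy logs. The following Python is an added detection example, not code from the article or from Google’s analysis; the log line format, the field names and the length and entropy thresholds are assumptions, and the sample log lines are constructed.

```python
import math
import re

# Constructed sample proxy log lines (not from the article); the log format,
# field names and thresholds below are assumptions for this example.
SAMPLE_LOGS = [
    'src=10.0.0.5 GET http://www.example.com/index.html cookie="sessionid=abc123; lang=en"',
    'src=10.0.0.7 GET http://www.example.com/stats cookie="_ga=GA1.2.1234567890.1700000000"',
    'src=10.0.0.9 GET http://cdn.example.net/api/check cookie="id=Q7xK2mZ9pL4vT8nR3wB6yH1cJ5dF0gAsUiEoWeNtYuMbVkCrX"',
]

LINE_RE = re.compile(r'^src=(\S+) (\S+) (\S+) cookie="([^"]*)"$')
MIN_LEN = 24        # short values (session ids, flags) are ignored
MIN_ENTROPY = 4.5   # bits per character; encrypted or random data sits well above this

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_cookies(header):
    """Split a Cookie header into name -> value pairs (value may itself contain '=')."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs[name.strip()] = value.strip()
    return pairs

def find_suspicious_cookies(lines):
    """Return (src, url, cookie_name, entropy) for cookie values that are both long and high-entropy."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the whole run
        src, _method, url, cookie_header = m.groups()
        for name, value in parse_cookies(cookie_header).items():
            ent = shannon_entropy(value)
            if len(value) >= MIN_LEN and ent >= MIN_ENTROPY:
                hits.append((src, url, name, round(ent, 2)))
    return hits
```

Calling `find_suspicious_cookies(SAMPLE_LOGS)` flags only the third line; the long but low-entropy analytics cookie on the second line passes the length gate and is then dropped by the entropy check, which is the false positive the two-part test is there to avoid.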
Technical Sophistication in APT24’s BadAudio Operations
The technical capabilities of BadAudio demonstrate a high level of sophistication, including the implementation of control flow flattening. This advanced obfuscation technique systematically disrupts the natural logical structure of a program to make reverse engineering and analysis more challenging. The malware typically manifests as a malicious Dynamic Link Library (DLL). It leverages DLL search order hijacking vulnerabilities to gain execution by impersonating legitimate applications.
More recent iterations of the malware have been observed utilizing encrypted archives. These archives contain the BadAudio DLLs along with other script files, such as VBS, BAT, and LNK files. These accompanying files are designed to automate the placement of the malware and establish persistence mechanisms, often by creating entries in legitimate executable startup locations. This ensures that the malware can re-establish itself even after a system reboot.
Once BadAudio is running, the follow-on payloads it decrypts with hardcoded AES keys have in several instances been identified as Cobalt Strike Beacon. Cobalt Strike is a legitimate penetration testing tool that can be repurposed by malicious actors to gain full remote access and control over compromised networks. This offers APT24 extensive capabilities for lateral movement and data exfiltration within the victim’s environment.
APT24 has recently shown a strategic shift towards more targeted attack methodologies, moving away from indiscriminate, opportunistic campaigns. In particular, supply chain compromises targeting regional digital marketing firms located in Taiwan have enabled the group to execute sophisticated attacks that simultaneously impact multiple organizations. This approach leverages existing trust relationships within business networks to gain initial access.
In addition to supply chain attacks, the group has also employed phishing campaigns that rely on social engineering. These misleading emails often impersonate benign organizations, such as animal rescue groups, to trick recipients into downloading malware directly from attacker-controlled infrastructure. Furthermore, APT24 has been observed abusing legitimate cloud storage platforms, including Google Drive and OneDrive, to distribute its encrypted archives. This demonstrates a willingness to exploit trusted services for malicious objectives.
Analysts anticipate that APT24 will continue to refine its techniques and adapt its tactics, techniques, and procedures (TTPs) in response to evolving defensive capabilities. Organizations, particularly those in Taiwan, are advised to enhance their threat detection and response strategies and to remain vigilant against sophisticated social engineering endeavors. The ongoing evolution of BadAudio indicates a sustained threat from this China-linked cyber espionage group.