TeamT5 is a leading APT threat intelligence provider in the Asia & Pacific region. In Black Hat Asia 2022, TeamT5 published our analysis of modular backdoor Pangolin8RAT and its associated threat group "Tianwu”. As modular backdoors and shared malwares are becoming key trends in the threat landscape, Silvia Yeh (Threat Intelligence Analyst) and Leon Chang (Threat Intelligence Researcher) from TeamT5 warn the public that previous APT analysis mindset might not be suitable.
In the past, modular malware like PlugX and ShadowPad have been the most popular shared trojans used in Chinese state-sponsored cyber operations. Since mid-2020, TeamT5 has detected a new modular trojan emerging in the APAC region which has the potential to be their successor. The trojan was named "Pangolin8RAT" after "pangolin" and “p8rat" found in its PDB string and RTTI. Pangolin8RAT is modular, as its functionalities can be expanded by downloading DLL from its C2. Its early feature supported 8 communication protocols, including TCP, HTTPS, UDP, DNS, ICMP, HTTPSIPV6, WEB, and SSH.
TeamT5 researchers names the threat group behind Pangolin8RAT as “Tianwu”, a beast with 8 human heads in Chinese mythology. From 2020 to 2021, TeamT5 has observed Tianwu leveraging Pangolin8RAT to snipe at online gaming/gambling industry, transportation, telecom, government, and dissidents in the Asia Pacific region.
In this talk, TeamT5 researchers also explored Tianwu’s connections with the notorious Chinese APT group Amoeba (aka APT41) by illustrating the similarities in the two group’s modular malware structure, TTPs, and target scope.
TeamT5 researchers concluded that modular backdoor has become a trend as it can reduce the cost of malware development by APT groups. For that reason, previous analysis frameworks and categories might not be suitable for future APT attacks. In order to have an overview of the threat landscape, enterprises should defend themselves with all-level intelligence from tactical & operational level to strategic level.
About Black Hat Asia
Black Hat is the world’s leading information security event, and remains the best and biggest event of its kind. It provides attendees with cutting-edge security research, development and trends, and has the ability to define tomorrow’s information security landscape. Black Hat Asia is an Black Hat extended event which is held in Singapore annually.
BlackHatでのトーク：SamsungのRoot of Trustを破壊 - Samsungのセキュアブートへの悪用
vulnerability research , D39, Black Hat, cyber threat intelligence, threat hunting
【Black Hat Asia】TeamT5の研究員がブラックハットアジア（Black Hat Asia）に参加
Black Hat, Mem2Img, CloudDragon, Black Hat Asia, cyber threat intelligence, threat hunting, 威脅情資, 資安情資