IslandDreams (also tracked as APT40, Bronze Mohawk, GreenCrash, Kryptonite Panda, Periscope and Mudcarp) is a threat actor group linked to China. In late August 2023 the group ran a phishing campaign against users in Papua New Guinea; Google's Threat Analysis Group (TAG) attributed this campaign, the fourth recent WinRAR exploitation it described, to IslandDreams. The campaign used decoy PDF files as lures and was built to deliver infostealers.
TAG's reporting on the campaign also names FROZENBARENTS and FROZENLAKE. These are not indicators of compromise (IoCs) but TAG's names for two other government-backed groups, both Russia-linked, that were observed exploiting the same WinRAR bug. The IoCs published for the IslandDreams campaign itself consist of file hashes and IP addresses. The group's final payload was BOXRAT, delivered by exploiting CVE-2023-38831, a WinRAR vulnerability that TAG has seen in use by several government-backed groups, not only this one.
The Papua New Guinea victims received phishing emails carrying three components: an attached archive that exploits CVE-2023-38831, a password-protected decoy PDF, and an .lnk file. The .lnk file was built to load payload.dll either from a hard-coded IP address or from a file-sharing site, giving the chain a fallback if one download location was blocked. Two points matter for defenders: the exploit lives in the archive's layout rather than in the decoy document, so WinRAR versions older than 6.23 open the attacker's executable when the user opens what looks like a PDF; and the payload is fetched at run time, so outbound connections from a shortcut-launched process to a bare IP address or a file-sharing host are the observable that catches the delivery stage even when the archive itself slips past mail filtering.
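CVE-2023-38831 abuses a WinRAR quirk: when an archive contains a file such as `invoice.pdf ` (trailing space) and a directory of the same name holding `invoice.pdf .cmd`, opening the "PDF" executes the script. The following is an added example, not code from the page or from Google TAG, that scans a ZIP container (the format most public exploit samples used; a RAR parser would need a third-party library) for that same-name file/directory collision with an executable inside. The archive contents and file names are constructed here for illustration; nothing in them is taken from the real campaign.

```python
import io
import zipfile

# Extensions WinRAR hands to ShellExecute; the spoofed inner file carries one of these.
EXEC_EXTS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".wsf", ".scr", ".com", ".ps1", ".lnk")


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_file, inner_executable) pairs matching the CVE-2023-38831 layout.

    The layout is a top-level file X plus a directory also named X (a filesystem
    would never allow both) that contains an executable whose name starts with X.
    Only the central directory is read; nothing is extracted.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [zi.filename for zi in zf.infolist()]
    # Explicit directory entries end in "/"; the collision is detected from paths.
    files = {n for n in names if not n.endswith("/")}
    findings = []
    for entry in sorted(files):
        if "/" not in entry:
            continue  # top-level file, cannot be the inner executable
        dirname, fname = entry.rsplit("/", 1)
        if dirname not in files:
            continue  # directory does not collide with a same-named file: normal archive
        # Classic shape: inner name = decoy name + executable extension
        # (e.g. "invoice.pdf " -> "invoice.pdf .cmd").
        if fname.startswith(dirname) and fname.lower().endswith(EXEC_EXTS):
            findings.append((dirname, entry))
    return findings


def build_sample(malicious: bool) -> bytes:
    """Construct an in-memory ZIP (hypothetical contents) for testing the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf ", b"%PDF-1.4 decoy document")  # note trailing space
        zf.writestr("docs/readme.txt", b"legitimate nested file")
        if malicious:
            # Same-named directory holding the script WinRAR would launch.
            zf.writestr("invoice.pdf /invoice.pdf .cmd", b"start /b rundll32 payload.dll,Run")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("benign", False)):
        print(label, find_cve_2023_38831_pattern(build_sample(flag)))
```

The check is structural, so it does not depend on hashes of a particular sample; any archive that pairs a file and a directory of identical name with a script or executable inside the directory is worth quarantining, whatever the decoy extension.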
Description last updated: 2024-05-04T20:30:56.589Z