After a two-and-a-half-year investigation, Palo Alto Networks Unit 42 has formally named a sophisticated Chinese nation-state actor: Phantom Taurus. Because this advanced adversary poses a significant threat to organizations worldwide, our customers need strong protection. This blog explains how Palo Alto Networks products deliver proactive protection, defense, and real-time response capabilities against this adversary.
Background
Phantom Taurus is a Chinese advanced persistent threat (APT) group that conducts espionage operations. Their focus is on high-value targets, specifically government and telecommunications. What makes Phantom Taurus significant is its unique and sophisticated set of tactics, techniques, and procedures (TTPs). Their operations are defined by stealth, persistence, and adaptability, enabling them to maintain long-term, covert access to critical systems.
A Shift in Tactics and a New Malware Suite: NET-STAR
Phantom Taurus has significantly evolved its tactics, shifting from stealing emails to directly targeting SQL Server databases. They use a script, mssq.bat, to connect to and quickly collect country-specific data, focusing on information related to nations like Afghanistan and Pakistan.
On top of that, Phantom Taurus uses a new, undocumented malware suite in their arsenal called NET-STAR. This sophisticated suite specifically targets Internet Information Services (IIS) web servers, showcasing the group's advanced evasion techniques and deep mastery of the .NET architecture. To learn more about the specific findings around Phantom Taurus from Unit 42, read the blog.
Proactive Defense: How Palo Alto Networks Helps Protect Your Organization
The discovery of Phantom Taurus and its custom NET-STAR malware suite underscores the critical need for a unified, platformized approach to cybersecurity. Palo Alto Networks provides real-time protection and response against known and unknown variants of this actor and its custom tools through the following products:
- Advanced WildFire: Provides rapid, cloud-based analysis and threat intelligence to identify and block new variants of the custom NET-STAR malware.
- Advanced Threat Prevention (ATP): Proactively stops known and unknown exploits, command-and-control (C2) communication, and the complex techniques used by Phantom Taurus on the network level.
- Cortex XDR and Cortex XSIAM: Provide industry-leading prevention, detection, response, and automation capabilities needed to stop Phantom Taurus in real time. The platform is designed to block the initial NET-STAR malware loader and prevent the entire attack chain from executing.
Cortex XSIAM takes this a step further by offering complete visibility across endpoints, networks, cloud, and identities. By continuously monitoring for abnormal behavior, the platform enables deeper investigation, comprehensive threat hunting, and real-time automated response actions against this highly adaptive threat.
Cortex XDR: Real-Time Prevention
Cortex XDR provided protection against the techniques used by IIServerCore, a fileless web shell backdoor found in the NET-STAR malware suite, long before we formally named the Phantom Taurus adversary. This proactive defense is powered by Cortex XDR's advanced malware protection capabilities, ensuring we stop such threats before attribution is even possible.
- Behavioral Threat Protection: Instead of relying on signatures, Cortex XDR's agent uses Behavioral Threat Protection to monitor for malicious causality chains and system call anomalies. This means that even though IIServerCore is fileless, the platform can detect when the w3wp.exe process (the standard IIS worker process) starts spawning suspicious child processes like cmd.exe or powershell.exe to execute commands. This is a telltale sign of a web shell attack, and Cortex XDR will prevent this behavior.
- Anti-Webshell Protection: Cortex XDR includes a dedicated Anti-Webshell Protection module that actively protects endpoint and web-related application processes from dropping or executing malicious web shells. It can block malicious ASP and ASPX files from being written to the file system and prevent the initial execution of the web shell itself. By stopping the loader, Cortex XDR effectively neutralizes the most critical phase of the intrusion.
Cortex XSIAM: Hunting and Investigating the Unseen
Because Phantom Taurus relies on complex, in-memory, and adaptive techniques, complete visibility across your security ecosystem is non-negotiable. Cortex XSIAM delivers this by leveraging its native XDR prevention and response capabilities, as well as its ability to deliver comprehensive threat hunting, deeper investigation, and automated response actions.
- Unified Visibility for Threat Hunting: XSIAM continuously ingests and normalizes data not just from endpoints, but also from your cloud, identity, and network tools. Using XQL (Cortex Query Language), security analysts can proactively hunt across the entire environment for the sophisticated, multi-stage TTPs of Phantom Taurus, such as the sequence of a web shell loader leading to an in-memory database query. Pre-built queries, such as the IIS running discovery commands query, baseline normal web server behavior and then look for outliers, such as w3wp.exe launching an unusual child process for the first time on an internet-facing server.
- Accelerated Investigation: If an adversary attempts to pivot or use novel methods, XSIAM uses SmartGrouping, which automatically attributes all related behavior in a single incident, with in-depth summaries and added context, natively in the product. This reduces the time needed to understand the full scope of a compromise, identify the root cause, and see which critical systems were targeted by the data theft scripts.
- Uncovering Evasion: By combining detection data from Cortex XDR with analytics across your security ecosystem, Cortex XSIAM helps security teams uncover activity like AMSI and ETW bypass attempts (used by AssemblyExecuter V2) that might otherwise be masked by the threat actor's heavy use of timestomping and custom encryption.
- Automated Remediation: XSIAM includes various automation playbooks, such as the Cortex Response And Remediation pack, for the different analytics alerts triggered by Phantom Taurus APT activity. This collection of playbooks is designed to streamline incident response and remediation by leveraging detector logic to provide highly accurate, context-aware responses.
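The two detection ideas above (the IIS worker process w3wp.exe spawning a command interpreter, and w3wp.exe launching a child it has never launched before on a given server) can be expressed as plain logic over process-creation telemetry. The following is an added example, not Palo Alto Networks' or Cortex's own detection code; the event field names (host, parent, child) and the sample events are constructed for illustration, and the per-host baseline generalizes the "first time on this server" check to any child image.

```python
from collections import defaultdict
import ntpath

IIS_WORKER = "w3wp.exe"
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def _name(path):
    # Compare on the image name only; paths in telemetry vary in case and drive.
    return ntpath.basename(path).lower()

def build_baseline(events):
    """Per host, the set of child images w3wp.exe spawned in a known-good window."""
    baseline = defaultdict(set)
    for e in events:
        if _name(e["parent"]) == IIS_WORKER:
            baseline[e["host"]].add(_name(e["child"]))
    return baseline

def find_suspicious_iis_children(events, baseline):
    """Return (host, child, reason) for IIS worker children that warrant review."""
    findings = []
    for e in events:
        if _name(e["parent"]) != IIS_WORKER:
            continue  # only children of the IIS worker process are in scope
        child = _name(e["child"])
        if child in INTERPRETERS:
            findings.append((e["host"], child, "iis_worker_spawned_interpreter"))
        elif child not in baseline.get(e["host"], set()):
            findings.append((e["host"], child, "first_seen_child_of_w3wp"))
    return findings

# Constructed sample telemetry (not real events). Baseline window: ASP.NET
# dynamic compilation legitimately spawns csc.exe from w3wp.exe on web01.
BASELINE_EVENTS = [
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "child": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
]
LIVE_EVENTS = [
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "child": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},  # baselined
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "child": r"C:\Windows\System32\cmd.exe"},                              # web shell sign
    {"host": "web02", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "child": r"C:\Windows\System32\tasklist.exe"},                         # never seen here
    {"host": "web02", "parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Windows\System32\cmd.exe"},                              # out of scope
]

if __name__ == "__main__":
    for host, child, reason in find_suspicious_iis_children(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{host}: w3wp.exe -> {child} [{reason}]")
```

A real deployment would build the baseline from a multi-week window and scope it to internet-facing servers, so that rare but legitimate children do not page the team.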
Next Steps for Your Security Team
Phantom Taurus is a serious, sophisticated adversary, but the Cortex platform is designed to defeat precisely this kind of advanced threat.
- Validate Cortex XDR: Ensure your Cortex XDR agents are deployed across all endpoints to immediately leverage the updated protections against the NET-STAR suite.
- Harden Your Environment: Use Cortex XSIAM's rich data to proactively hunt for any lateral movement or early-stage TTPs related to Phantom Taurus.
- Advanced Protection Confirmation: Confirm that Advanced WildFire and Advanced Threat Prevention services are enabled, as they have been updated with the latest intelligence to provide continuous, real-time protection against known and unknown variants of this malware.
Stay ahead of the threat. Stay with Cortex.
Register for the Unit 42 Webinar “UNMASKED: Inside a New Chinese Nexus APT”
See how Cortex can transform your security operations today. Request a personalized demo.