{"id":24625,"date":"2024-06-05T03:21:03","date_gmt":"2024-06-05T11:21:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/06\/05\/news-18355\/"},"modified":"2024-06-05T03:21:03","modified_gmt":"2024-06-05T11:21:03","slug":"news-18355","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/06\/05\/news-18355\/","title":{"rendered":"Operation Crimson Palace: Sophos threat hunting unveils multiple clusters of Chinese state-sponsored activity targeting Southeast Asian government"},"content":{"rendered":"<p><strong>Credit to Author: gallagherseanm| Date: Wed, 05 Jun 2024 10:00:34 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>In May 2023, in a threat hunt across Sophos Managed Detection and Response telemetry, Sophos MDR\u2019s Mark Parsons uncovered a complex, long-running Chinese state-sponsored cyberespionage operation we have dubbed \u201cCrimson Palace\u201d targeting a high-profile government organization in Southeast Asia.<\/p>\n<p>MDR launched the hunt after the discovery of a DLL sideloading technique that exploited VMNat.exe, a VMware component. In the investigation that followed, we tracked at least three clusters of intrusion activity from March 2023 to December 2023. The hunt also uncovered previously unreported malware associated with the threat clusters, as well as a new, improved variant of <a href=\"https:\/\/www.elastic.co\/security-labs\/introducing-the-ref5961-intrusion-set\">the previously-reported EAGERBEE<\/a> malware. In line with our standard internal nomenclature, Sophos tracks these clusters as Cluster Alpha (STAC1248), Cluster Bravo (STAC1807), and Cluster Charlie (STAC1305).<\/p>\n<p>While our visibility into the targeted network was limited due to the extent to which Sophos endpoint protection had been deployed within the organization, our investigations also found evidence of related earlier intrusion activity dating back to early 2022. 
This led us to suspect the threat actors had long-standing access to unmanaged assets within the network.<\/p>\n<p>The clusters were observed using tools and infrastructure that overlap with other researchers\u2019 public reporting on Chinese threat actors <a href=\"https:\/\/www.welivesecurity.com\/2021\/06\/10\/backdoordiplomacy-upgrading-quarian-turian\/\" target=\"_blank\" rel=\"noopener\">BackdoorDiplomacy<\/a>, <a href=\"https:\/\/www.elastic.co\/security-labs\/introducing-the-ref5961-intrusion-set\" target=\"_blank\" rel=\"noopener\">REF5961<\/a>, <a href=\"https:\/\/www.welivesecurity.com\/2022\/09\/06\/worok-big-picture\/\" target=\"_blank\" rel=\"noopener\">Worok<\/a>, <a href=\"https:\/\/securelist.com\/targeted-attack-on-industrial-enterprises-and-public-institutions\/107054\/\" target=\"_blank\" rel=\"noopener\">TA428<\/a>, the <a href=\"https:\/\/www.bitdefender.com\/blog\/businessinsights\/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea\/\" target=\"_blank\" rel=\"noopener\">recently designated Unfading Sea Haze<\/a> and the APT41 subgroup <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html\" target=\"_blank\" rel=\"noopener\">Earth Longzhi<\/a>. Additionally, Sophos MDR has observed the actors attempting to collect documents with file names that indicate they are of intelligence value, including military documents related to strategies in the South China Sea.<\/p>\n<p>Based on our investigation, Sophos asserts with high confidence the overall goal behind the campaign was to maintain access to the target network for cyberespionage in support of Chinese state interests. This includes accessing critical IT systems, performing reconnaissance of specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and-control (C2) communications. 
We have moderate confidence that these activity clusters were part of a coordinated campaign under the direction of a single organization. Sophos is sharing indicators and context for the Crimson Palace campaign in hopes of contributing to further public research and helping other defenders and analysts disrupt related activity.<\/p>\n<figure id=\"attachment_955536\" aria-describedby=\"caption-attachment-955536\" style=\"width: 900px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/venn-updated-co.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-955536 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/venn-updated-co.jpg\" alt=\"\" width=\"900\" height=\"791\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/venn-updated-co.jpg 900w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/venn-updated-co.jpg?resize=300,264 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/venn-updated-co.jpg?resize=768,675 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><figcaption id=\"caption-attachment-955536\" class=\"wp-caption-text\">Figure 1. Venn diagram showing distinction and overlap of the three security threat clusters uncovered during the Crimson Palace investigation, including connections to previously known threat actor groups.<\/figcaption><\/figure>\n<p>Sophos has repeatedly shared the details of the intrusion with authorized contacts for the targeted organization. Sophos MDR continues to closely monitor this environment to report the scope and scale of the ongoing activity to the victim organization, as well as collect intelligence to track attack tactics and generate updated detections for all Sophos customers. 
Sophos has also shared intelligence from this campaign with government and industry partners, including <a href=\"https:\/\/www.elastic.co\/security-labs\/introducing-the-ref5961-intrusion-set\">Elastic Security<\/a> and <a href=\"https:\/\/www.trendmicro.com\/en_za\/research\/23\/e\/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html\">Trend Micro<\/a>, who have previously reported on similar threats.<\/p>\n<p>Key findings of our investigation included:<\/p>\n<ul>\n<li><strong>Novel malware variants:<\/strong> Sophos identified the use of previously unreported malware we call CCoreDoor (concurrently discovered by <a href=\"https:\/\/www.bitdefender.com\/blog\/businessinsights\/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea\/\">BitDefender<\/a>) and PocoProxy, as well as an updated variant of EAGERBEE malware with new capabilities to blackhole communications to anti-virus (AV) vendor domains in the targeted organization\u2019s network. Other observed malware variants include NUPAKAGE, Merlin C2 Agent, Cobalt Strike, PhantomNet backdoor, RUDEBIRD malware, and the PowHeartBeat backdoor.<\/li>\n<li><strong>Extensive dynamic link library (DLL) sideloading abusing Windows and anti-virus binaries: <\/strong>The Crimson Palace campaign included over 15 distinct DLL sideloading scenarios, most of which abused Windows Services, legitimate Microsoft binaries, and AV vendor software.<\/li>\n<li><strong>High prioritization of evasive tactics and tools: <\/strong>The threat actors leveraged many novel evasion techniques, such as overwriting <strong>ntdll.dll<\/strong> in memory to unhook the Sophos AV agent process from the kernel, abusing AV software for sideloading, and using various techniques to test the most efficient and evasive methods of executing their payloads.<\/li>\n<li><strong>Three distinct clusters with overlaps indicating coordination:<\/strong> While Sophos identified three distinct patterns of behavior, the timing of 
operations and overlaps in compromised infrastructure and objectives suggest at least some level of awareness and\/or coordination between the clusters in the environment.<\/li>\n<\/ul>\n<p>Because of the amount of intelligence uncovered in our investigation into this campaign, we have divided our report in two. This article provides an overview of the campaign and highlights the overlap of the observed activity clusters and the malware unique to them. Full technical analysis of the activity clusters is provided in a technical appendix, also published today. We have provided links from within this article to relevant portions of the detailed analysis <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/\">in that article<\/a>.<\/p>\n<h2>Prior Compromise<\/h2>\n<p>The targeted organization is categorized by Sophos as a \u201cmixed estate,\u201d meaning Sophos Managed Detection and Response (MDR) and Extended Detection and Response (XDR) coverage are only deployed to a subset of endpoints. Because of this, the Sophos team lacks complete visibility over all assets in the environment, leading us to assess the full extent of the compromise likely extends beyond Sophos-protected endpoints and servers.<\/p>\n<p>While initial access occurred outside Sophos\u2019 visibility into the organization, we observed related activity dating back to early 2022. That included a March 2022 detection of NUPAKAGE malware (<strong>Troj\/Steal-BLP),<\/strong> a customized tool used for exfiltration that has been <a href=\"https:\/\/www.trendmicro.com\/en_ph\/research\/23\/c\/earth-preta-updated-stealthy-strategies.html\">publicly attributed by Trend Micro<\/a> to the Chinese threat group Earth Preta (aka Mustang Panda).<\/p>\n<p>The organization later enrolled a subset of their endpoints with Sophos\u2019 MDR service. Detections of suspicious activity prompted the MDR Operations team to investigate the organization\u2019s estate. 
This included a December 2022 investigation into intrusion activity where DLL-stitching was used to obfuscate and deploy two malicious backdoors on target domain controllers. At that time, the detections <strong>Troj\/Backdr-NX<\/strong> and <strong>ATK\/Stowaway-C<\/strong> were deployed across Sophos customers to detect the stitched DLL payloads, and a behavioral detection was created to detect when a service DLL is added to the Windows registry.<\/p>\n<p><span style=\"font-size: 1em\">A deeper analysis of these previous compromises can be found <\/span><a style=\"font-size: 1em\" href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#prior-compromise\">here.<\/a><\/p>\n<h2>Analysis of Activity Clusters<\/h2>\n<p>The threat hunt that identified the activity clusters covered in this report began in May 2023. During the investigation, Sophos analysts identified several patterns indicating distinct clusters of behavior were operating in the network during the same period. 
These included:<\/p>\n<ul>\n<li>Authentication data, including source subnet, workstation hostname, and account usage<\/li>\n<li>Techniques, including specific commands and options, repeatedly used by the attackers<\/li>\n<li>Attacker C2 infrastructure<\/li>\n<li>Unique tools and the paths where they were deployed<\/li>\n<li>Targeted user accounts and hosts<\/li>\n<li>Timing of the observed activity<\/li>\n<\/ul>\n<p>Based on these patterns, we assess with moderate confidence that the espionage campaign consisted of at least three activity clusters with separate sets of infrastructure and TTPs coexisting in the target organization\u2019s network from at least March to September 2023.<\/p>\n<p><span style=\"font-size: 1em\">For more information on the attack chains of the observed clusters and details on the novel tactics and tooling, refer to the <\/span><a style=\"font-size: 1em\" href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/\">attack chain details report<\/a><span style=\"font-size: 1em\">.<\/span><\/p>\n<h3>Cluster Alpha (STAC1248)<\/h3>\n<p>We observed Cluster Alpha activity from early March to at least August 2023. That activity included multiple sideloading attempts to deploy various malware and establish persistent C2 channels within client and server subnets. Throughout this activity, we observed mutations of successful tactics that resulted in the same outcome, indicating the threat actors may have been leveraging the victim network as a playground to test different techniques. 
In addition to using unique techniques to disable AV protections and escalate privileges, the actor operating in Cluster Alpha prioritized comprehensively mapping server subnets, enumerating administrator accounts, and conducting reconnaissance on Active Directory infrastructure.<\/p>\n<p><strong>Key observations<\/strong><\/p>\n<ul>\n<li>Deployment of new <a href=\"https:\/\/www.elastic.co\/security-labs\/introducing-the-ref5961-intrusion-set\">EAGERBEE malware<\/a> variants with updated capability of modifying packets to disrupt security agent network communications<\/li>\n<li>Use of multiple persistent C2 channels including Merlin Agent, PhantomNet backdoor, RUDEBIRD malware, EAGERBEE malware, and PowHeartBeat backdoor<\/li>\n<li>Leverage of uncommon LOLBins <strong>exe <\/strong>and<strong> srvany.exe<\/strong> for service persistence with elevated SYSTEM privileges<\/li>\n<li>Side-loading of eight unique DLLs abusing Windows Services, legitimate Microsoft binaries, and endpoint protection vendors\u2019 software<\/li>\n<\/ul>\n<figure id=\"attachment_955394\" aria-describedby=\"caption-attachment-955394\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide4.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-955394\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide4.jpeg\" alt=\"A timeline of activity from March 2023 to August 2023 of Cluster Alpha (STAC1248) within the targeted network.\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide4.jpeg 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide4.jpeg?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide4.jpeg?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide4.jpeg?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption 
id=\"caption-attachment-955394\" class=\"wp-caption-text\">Figure 2: A timeline of STAC1248\u2019s observed activity.<\/figcaption><\/figure>\n<p>A further analysis of Cluster Alpha can be found <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#cluster-alpha\">here<\/a>.<\/p>\n<h3>Cluster Bravo (STAC1807)<\/h3>\n<p>While the activity in the other two clusters spanned over several months, activity in Cluster Bravo was only observed in the targeted organization&#8217;s environment for a three-week span in March 2023 (coinciding with the first session of China\u2019s 14<sup>th<\/sup> National People\u2019s Congress). Characterized as a mini cluster because of its short duration, Cluster Bravo activity was primarily focused on using valid accounts to spread laterally throughout the network, with the goal of sideloading a novel backdoor to establish C2 communications and maintain persistence on target servers.<\/p>\n<p>Key observed behavior included:<\/p>\n<ul>\n<li>Deployment of a previously unreported backdoor (which we have dubbed CCoreDoor) to move laterally, establish external C2 communications, perform discovery, and dump credentials<\/li>\n<li>Use of renamed versions of a signed side-loadable binary (<strong>exe<\/strong>) to obfuscate backdoor deployment and move laterally from the beachhead host to other remote servers<\/li>\n<li>Connections made to other hosts that were verified to be running within other in-country government organizations who may also be potentially compromised<\/li>\n<li>Overwriting of<strong>\u00a0ntdll.dll<\/strong> in memory with an on-disk version to unhook the Sophos endpoint protection agent process from the kernel<\/li>\n<\/ul>\n<figure id=\"attachment_955393\" aria-describedby=\"caption-attachment-955393\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide5.jpeg\"><img loading=\"lazy\" 
decoding=\"async\" class=\"size-full wp-image-955393\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide5.jpeg\" alt=\"Figure 3: A timeline of STAC1807\u2019s observed activity during 3 weeks of March 2023\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide5.jpeg 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide5.jpeg?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide5.jpeg?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide5.jpeg?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-955393\" class=\"wp-caption-text\">Figure 3: A timeline of STAC1807\u2019s observed activity.<\/figcaption><\/figure>\n<p>Further details on Cluster Bravo can be found <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#cluster-bravo\">here<\/a>.<\/p>\n<h3>Cluster Charlie (STAC1305)<\/h3>\n<p>Sophos MDR hunters observed Cluster Charlie activity in the target network for the longest period, with operations spanning from March to at least April 2024. Appearing to highly prioritize access management, the actor deployed multiple implants of a previously unidentified malware, dubbed PocoProxy, to establish persistence on target systems and rotate to new external C2 infrastructure.<\/p>\n<p>In a day in June 2023, activity in Cluster Charlie spiked as the actors conducted some of their noisiest discoveries, including mass analysis of Event Logs for environment-wide user and network reconnaissance. The output of this reconnaissance was used to conduct automated ping sweeps over the network, with the suspected goal of mapping all users and endpoints in the network. 
Notably, this day was a holiday in the target organization\u2019s country, suggesting the threat actor was saving their most overt activity for a day with a lower expected response time. While discovery and lateral movement efforts continued over the next several months, Cluster Charlie activity was later observed attempting to exfiltrate sensitive information, which based on the file names involved and data collected, we assess with high confidence was for espionage purposes.<\/p>\n<p><strong>Key observed behavior included:<\/strong><\/p>\n<ul>\n<li>Deployment of several samples of a previously unreported malware (which we call PocoProxy) for persistent C2 communications<\/li>\n<li>Collection and exfiltration of a large volume of data, including sensitive military and political documents, data on infrastructure architecture, and credentials\/tokens for further in-depth access<\/li>\n<li>Deployment of a custom malware loader called HUI loader to inject a Cobalt Strike Beacon into mstsc.exe, which was blocked by Sophos HMPA protections<\/li>\n<li>Injection of an LSASS logon credential interceptor into <strong>exe<\/strong> to capture credentials on domain controllers<\/li>\n<li>Execution of <strong>wevtutil <\/strong>commands to conduct specific user reconnaissance, using the output to launch automated ping sweeps against thousands of targets across the network<\/li>\n<\/ul>\n<figure id=\"attachment_955392\" aria-describedby=\"caption-attachment-955392\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide6.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-955392\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide6.jpeg\" alt=\"\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide6.jpeg 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide6.jpeg?resize=300,169 300w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide6.jpeg?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide6.jpeg?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-955392\" class=\"wp-caption-text\">Figure 4: A timeline of STAC1305\u2019s observed activity.<\/figcaption><\/figure>\n<p>Further details on Cluster Charlie can be found <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#cluster-charlie\">here<\/a>.<\/p>\n<h2>Attribution and Cluster Overlap<\/h2>\n<p>Based on combined aspects of victimology, temporal analysis, infrastructure, tooling, and actions on objectives, we assess with high confidence the observed activity clusters are associated with Chinese state-sponsored operations.<\/p>\n<p>In addition to the timing of activity in the clusters aligning with standard Chinese working hours, several observed TTPs overlap with industry reporting on Chinese-nexus actors. Furthermore, the target network is a high-profile government organization in a Southeast Asian country known to have repeated conflict with China over territory in the South China Sea. 
We assess the goal behind this campaign is long-term espionage, evidenced by the three clusters creating redundant C2 channels across the network to ensure persistent access and collect information related to Chinese state interests.<\/p>\n<h3>Consistent Chinese Operating Hours<\/h3>\n<p>According to our analysis of activity frequency, activity in the clusters primarily occurred between 00:00 and 09:00 Coordinated Universal Time (UTC) Monday through Friday, equal to typical Chinese working hours of 8am to 5pm China Standard Time (CST).<\/p>\n<figure id=\"attachment_955412\" aria-describedby=\"caption-attachment-955412\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-overall-activity.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-955412\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-overall-activity.png\" alt=\"Figure 5: Heatmap of overall activity shows that activities match normal working hours on China Standard Time.\" width=\"640\" height=\"206\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-overall-activity.png 1401w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-overall-activity.png?resize=300,96 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-overall-activity.png?resize=768,247 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-overall-activity.png?resize=1024,329 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-955412\" class=\"wp-caption-text\">Figure 5: Heatmap of overall activity<\/figcaption><\/figure>\n<h3>Analyzing the Clusters\u2019 Operating Schedules<\/h3>\n<p>Temporal analysis of the individual activity clusters revealed distinct variations in the timing of their operations, where they were rarely observed performing extensive actions on the same 
day.<\/p>\n<p>In fact, the clusters appear to schedule activity around one another, lending evidence the threat actors in the clusters may be aware of the others\u2019 activities. At some points, Cluster Alpha and Cluster Charlie activity appeared to alternate by day, such as when activity in Cluster Alpha paused from June 10 to June 13 as Cluster Charlie\u2019s spike of activity occurred on June 12.<\/p>\n<figure id=\"attachment_955408\" aria-describedby=\"caption-attachment-955408\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Gantt-Chart-of-Cluster-Activity-by-Day.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-955408 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Gantt-Chart-of-Cluster-Activity-by-Day.png\" alt=\"Figure 6: Gantt Chart of Cluster Activity by Day shows that clusters never operated at same time, as if scheduled blocks.\" width=\"640\" height=\"274\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Gantt-Chart-of-Cluster-Activity-by-Day.png 1401w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Gantt-Chart-of-Cluster-Activity-by-Day.png?resize=300,128 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Gantt-Chart-of-Cluster-Activity-by-Day.png?resize=768,329 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Gantt-Chart-of-Cluster-Activity-by-Day.png?resize=1024,439 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-955408\" class=\"wp-caption-text\">Figure 6: Gantt Chart of Cluster Activity by Day<\/figcaption><\/figure>\n<p>In analyzing the time and days of the week the clusters were most active, we noticed similar distinctions:<\/p>\n<ul>\n<li><strong>Cluster Alpha activity: <\/strong>Often occurred on weekdays within the traditional working hours of 8am to 5pm CST; Peaked on Friday.<\/li>\n<li><strong>Cluster Bravo 
activity:<\/strong> Occurred within traditional working hours of 8am to 5pm CST, but was concentrated on Tuesday, Wednesday, and Thursday.<\/li>\n<li><strong>Cluster Charlie activity:<\/strong> Varied the most outside standard working hours; Activity peaked Monday through Wednesday 12pm to 6pm CST.\n<ul>\n<li>The concentration of Cluster Charlie activity on Monday from 3pm to 12am CST aligns with the cluster\u2019s spike of activity on June 12, 2023, which was a Monday and a holiday in the victim organization\u2019s country.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<figure id=\"attachment_955409\" aria-describedby=\"caption-attachment-955409\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Alpha-activity-by-day-of-the-week.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-955409\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Alpha-activity-by-day-of-the-week.png\" alt=\"Figure 7: Heatmap of Cluster Alpha activity by day of the week\" width=\"640\" height=\"274\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Alpha-activity-by-day-of-the-week.png 1050w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Alpha-activity-by-day-of-the-week.png?resize=300,129 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Alpha-activity-by-day-of-the-week.png?resize=768,329 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Alpha-activity-by-day-of-the-week.png?resize=1024,439 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-955409\" class=\"wp-caption-text\">Figure 7: Heatmap of Cluster Alpha activity by day of the week<\/figcaption><\/figure>\n<figure id=\"attachment_955410\" aria-describedby=\"caption-attachment-955410\" style=\"width: 640px\" 
class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Bravo-activity-by-day-of-the-week.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-955410\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Bravo-activity-by-day-of-the-week.png\" alt=\"Figure 8: Heatmap of Cluster Bravo activity by day of the week\" width=\"640\" height=\"274\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Bravo-activity-by-day-of-the-week.png 1050w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Bravo-activity-by-day-of-the-week.png?resize=300,129 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Bravo-activity-by-day-of-the-week.png?resize=768,329 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Bravo-activity-by-day-of-the-week.png?resize=1024,439 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-955410\" class=\"wp-caption-text\">Figure 8: Heatmap of Cluster Bravo activity by day of the week<\/figcaption><\/figure>\n<figure id=\"attachment_955411\" aria-describedby=\"caption-attachment-955411\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Charlie-activity-by-day-of-the-week.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-955411\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Charlie-activity-by-day-of-the-week.png\" alt=\"Figure 9: Heatmap of Cluster Charlie activity by day of the week\" width=\"640\" height=\"274\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Charlie-activity-by-day-of-the-week.png 1050w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Charlie-activity-by-day-of-the-week.png?resize=300,129 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Charlie-activity-by-day-of-the-week.png?resize=768,329 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Heatmap-of-Cluster-Charlie-activity-by-day-of-the-week.png?resize=1024,439 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-955411\" class=\"wp-caption-text\">Figure 9: Heatmap of Cluster Charlie activity by day of the week<\/figcaption><\/figure>\n<h2>Attributing Clustered Activity<\/h2>\n<p>While Sophos MDR asserts with high confidence the observed threat clusters are associated with Chinese state-sponsored activity, we are refraining from making attributions to known threat actor groups at this time. \u00a0One reason is that Chinese threat groups are commonly known to share infrastructure and tooling, making attribution more challenging. 
We have, however, identified areas of overlap between our specific observations and third-party reporting to add context to the activity.<\/p>\n<h3>Cluster Alpha<\/h3>\n<figure id=\"attachment_955386\" aria-describedby=\"caption-attachment-955386\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide1.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-955386\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide1.jpeg\" alt=\"Figure 10: Cluster Alpha overlaps with several threat actors reported by different vendors\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide1.jpeg 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide1.jpeg?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide1.jpeg?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/Slide1.jpeg?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-955386\" class=\"wp-caption-text\">Figure 10: Cluster Alpha overlaps with several threat actors reported by different vendors.<\/figcaption><\/figure>\n<h4>REF5961 Similarities<\/h4>\n<p>Three malware variants used in Cluster Alpha overlap with malware detailed in an October 2023 report by <a href=\"https:\/\/www.elastic.co\/security-labs\/introducing-the-ref5961-intrusion-set\">Elastic Security Labs<\/a> on a Chinese-nexus actor tracked as REF5961. In the article, Elastic details REF5961\u2019s use of EAGERBEE, RUDEBIRD, and DOWNTOWN (PhantomNet) malware to target the Foreign Affairs Ministry of an Association of Southeast Asian Nations (ASEAN) member. 
Additionally, malware deployed in Cluster Alpha was observed connecting to several C2 IP addresses linked to REF5961.<\/p>\n<h4>BackdoorDiplomacy Similarities<\/h4>\n<p>Cluster Alpha activity also aligns with a case study by <a href=\"https:\/\/www.bitdefender.com\/files\/News\/CaseStudies\/study\/426\/Bitdefender-PR-Whitepaper-BackdoorDiplomacy-creat6507-en-EN.pdf\">BitDefender<\/a> on a cyberespionage campaign in the Middle East by a Chinese threat actor tracked as BackdoorDiplomacy, which is <a href=\"https:\/\/unit42.paloaltonetworks.com\/playful-taurus\/\">noted<\/a> to overlap with other reported threat groups such as APT15, Playful Taurus, Vixen Panda, NICKEL, and Ke3chang.<\/p>\n<p>Sophos MDR hunters observed the same sideloading chains described in the BitDefender report being used to deploy a Merlin C2 Agent and a suspected loader for the Quarian backdoor. Due to Sophos Endpoint controls, the malicious payload was deleted before execution; however, the similarity in sideloading procedures suggests a connection between Cluster Alpha and previous BackdoorDiplomacy campaigns.<\/p>\n<p>Notably, Sophos Labs documented similarities between the RUDEBIRD malware tracked by Elastic and the Impersoni-Fake-Ator malware detailed by BitDefender, suggesting a potential connection between the REF5961 intrusion set and the BackdoorDiplomacy actor. While this is a noteworthy relation, we acknowledge that additional observations and samples are needed to confirm the nature of the overlap between these two reported actors with higher confidence.<\/p>\n<h4>Worok and TA428 Similarities<\/h4>\n<p>In addition, the PowHeartBeat backdoor used in Cluster Alpha has been attributed by <a href=\"https:\/\/www.welivesecurity.com\/2022\/09\/06\/worok-big-picture\/\">ESET<\/a> to the Worok cyberespionage group, which is noted to have possible ties to the Chinese APT TA428. 
Further bolstering the connection, the DOWNTOWN (PhantomNet) malware used in Cluster Alpha was also attributed to TA428 by Elastic, and Sophos observed the PhantomNet backdoor implant (<strong>sslwnd64.exe<\/strong>) shortly after <a href=\"https:\/\/twitter.com\/GroupIB_TI\/status\/1666103950896947201\">Group-IB Threat Intelligence<\/a> linked the sample to suspected TA428 activity.<\/p>\n<h3>Cluster Bravo<\/h3>\n<p>The CCoreDoor backdoor used in Cluster Bravo activity bears striking similarity to <a href=\"https:\/\/www.bitdefender.com\/blog\/businessinsights\/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea\/\">EtherealGh0st<\/a>, detailed in a May 2024 report from BitDefender. EtherealGh0st is associated with a Chinese-nexus actor tracked by BitDefender as Unfading Sea Haze. The malware overlaps with CCoreDoor in its use of the CCore Library and the use of StartWorkThread to decrypt the C2 hostname and port, as well as in the commands the backdoor accepts. There is also domain overlap in the use of the C2 domain message.ooguy[.]com\u2014Sophos MDR observed this C2 communicating with the CCoreDoor backdoor, and BitDefender reports that the domain is referenced in the EtherealGh0st sample they collected.<\/p>\n<p>Additionally, BitDefender reported the first use of EtherealGh0st around mid-March 2023, which aligns with our timeline: CCoreDoor was first seen being deployed on March 14, 2023. 
There is also a similarity in victimology, as Unfading Sea Haze is reported to target government and military organizations from countries in the South China Sea.<\/p>\n<h3>Cluster Charlie<\/h3>\n<h4>Earth Longzhi Similarities (APT41)<\/h4>\n<p>Though the actor operating in Cluster Charlie used a previously unreported malware family, their C2 infrastructure overlaps with reporting by <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html\">Trend Micro<\/a> on a group tracked as Earth Longzhi, which is a reported Chinese subgroup of APT41.<\/p>\n<p>Sophos observed the PocoProxy sample <strong>443.txt<\/strong> communicating with known Earth Longzhi C2 IP <strong>198.13.47[.]158<\/strong> about a month prior to Trend Micro mentioning that IP address in their report. Other infrastructure leveraged in Cluster Charlie aligns with Earth Longzhi\u2019s previous infrastructure patterns as well \u2013 specifically the use of variations on the <strong>speedtest[.]com<\/strong> domain. In this intrusion, we have observed the use of both <strong>googlespeedtest33[.]com<\/strong> and <strong>&lt;victim name&gt;speedtest[.]com<\/strong>. Similarly, two separate Trend Micro reports (, ) have detailed Earth Longzhi registering <strong>speedtest[.]com<\/strong> C2 domains with a similar format (<strong>vietsovspeedtest[.]com<\/strong> and <strong>evnpowerspeedtest[.]com<\/strong>).<\/p>\n<h3>Cluster Overlap<\/h3>\n<p>While the evidence portrays three distinct sets of TTPs operating at separate times with custom tooling, there are also notable overlaps between them. 
For example, there were some instances of the clusters using the same credentials, such as the actors in Cluster Alpha and Cluster Bravo using the same insecure administrator account (which was also compromised in an internal penetration test) to perform actions on different systems.<\/p>\n<p>Additionally, while the clusters were active on different endpoints, they did target several of the same primary servers and domain controllers. However, they were rarely active on the same server on the same day, and as detailed previously, temporal analysis of the clusters\u2019 activity indicates a correlation in the timing of their operations.<\/p>\n<h3>Analyzing the Overlap<\/h3>\n<p>In our analysis of the clusters and the relations between them, we found ourselves in a situation similar to that of <a href=\"https:\/\/www.cybereason.com\/blog\/research\/deadringer-exposing-chinese-threat-actors-targeting-major-telcos#note-cti-attribution\">Cybereason\u2019s<\/a> Nocturnus Team, who conducted a comparable clustering effort in 2021 focused on Chinese targeting of telecommunication companies. As mentioned, there can be many challenges in determining the nature of overlaps between clusters, and there are always \u201cwhat ifs?\u201d that play into identifying what is going on behind the intrusion activity in a network.<\/p>\n<p>In this case, the activity clusters were observed in the same organization, during the same time frame, and even on the same endpoints. As a result, determining \u201cwho did what\u201d can be a challenging task. 
The analysis becomes even more complex when considering that Chinese state-sponsored threat groups are commonly known to <a href=\"https:\/\/www.mandiant.com\/sites\/default\/files\/2021-09\/rpt-malware-supply-chain.pdf\">share infrastructure and tooling<\/a>.<\/p>\n<p>While the clusters exhibit distinct patterns of behavior, the delineations in the timing of the clusters\u2019 operations, the overlaps in compromised infrastructure, and similarities in their objectives suggest a connection between them. However, since we cannot determine with high confidence what is going on behind the scenes, we offer two plausible hypotheses that could explain the dynamic between the observed clusters:<\/p>\n<ol>\n<li>The observed clusters reflect the operations of two or more distinct actors working in tandem with shared objectives<\/li>\n<li>The observed clusters reflect the work of a single group with a large array of tools, diverse infrastructure, and multiple operators<\/li>\n<\/ol>\n<p>Currently, most of our evidence points to the first hypothesis as the most likely, based on the level of coordination we have observed; however, we acknowledge that more information is needed to confirm that assessment with higher confidence. These assessments may evolve as our intelligence collection continues and new evidence emerges that may provide further insight into the identities and relations of the observed clusters.<\/p>\n<h2>Conclusions<\/h2>\n<p>Based on our analysis, we assess with moderate confidence that multiple distinct Chinese state-sponsored actors have been active in this high-profile Southeast Asian government organization since at least March 2022. 
Though we are currently unable to perform high-confidence attribution or confirm the nature of the relationship between these clusters, our current investigation suggests that the clusters reflect the work of separate actors tasked by a central authority with parallel objectives in pursuit of Chinese state interests.<\/p>\n<p>While this report is focused on Crimson Palace activity through August of 2023, we continue to observe related intrusion activity targeting this organization. Following our actions to block the actors\u2019 C2 implants in August, the threat actors went quiet for a period of several weeks. Cluster Alpha\u2019s last known active implant ceased C2 communications in August 2023, and we have not seen the cluster of activity re-emerge in the victim network. However, the same cannot be said for Cluster Charlie.<\/p>\n<p>After a few weeks of dormancy, we observed the actors in Cluster Charlie re-penetrate the network via a web shell and resume their activity at a higher tempo and in a more evasive manner. They began performing actions on objectives within the network, including exfiltration efforts in November [link to section in second post]. Additionally, instead of leaving their implants on disk for long periods of time, the actors used different instances of their web shell to re-penetrate the network for each session and began to vary their C2 channels and methods of deploying implants on target systems.<\/p>\n<p>Sophos MDR threat hunters continue to monitor and investigate intrusion activity in this network, and we continue to share intelligence with the community.<\/p>\n<p>This cyberespionage campaign was uncovered through Sophos MDR\u2019s human-led threat hunting service, which plays a critical role in proactively identifying threat activity. 
In addition to augmenting MDR operations, the MDR threat hunting service feeds into our SophosLabs pipeline to provide enriched protection and detections.<\/p>\n<p>The investigation into the campaign demonstrates the importance of an efficient intelligence cycle, outlining how a threat hunt spawned from a raised detection can generate intelligence to develop new detections and jumpstart additional hunts.<\/p>\n<p>Acknowledgements:<\/p>\n<p>Sophos X-Ops acknowledges the contributions of Colin Cowie, Jordon Olness, Hunter Neal, Andrew Jaeger, Pavle Culum, Kostas Tsialemis, and Daniel Souter of Sophos Managed Detection and Response, and Gabor Szappanos, Andrew Ludgate, and Steeve Gaudreault of SophosLabs to this report.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-sophos-threat-hunting-unveils-multiple-clusters-of-chinese-state-sponsored-activity-targeting-southeast-asia\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/shutterstock_601044416.jpg\"\/><\/p>\n<p><strong>Credit to Author: gallagherseanm| Date: Wed, 05 Jun 2024 10:00:34 +0000<\/strong><\/p>\n<p>Threat clusters targeted a government agency for cyberespionage in a campaign that had precursors dating back to early 
2022.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[31504,402,31505,31506,129,31507,31508,31509,12750,16771,31510],"class_list":["post-24625","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-backdoordiplomacy","tag-china","tag-eagerbee","tag-earth-longzhi","tag-featured","tag-rudebird","tag-state-actors","tag-ta428","tag-threat-hunting","tag-threat-research","tag-worok"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24625","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24625"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24625\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24625"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24625"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24625"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}