Researchers have uncovered a long-running cyberespionage operation by a possibly state-run Chinese threat actor against an unidentified high-profile government organization from Southeast Asia. The attackers, who launched multiple intrusion campaigns last year against the same target, used a multitude of known and previously unknown malware tools as well as sophisticated detection evasion techniques.
“The clusters were observed using tools and infrastructure that overlap with other researchers’ public reporting on Chinese threat actors BackdoorDiplomacy, REF5961, Worok, TA428, the recently designated Unfading Sea Haze and the APT41 subgroup Earth Longzhi,” researchers from security firm Sophos said in a report.
“Additionally, Sophos MDR [Managed Detection and Response] has observed the actors attempting to collect documents with file names that indicate they are of intelligence value, including military documents related to strategies in the South China Sea.”
The company observed three clusters of malicious activity inside the same organization between March and December 2023 and found traces of compromise going back to 2022. This means the unnamed government organization, which had Sophos products deployed on only some of its endpoints and servers, had been a consistent target of the attackers for a long time.
Three distinct intrusion campaigns could be linked
Earth Longzhi, which has strong overlaps with this activity, was named by Trend Micro in a May report as a subgroup of APT41, one of the longest-running Chinese APTs with its activity dating back to 2007. Several Chinese nationals who are suspected members of APT41 were indicted in the US in 2019 and 2020 and are on the FBI’s most-wanted list.
They are accused of working for a front company called Chengdu 404 Network Technology Company that was performing cyber intrusions, including software supply chain attacks, with the goal of cyber-espionage.
Despite seeing three distinct intrusion campaigns with different timeframes inside the victim’s network, Sophos believes they have strong overlaps and are related, and possibly coordinated by a single organization. The company dubbed this operation Crimson Palace.
“Based on our investigation, Sophos asserts with high confidence the overall goal behind the campaign was to maintain access to the target network for cyberespionage in support of Chinese state interests,” the researchers said.
“This includes accessing critical IT systems, performing reconnaissance of specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and-control (C2) communications.”
DLL sideloading as a detection evasion technique
The attackers have a strong preference for using DLL sideloading or hijacking to load their payloads into memory through legitimate and possibly whitelisted processes. This technique abuses the library search order that the Windows API follows when an executable tries to load a dynamic link library (DLL) without specifying its absolute path. The system then looks for the DLL in a fixed set of directories, including the directory from which the executable was started.
To exploit this, attackers usually find a legitimate executable that searches for a DLL with a particular name, then deploy that executable on a victim endpoint together with their malicious payload named after that DLL. In other cases, if they target a program that is already present on the system, they place a DLL in a location they know will be favored in the search order.
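As an added illustration of the search-order point above (this is not code from the Sophos report), the following hunting helper predicts which copy of an unqualified DLL name Windows would load for a given executable and flags the case where a copy beside the executable, or in the current directory, shadows the expected system copy. The filesystem snapshot, executable path and DLL names are constructed placeholders; the KnownDLLs subset and the SafeDllSearchMode behaviour are documented Windows loader rules.

```python
# Added example (not from the Sophos report): model the Windows DLL search order and flag
# DLL names that a planted copy in the application or current directory would shadow.
# The filesystem snapshot, executable path and DLL names below are constructed placeholders.
from typing import Dict, List, Optional, Set

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
# Subset of the KnownDLLs list: these are mapped from System32 and never searched for.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

def search_order(exe_path: str, cwd: str, path_env: List[str], safe_mode: bool = True) -> List[str]:
    """Directories probed, in order, for an unqualified DLL name.
    SafeDllSearchMode (the default) pushes the current directory behind the Windows
    directories; with it disabled the current directory is probed second."""
    app_dir = exe_path.rsplit("\\", 1)[0]
    if safe_mode:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_env]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_env]

def resolve_dll(dll_name: str, dirs: List[str], fs: Dict[str, Set[str]]) -> Optional[str]:
    """Return the full path of the first copy of `dll_name` found in `dirs` (case-insensitive)."""
    wanted = dll_name.lower()
    for d in dirs:
        if wanted in {f.lower() for f in fs.get(d, set())}:
            return f"{d}\\{dll_name}"
    return None

def sideload_check(exe_path: str, dll_name: str, cwd: str, path_env: List[str],
                   fs: Dict[str, Set[str]], safe_mode: bool = True) -> dict:
    """Predict which copy the executable would load and whether it differs from the system copy.
    `shadowed` is also True when no system copy exists at all (a missing-DLL hijack)."""
    expected = resolve_dll(dll_name, SYSTEM_DIRS, fs)
    if dll_name.lower() in KNOWN_DLLS:
        # KnownDLLs bypass the search order entirely, so they cannot be sideloaded this way.
        return {"resolved": expected, "expected": expected, "shadowed": False}
    resolved = resolve_dll(dll_name, search_order(exe_path, cwd, path_env, safe_mode), fs)
    shadowed = resolved is not None and resolved != expected
    return {"resolved": resolved, "expected": expected, "shadowed": shadowed}

# Constructed snapshot: a legitimate executable copied into a user-writable folder with a
# same-named helper DLL dropped beside it, while the genuine DLL lives in System32.
FS = {
    r"C:\Users\Public\Tools": {"legit_tool.exe", "helper_placeholder.dll"},
    r"C:\Windows\System32": {"helper_placeholder.dll", "kernel32.dll", "ntdll.dll"},
}

if __name__ == "__main__":
    print(sideload_check(r"C:\Users\Public\Tools\legit_tool.exe", "helper_placeholder.dll",
                         r"C:\Users\Public", [], FS))
```

Run against a real inventory, the same logic turns a list of (executable, imported DLL name) pairs into a shortlist of binaries whose application directory is user-writable and holds a DLL that shadows a system copy.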
Sophos began its investigation after its MDR team detected a DLL sideloading technique that exploited VMNat.exe, a VMware component. However, the attackers used a total of 15 distinct DLL sideloading scenarios in their operations, abusing Windows services, legitimate Microsoft binaries, and even antivirus vendor software.
“The threat actors leveraged many novel evasion techniques, such as overwriting ntdll.dll in memory to unhook the Sophos AV agent process from the kernel, abusing AV software for sideloading, and using various techniques to test the most efficient and evasive methods of executing their payloads,” the researchers said.
Attackers employed an extensive malware toolset
The attackers used several malware payloads that have been documented before in connection with other cyberespionage attacks. These include Mustang Panda’s custom data exfiltration tool NUPAKAGE, the Merlin C2 Agent, the Cobalt Strike penetration testing beacon, the PhantomNet backdoor, the RUDEBIRD malware, and the PowHeartBeat backdoor.
However, the researchers also identified new malware components that had never been documented before at the time. One of them is a backdoor that Sophos has dubbed CCoreDoor, which has commands that allow attackers to discover information about their environment, move laterally through the network, dump credentials and establish communications with an external C2 server.
Sophos believes this is the same implant that researchers from security firm Bitdefender called EtheralGh0st in a report in May and which Bitdefender attributed to a new Chinese threat actor it dubbed Unfading Sea Haze. The two companies independently identified the malware being used in Southeast Asia at around the same time in March 2023.
A different cluster of activity in the victim’s network back in June used another new malware implant that Sophos has named PocoProxy. This tool was used to establish persistence on target systems and connect to a new command-and-control infrastructure.
New backdoor variants discovered
Finally, the researchers also observed a new variant of a backdoor called EAGERBEE that was first reported by Elastic Security last year together with RUDEBIRD as being used in the ASEAN region. The variant found by Sophos was updated to modify networking packets in order to disrupt the ability of various endpoint security agents to communicate with the servers of antivirus vendors.
Sophos also released a technical report as well as indicators of compromise for the Crimson Palace campaign. It has been observed before that Chinese APTs share a lot of tooling and even infrastructure with each other, and while a particular group might be tasked to target specific organizations in a certain region, other groups might use the same tools against victims in other countries or regions of interest to the Chinese government.
“While this report is focused on Crimson Palace activity through August of 2023, we continue to observe related intrusion activity targeting this organization,” the researchers said. “Following our actions to block the actors’ C2 implants in August, the threat actors went quiet for a several-week period.”