05 June 2024 | Newsroom | Cyber Espionage / Threat Intelligence


An unnamed high-profile government organization in Southeast Asia has emerged as the target of a "sophisticated, long-running" Chinese state-sponsored cyber espionage operation codenamed Crimson Palace.

"The overall goal behind the campaign was to maintain access to the target network for cyber espionage in support of Chinese state interests," Sophos researchers Paul Jaramillo, Morgan Demboski, Sean Gallagher, and Mark Parsons said in a report shared with The Hacker News.

“This includes accessing critical IT systems, spying on specific users, collecting sensitive military and technical information, and deploying various malware implants for command and control (C2) communications.”

The government organization was not named, but the company said the country is known to have repeated conflict with China over territory in the South China Sea, raising the possibility that it could be the Philippines, which has been targeted by Chinese state-sponsored groups such as Mustang Panda in the past.


Crimson Palace comprises three intrusion clusters, some of which share tactics, although there is evidence of older activity dating back to March 2022:

  • Cluster Alpha (March 2023 – August 2023), which shows some similarity with threat actors tracked as BackdoorDiplomacy, REF5961, Worok, and TA428
  • Cluster Bravo (March 2023), which has commonalities with Unfading Sea Haze, and
  • Cluster Charlie (March 2023 – April 2024), which overlaps with Earth Longzhi, a subgroup within APT41

Sophos assessed that these clusters of overlapping activity were likely part of a coordinated campaign directed by a single organization.

The attacks are notable for the use of previously undocumented malware such as PocoProxy, as well as an updated version of EAGERBEE and other known malware families such as NUPAKAGE, PowHeartBeat, RUDEBIRD, DOWNTOWN (aka PhantomNet), and EtherealGh0st (aka CCoreDoor).

Other notable aspects of the campaign include the extensive use of DLL sideloading and unusual tactics to stay under the radar.

"The threat actors leveraged many novel evasion techniques, such as overwriting DLLs in memory to unhook the Sophos AV agent process from the kernel, abusing AV software for sideloading, and using various techniques to test the most efficient and stealthy ways to execute their payloads," the researchers said.
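DLL sideloading, named above as the campaign's main loading technique, leaves a recognizable trace in module-load telemetry: a DLL carrying the name of a Windows system library is loaded from the directory of the executable that imported it rather than from the system directory, typically after a signed, trusted binary has been copied somewhere the attacker can write. The triage routine below is an added example written for this page, not code from Sophos or from the Crimson Palace report; the list of commonly sideloaded DLL names, the event fields (modelled loosely on Sysmon Event ID 7) and the sample paths are illustrative assumptions.

```python
import ntpath
from dataclasses import dataclass

# Directories from which Windows normally resolves its own DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Names of system DLLs that trusted executables import and that are frequently
# planted next to those executables for sideloading. Illustrative, not exhaustive.
COMMONLY_SIDELOADED = {
    "version.dll", "wtsapi32.dll", "dbghelp.dll", "userenv.dll",
    "cryptbase.dll", "msvcr100.dll",
}


@dataclass
class ImageLoad:
    """One module-load record (field names are this example's own, not Sysmon's)."""
    process: str      # full path of the loading executable
    dll: str          # full path of the module that was loaded
    dll_signed: bool  # module carried a valid Authenticode signature


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a commonly sideloaded DLL was loaded from the process's own
    directory, outside the system directories, without a valid signature."""
    proc = _norm(ev.process)
    dll = _norm(ev.dll)
    if ntpath.basename(dll) not in COMMONLY_SIDELOADED:
        return False
    if dll.startswith(SYSTEM_DIRS):
        return False  # resolved from where it belongs
    if ntpath.dirname(dll) != ntpath.dirname(proc):
        return False  # not the side-by-side pattern
    return not ev.dll_signed


def triage(events):
    """Return the (process, dll) pairs worth an analyst's attention."""
    return [(ev.process, ev.dll) for ev in events if is_sideload_candidate(ev)]


# Constructed sample events: hypothetical paths and file names, not from the report.
SAMPLE_EVENTS = [
    # Normal: a system binary loads version.dll from System32.
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\version.dll", True),
    # Normal: a vendor application ships its own signed CRT next to the binary.
    ImageLoad(r"C:\Program Files\Acme\acme.exe", r"C:\Program Files\Acme\msvcr100.dll", True),
    # Suspicious: a signed vendor tool copied to a user-writable directory loads an
    # unsigned version.dll sitting beside it, the pattern the text describes.
    ImageLoad(r"C:\Users\Public\Libraries\vendor_tool.exe",
              r"C:\Users\Public\Libraries\version.dll", False),
    # Unsigned, but not a name a trusted binary resolves from the system directory.
    ImageLoad(r"C:\Users\Public\Libraries\vendor_tool.exe",
              r"C:\Users\Public\Libraries\plugin_helper.dll", False),
]

if __name__ == "__main__":
    for proc, dll in triage(SAMPLE_EVENTS):
        print(f"sideload candidate: {proc} -> {dll}")
```

The name and directory checks alone would fire on every legitimate application that ships a redistributable such as msvcr100.dll beside its binary, which is why the signature check is part of the rule. In a real deployment the next pivot is the process image itself: a signed security-product or vendor executable running from a user-writable path rather than its install location is the other half of the "abusing AV software for sideloading" pattern quoted above.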

Further analysis revealed that while Cluster Alpha focused on mapping server subnets, enumerating administrator accounts, and conducting reconnaissance of the Active Directory infrastructure, Cluster Bravo prioritized the use of valid accounts to blend in with background traffic and dropped EtherealGh0st.


The activity associated with Cluster Charlie, which was active for the longest period of time, involved the use of PocoProxy to establish persistence on compromised systems and the deployment of HUI Loader, a custom loader used by multiple China-nexus actors to deliver Cobalt Strike.

"The observed clusters reflect the actions of two or more distinct actors working together with shared objectives," the researchers noted. "The observed clusters reflect the work of a single group with a large toolset, diverse infrastructure, and multiple operators."

The disclosure comes as cybersecurity firm Yoroi detailed attacks orchestrated by APT41 actors (aka Brass Typhoon, HOODOO, and Winnti) targeting organizations in Italy with a PlugX (aka DestroyRAT and Korplug) variant known as KEYPLUG.

"It supports multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS, making it a powerful tool in APT41's cyberattack arsenal," Yoroi said.

It also follows an advisory from the Canadian Centre for Cyber Security warning of increasing Chinese state-backed hacking attacks aimed at infiltrating government, critical infrastructure, and research and development sectors.

"[People's Republic of China] cyber threat activity surpasses other nation-state cyber threats in volume, sophistication, and breadth of targeting," the agency said, calling out the use of compromised small office and home office (SOHO) routers and living-off-the-land techniques to evade detection while conducting cyber threat activity.
