Chinese Cyber Espionage Threat Groups Targeted SEA Government Agency – Active IOCs

Severity

High

Analysis Summary

Since at least March 2023, a Southeast Asian government agency has been the focus of a cyber-espionage campaign by Chinese state-sponsored actors, which experts have dubbed "Crimson Palace".

A cybersecurity firm reported that the campaign consisted of three distinct activity clusters, pointing to a coordinated operation, and that it introduced new malware strains. The researchers observed related activity as early as 2022 involving the Nupakage malware, previously linked to the Chinese threat group Mustang Panda, although the initial access vector remained unknown.

The three activity clusters were found to overlap with well-known Chinese threat groups, including Ref5961, BackdoorDiplomacy, Worok, TA428, and Earth Longzhi, a subgroup of APT41. The experts concluded with high confidence that the operation of these clusters is centrally coordinated by a single organization.

Cluster Alpha (STAC1248), operational from early March to August 2023, centered on distributing updated versions of the 'EAGERBEE' malware, which could interfere with the network connections of security agencies. Its primary objective was infrastructure reconnaissance of Active Directory: mapping server subnets and enumerating administrator accounts. The operation made use of several persistent command and control (C2) channels, including the PhantomNet backdoor, the Merlin Agent, the RUDEBIRD spyware, and the PowHeartBeat backdoor.

To avoid detection, the threat actor used eight different DLLs for DLL side-loading through Windows Services and genuine Microsoft binaries, and used living-off-the-land binaries (LOLBins) for service persistence with elevated SYSTEM privileges.

Cluster Bravo (STAC1807) was operational for only three weeks in March 2023. Its primary focus was lateral movement and persistence, deploying a backdoor known as 'CCoreDoor' onto the target systems. The backdoor performed discovery, dumped credentials, and established external C2 communications. To conceal the backdoor deployment and enable lateral movement, the actor used renamed versions of signed side-loadable binaries. The actor also overwrote ntdll.dll in memory to detach the endpoint protection agent process from the kernel.

During its extended period of activity, from March 2023 to at least April 2024, Cluster Charlie (STAC1305) conducted intensive reconnaissance and continuous access management. The actor deployed several instances of a previously undetected malware known as "PocoProxy" to maintain persistent C2 connections. It also attempted to inject a Cobalt Strike Beacon into mstsc.exe via the HUI loader, but these attempts were unsuccessful.

The threat actor also performed mass analysis of Event Logs and automated ping sweeps to map users and endpoints across the network, and injected an LSASS credential interceptor to harvest login credentials on domain controllers.

The Crimson Palace campaign targeted a Southeast Asian government agency for cyber espionage. All three clusters operated during regular Chinese working hours, 8:00 AM to 5:00 PM CST, with the period divided into three non-overlapping time slots, which suggests a high degree of coordination.
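The working-hours observation above is a standard hunting analytic: convert the timestamps of suspicious events to the suspected operator's time zone and measure how much of the activity falls inside a normal working day. The following Python script is an added example, not part of the Rewterz advisory; the event timestamps are constructed, and China Standard Time is modelled as a fixed UTC+8 offset because it has no daylight saving.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# China Standard Time is UTC+8 with no daylight saving, so a fixed offset is exact.
CST = timezone(timedelta(hours=8), name="CST")
# The 8:00 AM to 5:00 PM CST window named in the advisory; hour 17 itself is excluded.
WORK_START, WORK_END = 8, 17

# Constructed sample: UTC timestamps of suspicious events (e.g. C2 beacons, service installs).
SAMPLE_EVENTS_UTC = [
    "2023-06-12T01:05:00Z",  # 09:05 CST, inside the window
    "2023-06-12T02:40:00Z",  # 10:40 CST, inside
    "2023-06-12T06:15:00Z",  # 14:15 CST, inside
    "2023-06-12T08:30:00Z",  # 16:30 CST, inside
    "2023-06-12T17:10:00Z",  # 01:10 CST the next day, outside
]


def to_cst_hour(timestamp: str) -> int:
    """Parse an ISO-8601 UTC timestamp ('...Z') and return its hour of day in CST."""
    utc = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(CST).hour


def hour_histogram(timestamps) -> Counter:
    """Count events per CST hour; a histogram concentrated in 8-16 is the pattern described above."""
    return Counter(to_cst_hour(t) for t in timestamps)


def workday_share(timestamps) -> float:
    """Fraction of events that fall inside the CST working-hours window (0.0 for no events)."""
    hours = [to_cst_hour(t) for t in timestamps]
    if not hours:
        return 0.0
    inside = sum(1 for h in hours if WORK_START <= h < WORK_END)
    return inside / len(hours)


if __name__ == "__main__":
    for hour, count in sorted(hour_histogram(SAMPLE_EVENTS_UTC).items()):
        print(f"{hour:02d}:00 CST  {'#' * count}")
    print(f"share inside working hours: {workday_share(SAMPLE_EVENTS_UTC):.0%}")
```

A high share in a foreign working-hours window is one supporting clue for attribution and for predicting when the next wave of activity is likely, not proof on its own; scheduled tasks and beacon timers can also produce regular hours.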

According to the researchers, malicious activity spiked on certain dates, such as June 12, 2023, a national holiday in the targeted nation, most likely to exploit understaffed defenses and operate while systems were less closely monitored. Because of visibility gaps, the experts were unable to identify the initial access vector, but they estimate that the threat actor has been in the network since at least March 2022, based on the discovery of the Nupakage malware, which is commonly used to exfiltrate data.

Although it is challenging to attribute actions with high certainty or to validate the relationship between the three clusters, the researchers think that the activity they have discovered is the result of different players being assigned different tasks by a central authority to further the interests of the Chinese state.

Although the threat actor's C2 implants were blocked in August 2023 and no Cluster Alpha activity has been detected since, Cluster Charlie activity reappeared after a few weeks of silence: according to the researchers, the adversary attempted to breach the network again and resume operations at a higher tempo and in a more evasive manner.

Impact

  • Cyber Espionage
  • Information Theft
  • Data Exfiltration

Indicators of Compromise

IP

  • 45.15.143.151
  • 141.136.44.219
  • 191.96.53.132
  • 45.9.191.183

MD5

  • aaf1146ec9c633c4c3fbe8091f1596d8
  • 5e83b6ed422399de04408b80f3e5470e
  • 8a0af14818eb5d6041d6988af1cf586d
  • 57b51418a799d2d016be546f399c2e9b
  • 99d3a0cef43155105aac941c78b0f6e2
  • 65508db496d68597b66971f5f092f9a6

SHA-256

  • cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272
  • 5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655
  • 4dd0debf03eeb938fbaca1f1fd391523358c23cbf18959a149c29133cc3c9cae
  • 101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86
  • 9ccf0e46f6aadbb20f4c269d8ac85cc9b4e6ce56bf226d45eda4347a20785c88
  • 5298c1aadac203285c8a95a4e3f62ec14b984729bf768a405c8028291e34fe1b

SHA1

  • a5059f5a353d7fa5014c0584c7ec18b808c2a02c
  • d8a4b7e911bc8d2611caeea3183acede65a9eeb7
  • eeab6782b7418c03602419fc74b5975a9054a22d
  • aeed35a4d6a958a159934a7067b342b1d26630bc
  • 82c1da367f448b33445a18f557224b3e695b64f1
  • ed581c15b9afb0d946a977f8aa3361d03c2ec585

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
  • Patch and upgrade all platforms and software on time and make this a standard security policy.
  • Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
  • Implement network segmentation to limit lateral movement for attackers within the network.
  • Implement advanced email filtering to detect and block phishing emails.
  • Employ updated and robust endpoint protection solutions to detect and block malware.
  • Develop and test an incident response plan to ensure a swift and effective response to security incidents.
  • Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
  • Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
  • Regularly back up critical data and ensure that backup and recovery procedures are in place.
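The first two remediation items (block the indicators and search for them in your environment) are mechanical enough to script. The following Python sweep is an added example, not Rewterz tooling: it streams every file under a directory through MD5, SHA-1 and SHA-256 and checks the digests against the hash lists above, and it scans log lines for the listed C2 addresses. The directory path is an assumption passed on the command line, and the proxy log lines are constructed.

```python
"""IOC sweep against the indicators listed in this advisory (added example, not Rewterz tooling)."""
import hashlib
import re
from pathlib import Path

# Indicators of compromise copied from the advisory above, kept lowercase for comparison.
IOC_IPS = {"45.15.143.151", "141.136.44.219", "191.96.53.132", "45.9.191.183"}
IOC_MD5 = {
    "aaf1146ec9c633c4c3fbe8091f1596d8", "5e83b6ed422399de04408b80f3e5470e",
    "8a0af14818eb5d6041d6988af1cf586d", "57b51418a799d2d016be546f399c2e9b",
    "99d3a0cef43155105aac941c78b0f6e2", "65508db496d68597b66971f5f092f9a6",
}
IOC_SHA1 = {
    "a5059f5a353d7fa5014c0584c7ec18b808c2a02c", "d8a4b7e911bc8d2611caeea3183acede65a9eeb7",
    "eeab6782b7418c03602419fc74b5975a9054a22d", "aeed35a4d6a958a159934a7067b342b1d26630bc",
    "82c1da367f448b33445a18f557224b3e695b64f1", "ed581c15b9afb0d946a977f8aa3361d03c2ec585",
}
IOC_SHA256 = {
    "cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272",
    "5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655",
    "4dd0debf03eeb938fbaca1f1fd391523358c23cbf18959a149c29133cc3c9cae",
    "101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86",
    "9ccf0e46f6aadbb20f4c269d8ac85cc9b4e6ce56bf226d45eda4347a20785c88",
    "5298c1aadac203285c8a95a4e3f62ec14b984729bf768a405c8028291e34fe1b",
}

# Word boundaries stop "145.15.143.151" from matching the listed "45.15.143.151".
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hash_bytes(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 of an in-memory buffer as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so large binaries are not loaded into memory at once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_hashes(digests: dict) -> set:
    """Return the names of the hash lists in which the given digests appear (case-insensitive)."""
    hits = set()
    if digests.get("md5", "").lower() in IOC_MD5:
        hits.add("md5")
    if digests.get("sha1", "").lower() in IOC_SHA1:
        hits.add("sha1")
    if digests.get("sha256", "").lower() in IOC_SHA256:
        hits.add("sha256")
    return hits


def scan_directory(root: Path) -> list:
    """Hash every regular file under root; return (path, matched lists) for each hit."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = match_hashes(hash_file(path))
        except OSError:
            continue  # unreadable or in-use file: skip it rather than abort the whole sweep
        if hits:
            findings.append((str(path), hits))
    return findings


def scan_log_lines(lines) -> list:
    """Return (line number, IP) for every listed C2 address found in the lines."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                findings.append((number, ip))
    return findings


# Constructed sample proxy log lines; the two flagged destinations are addresses listed above.
SAMPLE_LOG = [
    "2023-06-12T03:14:07Z proxy allow 10.0.4.21 -> 203.0.113.10:443",
    "2023-06-12T03:15:22Z proxy allow 10.0.4.21 -> 45.15.143.151:443",
    "2023-06-12T03:16:01Z dns query host01 example.org",
    "2023-06-12T03:18:44Z proxy deny 10.0.7.9 -> 191.96.53.132:8080",
]

if __name__ == "__main__":
    import sys
    # Assumed invocation: python ioc_sweep.py /path/to/scan (the path is an assumption).
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, hits in scan_directory(root):
        print(f"HASH MATCH {path}: {', '.join(sorted(hits))}")
    for number, ip in scan_log_lines(SAMPLE_LOG):
        print(f"C2 IP MATCH line {number}: {ip}")
```

Hash matching only catches byte-identical samples, so a miss does not clear a host; treat the sweep as a first pass and follow it with the behavioural checks the advisory describes (unexpected DLL side-loading via Windows Services, LSASS access on domain controllers, and bursts of Event Log reads and ping sweeps).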