China’s OP-512 Espionage Cluster Targets IIS Servers with Sophisticated Tactics
A recently highlighted Chinese-linked threat cluster, designated OP-512, has been detected using a custom-built web shell framework to compromise Internet Information Services (IIS) servers. This espionage operation, identified by cybersecurity firm ReliaQuest, aims specifically at environments running Windows Server 2016 with an outdated .NET Framework 4.0, which has already reached the end of its support lifecycle.
Telemetric evidence indicates that the threat actors established their presence approximately 75 days before initiating the primary intrusion. This long-term access strategy points to a methodical approach aligned with state-sponsored activities aimed at maintaining persistent network access for espionage purposes.
Upon re-entry into the compromised system, OP-512 quickly established dual command channels, deployed three web shells, and introduced privilege escalation utilities that operated directly in memory, thereby evading traditional disk-based detection. The web shell framework heavily utilizes a custom .aspx file manager, designed to function as a "fire-and-forget" implant. The shell is programmed to automatically "phone home" by encoding its URL into hex-segmented DNS queries. In instances where the DNS request is unsuccessful, the framework uses an HTTP beacon linked to the Meterpreter infrastructure as a fallback.
Command execution within this framework is governed by two cryptographic handlers (.ashx files) produced from a shared builder. The builder randomizes variable names and embeds extraneous junk code so that even files performing identical functions yield different hashes, complicating hash-based detection for analysts. Every command passes through a strict four-stage pipeline: Base64 decoding, RC4 decryption, RSA signature verification, and finally execution. Each handler embeds its own distinct RSA public key, so the compromise of one key does not grant access through the others.
OP-512 employs timestomping to maintain stealth. It inspects neighbouring files, computes the median last-modified timestamp, and backdates its own file metadata to blend in with its surroundings. As an additional layer of evasion, whenever endpoint protection terminates the compromised w3wp.exe worker process during the intrusion, the native auto-restart feature of IIS immediately reloads the in-memory tools, rendering standard process-termination responses ineffective.
This cluster marks the fourth instance of China-aligned operations targeting IIS servers in the past year, joining other notable groups such as DragonRank, CL-STA-0048, and GhostRedirector. IIS servers located in Demilitarized Zones (DMZ) are particularly appealing targets due to their position at the network frontier and historically lower scrutiny compared to core infrastructural components.
Interestingly, while both OP-512 and CL-STA-0048 use rare hex-encoded subdomain queries for covert communication, their objectives differ significantly: CL-STA-0048 uses the technique primarily for data exfiltration, whereas OP-512 uses it strictly to report the locations of its deployments. Separately, base64-encoded whoami commands gathered during this incident matched those from a recognized Flax Typhoon compromise, raising questions about overlap between the two entities.
Despite these similarities, ReliaQuest assesses with moderate to high confidence that OP-512 functions as a standalone cluster, distinguished by its unique investment in layered RSA and RC4 authentication protocols.
Indicators of Compromise (IOCs)
Cybersecurity experts have identified several indicators of compromise (IOCs) involved in this operation. Notably, the domain ashx.lhlsjcb[.]com was observed as a DNS C2 domain during prior activities, while hcgos[.]com serves as the self-reporting notification channel. The discovery of multiple Meterpreter C2 servers on non-standard ports highlights the need for vigilance among organizations employing IIS servers.
Mitigation Strategies
To mitigate the risks posed by OP-512 and similar threats, cybersecurity professionals should consider implementing the following strategies:
- Actively monitor for outbound DNS requests from w3wp.exe that include lengthy, hex-segmented subdomains.
- Set alerts for reflective .NET assembly loading within IIS worker processes, which typically indicates the presence of memory-only privilege escalation tools.
- Track the generation of new DLLs within ASP.NET’s temporary compilation directories outside designated deployment timelines.
- Flag any encrypted or non-standard HTTP responses coming from .ashx endpoints for further investigation.
- Expedite the migration away from outdated .NET versions and disable .aspx/.ashx handler mappings in upload directories to reduce the likelihood of exploitation.
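As an added illustration of the first monitoring item above (not code from the report or from ReliaQuest), the following Python flags DNS queries from the IIS worker process whose leading labels are long runs of hex, and decodes those labels so an analyst can see what the beacon was reporting. The log format, the thresholds, and the domain example.test are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not from the report): "<timestamp> <process> <query name>".
# The first line carries "https://www.example.test/" as hex split across DNS labels,
# the self-reporting pattern the report attributes to the implant.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z w3wp.exe 68747470733a2f2f.7777772e65.78616d706c652e.746573742f.beacon.example.test
2024-01-01T10:00:01Z w3wp.exe wpad.corp.example.test
2024-01-01T10:00:02Z chrome.exe 68747470733a2f2f.7777772e65.cdn.example.test
2024-01-01T10:00:03Z w3wp.exe 6162.example.test
"""

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")

@dataclass
class Alert:
    timestamp: str
    process: str
    qname: str
    decoded: str  # best-effort decoding of the hex labels, for analyst context

def leading_hex_labels(qname):
    """Return the run of pure-hex labels at the front of a query name."""
    labels = []
    for label in qname.rstrip(".").split("."):
        if not HEX_LABEL.match(label):
            break
        labels.append(label)
    return labels

def decode_hex(labels):
    """Decode the concatenated hex labels to text; '' if they are not valid hex bytes."""
    try:
        return bytes.fromhex("".join(labels)).decode("utf-8", errors="replace")
    except ValueError:
        return ""

def is_hex_segmented(qname, min_labels=2, min_hex_chars=16):
    """Heuristic: at least min_labels consecutive hex labels totalling min_hex_chars.
    The thresholds are assumptions; tune them against your own DNS baseline, since
    hex-looking cache-busting or CDN labels can otherwise trip the rule."""
    labels = leading_hex_labels(qname)
    return len(labels) >= min_labels and sum(map(len, labels)) >= min_hex_chars

def detect(log_text, process_name="w3wp.exe"):
    """Return alerts for hex-segmented queries issued by the IIS worker process."""
    alerts = []
    for line in log_text.splitlines():
        ts, proc, qname = line.split()
        if proc.lower() == process_name and is_hex_segmented(qname):
            alerts.append(Alert(ts, proc, qname, decode_hex(leading_hex_labels(qname))))
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.timestamp} {a.process} {a.qname} -> {a.decoded!r}")
```

Only the first sample line is flagged: the chrome.exe query matches the hex pattern but not the process filter, and the last w3wp.exe query has a single short hex label.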
In conclusion, the OP-512 operation demonstrates the sophisticated tactics used by cyber-espionage groups, particularly those linked to state-sponsored efforts. Organizations using IIS servers must remain vigilant and proactively bolster their defenses to counteract these emerging threats.
