
Chinese Hackers Targeting Government Organizations in Southeast Asia


Sophos Managed Detection and Response (MDR) recently uncovered a highly sophisticated and long-running cyberespionage campaign known as “Crimson Palace,” which has been attributed to Chinese state-sponsored actors. This campaign targeted a significant government organization in Southeast Asia and operated from early 2022 to April 2024.

The investigation into this cyberespionage campaign commenced in May 2023 after the detection of a DLL sideloading technique exploiting VMNat.exe, a component of VMware. Mark Parsons from Sophos MDR led the investigation, which revealed three distinct clusters of intrusion activity known as Cluster Alpha (STAC1248), Cluster Bravo (STAC1807), and Cluster Charlie (STAC1305).

Sophos identified several previously unreported malware variants, including CCoreDoor, PocoProxy, and an updated version of EAGERBEE. These variants displayed advanced capabilities such as blackholing communications to anti-virus vendor domains and using a variety of command-and-control (C2) channels. Over 15 DLL sideloading scenarios were employed in the campaign, leveraging Windows Services, legitimate Microsoft binaries, and anti-virus software to evade detection and maintain persistent access to the target network.
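One defensive check that follows from the blackholing capability described above, as an added example that is not part of the Sophos report or this article: the script below parses a hosts file and flags security-vendor hostnames mapped to a null or loopback address. It assumes the blackholing is done through hosts-file entries (the article does not say which mechanism the malware used), and the vendor watch-list and sample file contents are constructed for illustration.

```python
"""Flag hosts-file entries that sink AV/EDR vendor domains to a null or loopback address."""
import ipaddress

# Constructed sample hosts file: three benign entries, three blackholed security-vendor hosts.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.5.20       intranet.example.local
0.0.0.0         sophos.com
127.0.0.1       update.sophos.com  # telemetry
0.0.0.0         trendmicro.com
"""

# Hypothetical watch-list; extend with the vendors actually deployed in your environment.
VENDOR_DOMAINS = ("sophos.com", "trendmicro.com", "microsoft.com", "elastic.co")


def _is_sinkhole(addr: str) -> bool:
    """True for addresses that silence traffic instead of routing it anywhere useful."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback


def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for every mapping, skipping comments and blank lines."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        for host in parts[1:]:          # one address may map several hostnames
            yield line_no, parts[0], host.lower()


def find_blackholed(text: str, vendor_domains=VENDOR_DOMAINS):
    """Return entries whose hostname is a vendor domain (or a subdomain) mapped to a sinkhole."""
    hits = []
    for line_no, addr, host in parse_hosts(text):
        if not _is_sinkhole(addr):
            continue
        if any(host == d or host.endswith("." + d) for d in vendor_domains):
            hits.append({"line": line_no, "address": addr, "host": host})
    return hits


if __name__ == "__main__":
    for hit in find_blackholed(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['address']} (blackholed vendor host)")
```

The same function can be pointed at the live file (C:\Windows\System32\drivers\etc\hosts on Windows) from an endpoint baseline or hunting job; the loopback `localhost` entries are ignored because they are not on the vendor list.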

The threat actors used various evasion techniques, including overwriting DLLs in memory to unhook the Sophos AV agent process from the kernel and testing multiple ways to execute their payloads efficiently.

The investigation unveiled three activity clusters with different focuses and timelines. Cluster Alpha (STAC1248) operated from March to August 2023 and concentrated on deploying malware variants, disabling AV protections, escalating privileges, and surveilling Active Directory infrastructure. Cluster Bravo (STAC1807) was active for three weeks in March 2023 and utilized valid accounts to spread laterally, deploying the CCoreDoor backdoor to establish C2 communications. Cluster Charlie (STAC1305) was operational from March 2023 to April 2024, prioritizing access management and deploying the PocoProxy malware for persistent C2 communications while exfiltrating sensitive information like military and political documents.

Sophos confidently attributes the observed activity clusters to Chinese state-sponsored operations, noting distinct behavior patterns with some overlaps in compromised infrastructure and objectives, hinting at possible coordination. Sophos MDR continues to monitor the targeted environment, sharing intelligence with government and industry partners like Elastic Security and Trend Micro.

The discovery of the “Crimson Palace” campaign underscores the ongoing threat posed by state-sponsored cyberespionage and highlights the necessity of proactive threat hunting and effective intelligence sharing to identify and mitigate such cyber threats. The findings from Sophos contribute to a better understanding of Chinese cyber operations, offering valuable insights for defenders and analysts working to counter similar activities.

The persistence of state-sponsored cyber espionage serves as a stark reminder of the evolving nature of cyber threats in today’s digital landscape. Organizations must remain vigilant and adopt comprehensive cybersecurity strategies to safeguard their networks and data from such sophisticated attacks.
