Chinese state-backed cyber espionage targets governments in Southeast Asia.

An unidentified high-level government organization in Southeast Asia has been the target of an extensive and sustained cyber espionage operation, dubbed Crimson Palace, undertaken by the Chinese government.

“The primary objective of this operation was to maintain unauthorized access to the targeted network for the purpose of cyber espionage in alignment with Chinese state interests,” researchers from Sophos named Paul Jaramillo, Morgan Demboski, Sean Gallagher, and Mark Parsons explained in a report provided to The Hacker News.

“This involved gaining entry to critical IT systems, collecting information on specific users, acquiring sensitive military and technological data, and deploying various malicious software implants for command and control (C2) communications.”

The exact identity of the government organization was not disclosed, but it was revealed that the country has a history of territorial disputes with China in the South China Sea, indicating that it may be the Philippines, which has previously been targeted by Chinese state-sponsored groups like Mustang Panda.

Crimson Palace is made up of three intrusion clusters, some of which share tactics, with signs of earlier activity dating back to March 2022:

  • Cluster Alpha (March 2023 – August 2023), showing similarities to threat actors identified as BackdoorDiplomacy, REF5961, Worok, and TA428
  • Cluster Bravo (March 2023), sharing commonalities with Unfading Sea Haze, and
  • Cluster Charlie (March 2023 – April 2024), having similarities with Earth Longzhi, a subgroup within APT41

Sophos researchers concluded that these overlapping clusters of activities were likely part of a coordinated campaign led by a single entity.

The attack stands out for the use of obscure malware like PocoProxy and an updated version of EAGERBEE, alongside other known malware families including NUPAKAGE, PowHeartBeat, RUDEBIRD, DOWNTOWN (PhantomNet), and EtherealGh0st (aka CCoreDoor).

Other characteristics of the campaign include extensive use of DLL side-loading and unconventional tactics to evade detection.

“The threat actors employed various innovative evasion techniques, such as memory overwriting of DLL to detach the Sophos AV agent process from the kernel, misuse of AV software for sideloading, and experimentation with different methods to execute their payloads effectively and surreptitiously,” the researchers stated.

Further examination revealed that Cluster Alpha focused on mapping server subnets, identifying administrator accounts, and conducting reconnaissance on Active Directory infrastructure, while Cluster Bravo prioritized the use of legitimate accounts for lateral movement and deploying EtherealGh0st.

The activities associated with Cluster Charlie, which continued over an extended period, involved using PocoProxy to establish persistence on compromised systems and deploying HUI Loader, a custom loader used by several China-linked actors, to deliver Cobalt Strike.

“These observed clusters are indicative of the operations of two or more distinct actors working in collaboration towards shared goals,” the researchers observed. “The identified clusters reflect the efforts of a single entity with a wide array of tools, diverse infrastructure, and multiple operators.”

This disclosure coincides with cybersecurity firm Yoroi detailing attacks conducted by the APT41 group (also known as Brass Typhoon, HOODOO, and Winnti) targeting entities in Italy with a version of the PlugX malware, identified as KEYPLUG.

“Developed in C++ and operational since at least June 2021, KEYPLUG has iterations for both Windows and Linux platforms,” Yoroi explained. “It supports multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS, making it a potent tool in APT41’s cyber offensive capabilities.”

Furthermore, it follows a warning from the Canadian Centre for Cyber Security about increasing cyber attacks from Chinese state-sponsored hackers aimed at infiltrating government, critical infrastructure, and research and development sectors.

“Cyber threat activity from the People’s Republic of China surpasses other nation-state cyber threats in terms of volume, sophistication, and the breadth of targets,” the agency stated, highlighting their use of compromised small office and home office (SOHO) routers and living-off-the-land techniques to conduct cyber threat activities and avoid detection.
