A trio of threat activity clusters linked to China has been observed compromising more government organizations in Southeast Asia as part of a renewed state-sponsored operation codenamed Crimson Palace, indicating an expansion in the scope of the espionage effort.
Cybersecurity firm Sophos, which has been monitoring the cyber offensive, said it comprises three intrusion sets tracked as Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305). STAC is an abbreviation for “security threat activity cluster.”
“The attackers consistently used other compromised organizational and public service networks in that region to deliver malware and tools under the guise of a trusted access point,” security researchers Mark Parsons, Morgan Demboski, and Sean Gallagher said in a technical report shared with The Hacker News.
A noteworthy aspect of the attacks is that it entails the use of an unnamed organization’s systems as a command-and-control (C2) relay point and a staging ground for tools. A second organization’s compromised Microsoft Exchange Server is said to have been utilized to host malware.
Crimson Palace was first documented by the cybersecurity company in early June 2024, with the attacks taking place between March 2023 and April 2024.
While initial activity associated with Cluster Bravo, which overlaps with a threat group called Unfading Sea Haze, was confined to March 2023, a new attack wave detected between January and June 2024 has been observed targeting 11 other organizations and agencies in the same region.
A set of new attacks orchestrated by Cluster Charlie, a cluster that’s referred to as Earth Longzhi, has also been identified between September 2023 and June 2024, some of which also involve the deployment of the C2 frameworks like Cobalt Strike, Havoc, and XieBroC2 in order to facilitate post-exploitation and deliver additional payloads like SharpHound for Active Directory infrastructure mapping.
“Exfiltration of data of intelligence value was still an objective after the resumption of activity,” the researchers said. “However, much of their effort appeared to be focused on re-establishing and extending their foothold on the target network by bypassing EDR software and rapidly re-establishing access when their C2 implants had been blocked.”
Another significant aspect is Cluster Charlie’s heavy reliance on DLL hijacking to execute malware, an approach previously adopted by threat actors behind Cluster Alpha, indicating a “cross-pollination” of tactics.
Some of the other open-source programs used by the threat actor include RealBlindingEDR and Alcatraz, which allow for terminating antivirus processes and obfuscating portable executable files (e.g., .exe, .dll, and .sys) with an aim to fly under the radar.
Rounding off the cluster’s malware arsenal is a previously unknown keylogger codenamed TattleTale that was originally identified in August 2023 and is capable of collecting Google Chrome and Microsoft Edge browser data.
“The malware can fingerprint the compromised system and check for mounted physical and network drives by impersonating a logged-on user,” the researchers explained.
“TattleTale also collects the domain controller name and steals the LSA (Local Security Authority) Query Information Policy, which is known to contain sensitive information related to password policies, security settings, and sometimes cached passwords.”
In a nutshell, the three clusters work hand in hand, while simultaneously focusing on specific tasks in the attack chain: infiltrating target environments and conducting reconnaissance (Alpha), burrow deep into the networks using various C2 mechanisms (Bravo), and exfiltrating valuable data (Charlie).
“Throughout the engagement, the adversary appeared to continually test and refine their techniques, tools, and practices,” the researchers concluded. “As we deployed countermeasures for their bespoke malware, they combined the use of their custom-developed tools with generic, open-source tools often used by legitimate penetration testers, testing different combinations.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.