    Experts Uncover 3 Chinese-Associated Clusters Behind Cyberattacks in Southeast Asia

    A trio of threat activity clusters linked to China has been observed infiltrating additional government organizations in Southeast Asia, an escalation of the state-sponsored operation tracked as Crimson Palace that indicates the espionage effort is broadening.

    Cybersecurity firm Sophos, which has been tracking the cyber offensive, reported that it consists of three distinct intrusion sets: Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305). The abbreviation STAC stands for “security threat activity cluster.”

    “The attackers have consistently leveraged compromised organizational and public service networks in the region to deliver malware and tools disguised as trusted access points,” said security researchers Mark Parsons, Morgan Demboski, and Sean Gallagher in a technical report shared with The Hacker News.

    A notable feature of these attacks is the use of an unnamed organization’s systems as a command-and-control (C2) relay point and a staging area for tools. Additionally, a compromised Microsoft Exchange Server from another organization has been used to host malware.

    Crimson Palace was initially documented by Sophos in early June 2024, with the attacks occurring between March 2023 and April 2024.

    While the initial activity linked to Cluster Bravo, which overlaps with a threat group known as Unfading Sea Haze, was confined to March 2023, a new wave of attacks detected between January and June 2024 has targeted 11 other organizations and agencies in the same region.

    New attacks orchestrated by Cluster Charlie, also referred to as Earth Longzhi, have been identified between September 2023 and June 2024. Some of these attacks involved deploying C2 frameworks such as Cobalt Strike, Havoc, and XieBroC2 to facilitate post-exploitation and deliver additional payloads like SharpHound for Active Directory infrastructure mapping.

    “Exfiltrating intelligence data remained a key objective after the resumption of activity,” the researchers noted. “However, much of their focus appeared to be on re-establishing and expanding their foothold on the target network by bypassing EDR software and quickly regaining access when their C2 implants were blocked.”

    Another significant point is Cluster Charlie’s extensive use of DLL hijacking for executing malware, a tactic also used by Cluster Alpha, suggesting a “cross-pollination” of techniques.
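    DLL hijacking is named above only as a technique the cluster relies on. As an added example (not code from the article, the researchers, or Sophos), the following Python script shows one defender-side heuristic for spotting it in endpoint telemetry: flag image-load events where a DLL carrying a well-known Windows system DLL name is loaded from outside the system directories, or where an unsigned DLL is loaded from a user-writable staging path. The log lines are constructed and only imitate the field names of Sysmon Event ID 7 (Image loaded); the allow-list of system DLL names is an assumed, illustrative subset, not the full set.

```python
"""Heuristic detection of DLL search-order hijacking from image-load events.

Added example for this article; not code from Sophos or from the report the
article summarizes. The input format imitates Sysmon Event ID 7 fields
(Image, ImageLoaded, Signed, SignatureStatus), but every line is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories from which Windows system DLLs are expected to be loaded.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# User-writable locations frequently used to stage tooling. Assumed list.
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")

# Assumed, illustrative subset of DLL names that live in System32. A real
# deployment would derive this list from a clean reference image.
KNOWN_SYSTEM_DLLS = {"version.dll", "userenv.dll", "cryptbase.dll", "dbghelp.dll", "wtsapi32.dll"}

# Constructed sample events (paths use single backslashes once parsed).
SAMPLE_EVENTS = [
    'UtcTime=2024-05-02T10:14:03 Image="C:\\Program Files\\Vendor\\app.exe" '
    'ImageLoaded="C:\\Windows\\System32\\version.dll" Signed=true SignatureStatus=Valid',
    'UtcTime=2024-05-02T10:14:05 Image="C:\\ProgramData\\svc\\updater.exe" '
    'ImageLoaded="C:\\ProgramData\\svc\\version.dll" Signed=false SignatureStatus=Unavailable',
    'UtcTime=2024-05-02T10:14:09 Image="C:\\Users\\Public\\tool.exe" '
    'ImageLoaded="C:\\Users\\Public\\helper.dll" Signed=false SignatureStatus=Unavailable',
    'UtcTime=2024-05-02T10:14:11 Image="C:\\Program Files\\Vendor\\app.exe" '
    'ImageLoaded="C:\\Program Files\\Vendor\\vendorcore.dll" Signed=true SignatureStatus=Valid',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    process: str
    dll: str
    reason: str


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify_load(event: dict) -> Optional[Finding]:
    """Return a Finding if the image load looks like DLL hijacking, else None."""
    image_loaded = event.get("ImageLoaded", "")
    process = event.get("Image", "")
    lower = image_loaded.lower()
    name = lower.rsplit("\\", 1)[-1]
    if not name.endswith(".dll"):
        return None
    in_system_dir = lower.startswith(SYSTEM_DIRS)

    # Rule 1: a DLL that should come from System32 is loaded from elsewhere,
    # the classic search-order hijack pattern.
    if name in KNOWN_SYSTEM_DLLS and not in_system_dir:
        return Finding(process, image_loaded, "system DLL name loaded from non-system directory")

    # Rule 2: an unsigned DLL loaded from a user-writable staging location.
    unsigned = event.get("Signed", "").lower() == "false"
    if unsigned and any(d in lower for d in STAGING_DIRS):
        return Finding(process, image_loaded, "unsigned DLL loaded from user-writable staging path")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run the heuristics over raw log lines and collect findings."""
    findings = []
    for line in lines:
        finding = classify_load(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.process} loaded {f.dll}")
```

    Of the four constructed events, only the second and third are flagged: the first is a legitimate load of version.dll from System32, and the fourth is a signed vendor DLL in the vendor's own directory. Rule 2 is the noisier of the two on real hosts and is usually combined with process lineage or prevalence data before it is promoted to an alert.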

    Other open-source tools employed by the threat actors include RealBlindingEDR and Alcatraz, which are used to terminate antivirus processes and obfuscate portable executable files (e.g., .exe, .dll, and .sys) to evade detection.

    Completing the cluster’s malware arsenal is a previously unknown keylogger named TattleTale, identified in August 2023, which can gather data from Google Chrome and Microsoft Edge browsers.

    “The malware can fingerprint the compromised system and check for mounted physical and network drives by mimicking a logged-on user,” the researchers explained.

    “TattleTale also collects the domain controller name and steals the LSA (Local Security Authority) Query Information Policy, which contains sensitive information related to password policies, security settings, and occasionally cached passwords.”

    In summary, the three clusters operate in tandem while focusing on distinct aspects of the attack chain: infiltrating target environments and conducting reconnaissance (Alpha), penetrating networks using various C2 mechanisms (Bravo), and extracting valuable data (Charlie).

    “Throughout the engagement, the adversary seemed to continuously test and refine their techniques, tools, and methods,” the researchers concluded. “As we implemented countermeasures against their custom malware, they combined their bespoke tools with generic, open-source tools frequently used by legitimate penetration testers, experimenting with different combinations.”