2024-09-19

Intelligence Update to the Continuation of Operation Crimson Palace with New TTPs in Targeted Intrusions

Level: Tactical | Source: Sophos | Government


An update to the intelligence tracking the Crimson Palace cyberespionage operation by Sophos researchers offers new details about developments involving three distinct threat clusters: Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305). Sophos observed activity across these clusters within a compromised government agency in Southeast Asia from August 2023 to January 2024. Although activity within the compromised agency ceased in August 2023, as noted in the initial report, this update reveals that Cluster Charlie resumed operations in late September 2023, introducing new techniques that demonstrate the group's technical acumen. Meanwhile, Cluster Bravo expanded its operations across the region, targeting government agencies, government-related organizations, and public service organizations, with a focus on intelligence collection.

A brief update on Cluster Bravo's activities shows the cluster's expansive reach. From January to June 2024, the threat actor was present "on the networks of at least 11 other organizations and agencies in the same region," according to researchers. These activities focused on Southeast Asia, particularly targeting government and government-related agencies. Researchers note that the entities compromised by Cluster Bravo included "two non-governmental public services." The threat actors were methodical in their approach: their malware infrastructure communicated with the compromised networks of organizations within the same business vertical.

Among the techniques shared, DLL sideloading is the most prominent in this updated report. "As with our previous observations, the actors behind the new wave of activity relied heavily on DLL sideloading, using a malicious dynamic link library with function names matching those used by legitimate, signed executables and placing them in a directory where they would be found and loaded by those executables," Sophos researchers report. They also tied the new activity to the earlier clusters in their assessment: "We also saw the actors use tactics we had previously observed as part of other threat activity clusters, reinforcing our assessment that all the previous activity was orchestrated by the same overarching organization."
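The sideloading pattern described above (a system-named DLL resolved from the executable's own directory instead of System32) and the in-place DLL replacement mentioned later in this summary can both be hunted from module-load telemetry. The following is an added example, not code from the Sophos report or from Anvilogic: the `ImageLoad` record layout, the short `SYSTEM_DLL_NAMES` watch-list and all sample paths are constructed for illustration, and a real deployment would feed it Sysmon event 7 (image load) data with the signature fields filled in.

```python
"""Added example (not code from the Sophos report or Anvilogic): flag candidate DLL
sideloading and in-place DLL replacement in constructed image-load events."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed watch-list of legitimate Windows DLL names that sideloaded DLLs commonly
# impersonate; a production list would be far longer and sourced from telemetry.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "cryptbase.dll"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ImageLoad:
    """One module-load record (hypothetical schema, modelled on Sysmon event 7 fields)."""
    process_path: str     # executable that mapped the module
    process_signed: bool  # Authenticode status of that executable
    dll_path: str         # full path of the module that was mapped
    dll_signed: bool      # Authenticode status of the module


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a finding label for the event, or None if it looks legitimate."""
    dll = ev.dll_path.lower()
    if ntpath.basename(dll) not in SYSTEM_DLL_NAMES:
        return None  # not a name this example watches
    in_trusted_dir = dll.startswith(TRUSTED_DIRS)
    same_dir = ntpath.dirname(dll) == ntpath.dirname(ev.process_path.lower())
    # Sideloading: a signed executable resolved a system-named DLL from its own
    # directory rather than from System32 (the search-order abuse described above).
    if ev.process_signed and same_dir and not in_trusted_dir:
        return "sideload"
    # Replacement: a system-named DLL under a system directory that no longer carries
    # a valid signature, the pattern behind the Volume Shadow Copy DLL swap.
    if in_trusted_dir and not ev.dll_signed:
        return "replaced"
    return None


def triage(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (process, dll, label) for every event that classify() flags."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev.process_path, ev.dll_path, label))
    return findings


# Constructed sample telemetry: vendor, user and file names are invented.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\updater.exe", True, r"C:\Program Files\Vendor\version.dll", False),
    ImageLoad(r"C:\Windows\System32\svchost.exe", True, r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Windows\System32\svchost.exe", True, r"C:\Windows\System32\dbghelp.dll", False),
    ImageLoad(r"C:\Users\alice\tool.exe", True, r"C:\Users\alice\helper.dll", False),
]

if __name__ == "__main__":
    for process, dll, label in triage(SAMPLE_EVENTS):
        print(f"{label:9} {dll}  (loaded by {process})")
```

The two labels are deliberately separate: "sideload" depends on the loader being signed and the DLL living beside it, while "replaced" only needs a system-named module under a trusted directory to have lost its signature, which is what a swapped System32 DLL looks like in telemetry. The last sample event shows the limit of a name-based watch-list: a DLL with an unfamiliar name is not flagged, so the list has to be maintained from observed sideloading chains.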

Cluster Charlie's operations, which resumed in September 2023, focused on maintaining their C2 channels by switching between different deployment methods. The revamped C2 infrastructure complicates network traffic analysis and made use of legitimate infrastructure within compromised networks, leveraging trusted access points to deploy malware and thereby blending malicious activity with normal network operations. Tools used for their C2 include Havoc C2 and Cobalt Strike. Access to a web application was gained through compromised credentials, leading to the deployment of a web shell. Researchers note that within a 45-minute timespan, the threat actors had conducted internal reconnaissance and gathered data. Although telemetry for the host was limited, the activity was consistent: web shell deployment preceded downloads of Havoc payloads, which in turn facilitated process injection, another technique used prominently in their intrusions. Cluster Charlie conducted thorough reconnaissance with tools like SharpHound to gain accurate information on the organization's users, Active Directory infrastructure, network topology, and resources. For example, Cluster Charlie queried Windows event logs to identify successful login events as well as login events to remote workstations, querying for event code 1149 and saving the output to a text file.

"From November 2023 to at least May 2024, the actors in Cluster Charlie deployed C2 implants using 28 unique combinations of sideloading chains, execution methods, and shellcode loaders," researchers assess. The method behind the threat actors' activity was not only to shift their infrastructure to avoid detection but also to test detection capabilities with the security monitoring solution. "There is evidence the actors were testing to see if different files and deployment methods would be detected by Sophos." Further evidence of such behaviors was found with queries to Windows Defender executions and Sophos configurations in the Windows registry. By November 2023, Cluster Charlie had successfully deployed multiple sideloading combinations, illustrating their ability to rapidly adapt when blocked by Sophos' detection mechanisms. During this timeframe, credential access was achieved with a dump of LSASS.

The threat actors' proficiency extended to living-off-the-land binaries (LOLBins): service control (sc.exe) to query for installed services to abuse, rundll32 to execute Havoc DLLs carrying PDF file extensions, cmd to copy files, and wmic to move laterally with a remote query containing credentials. For persistence through scheduled tasks, both schtasks.exe and Impacket's atexec.py were used. Having gained administrative privileges, the threat actors were able to replace the legitimate system "Volume Shadow Copy Service DLL" in the System32 directory with their malicious DLL. Another masquerading technique, used sparingly, was to disguise their executables as conhost.exe running in the directory "C:\PerfLogs". A keylogger Sophos tracks as "TattleTale," deployed in April 2024, signified the shift to the "second phase" of the intrusion. Although the malware may have been used previously in August 2023, a sample of it couldn't be obtained. The executable, named "r2.exe," was written to disk and dropped by a sideloaded executable, identity_helper.exe, which is related to the Microsoft Edge browser. The keylogger's capabilities were found to include gathering administrative accounts and domain controllers and capturing the LSA (Local Security Authority), as it contains security policy information.
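The behaviours summarized in the last three paragraphs (the event code 1149 log query saved to a text file, registry queries against security-product configuration, and the LOLBin usage: rundll32 with a PDF-named module, conhost.exe outside System32, wmic with credentials, schtasks, sc.exe) are all visible in process-creation telemetry. The following added example is not code from the Sophos report or from Anvilogic; it scores constructed process-creation events against those behaviours. The rule names, the `(image, command line)` event shape and every sample command line, host and account name are invented for illustration.

```python
"""Added example (not from the Sophos report or Anvilogic): score constructed Windows
process-creation events against the living-off-the-land behaviours described above."""
import ntpath
from typing import List, Tuple

SYSTEM32 = "c:\\windows\\system32\\"


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _first_arg(cmdline: str) -> str:
    """Return the first argument after the program name, with surrounding quotes stripped."""
    parts = cmdline.split()
    return parts[1].strip('"') if len(parts) > 1 else ""


def detect(image: str, cmdline: str) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    img = _basename(image)
    cl = cmdline.lower()
    hits = []
    # 1. Event-log reconnaissance for RDP logon successes (EventID 1149) written to a file
    if img in ("wevtutil.exe", "powershell.exe") and "1149" in cl and ".txt" in cl:
        hits.append("rdp_logon_event_query")
    # 2. rundll32 executing a module whose extension is not .dll (e.g. a "PDF")
    if img == "rundll32.exe":
        module = _first_arg(cmdline).split(",")[0]
        ext = ntpath.splitext(module)[1].lower()
        if ext and ext != ".dll":
            hits.append("rundll32_non_dll_module")
    # 3. conhost.exe masquerade: the genuine binary only runs from System32
    if img == "conhost.exe" and not image.lower().startswith(SYSTEM32):
        hits.append("conhost_outside_system32")
    # 4. wmic lateral movement with credentials supplied on the command line
    if img == "wmic.exe" and "/node:" in cl and "/user:" in cl:
        hits.append("wmic_remote_with_credentials")
    # 5. scheduled-task persistence
    if img == "schtasks.exe" and "/create" in cl:
        hits.append("schtasks_create")
    # 6. service enumeration with sc.exe (low severity on its own, useful in sequence)
    if img == "sc.exe" and _first_arg(cmdline) in ("query", "qc"):
        hits.append("sc_service_query")
    # 7. reg.exe inspecting Defender or Sophos configuration (detection probing)
    if img == "reg.exe" and "query" in cl and ("windows defender" in cl or "sophos" in cl):
        hits.append("reg_query_security_product")
    return hits


def scan(events: List[Tuple[str, str]]) -> List[Tuple[int, str, List[str]]]:
    """Return (index, image name, rule hits) for every event that matched at least one rule."""
    results = []
    for idx, (image, cmdline) in enumerate(events):
        hits = detect(image, cmdline)
        if hits:
            results.append((idx, _basename(image), hits))
    return results


# Constructed sample events: (image path, command line). Hosts, accounts and file
# names are invented; the last two entries are benign controls.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\wevtutil.exe",
     r'wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational '
     r'/q:"*[System[EventID=1149]]" > C:\PerfLogs\rdp.txt'),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\ProgramData\report.pdf,Start"),
    (r"C:\PerfLogs\conhost.exe", "conhost.exe"),
    (r"C:\Windows\System32\wbem\wmic.exe",
     r'wmic /node:10.0.0.5 /user:CORP\svc-backup /password:*** process call create "cmd /c whoami"'),
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc onlogon /tn "Updater" /tr C:\PerfLogs\conhost.exe'),
    (r"C:\Windows\System32\sc.exe", "sc query"),
    (r"C:\Windows\System32\reg.exe", r'reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /s'),
    (r"C:\Windows\System32\conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0x4"),
    (r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for idx, image, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {image:14} -> {', '.join(hits)}")
```

Individually, several of these rules (sc.exe queries, schtasks creation) fire on legitimate administration; their value is in the sequence the report describes, where a web shell, a Havoc download, event-log and registry reconnaissance and a scheduled task appear on the same host within minutes. Rule 3 in particular has very low noise, since the genuine conhost.exe does not run from C:\PerfLogs.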

The intelligence provided by Sophos offers valuable insight into Operation Crimson Palace. This second installment shares useful indicators and behaviors employed by the threat actors in their ongoing campaign. The researchers warn that more updates will come given the ongoing nature of this intrusion. As these reports are released, it is essential that defenders implement detection strategies based on the intelligence provided, so that their defenses are capable of monitoring the activities reported.
