2024-12-17

Four-Month Espionage Campaign Hits U.S. Organization, Compromising Five Workstations

Level: Tactical | Source: Symantec | Global


A large U.S. organization experienced a prolonged intrusion attributed to China-based threat actors between April 2024 and August 2024, Symantec reports. The attackers achieved persistent access, moving laterally across the network and targeting Exchange Servers to steal emails. Symantec linked the intrusion to China-based actors based on the use of familiar tactics such as DLL sideloading and the deployment of tools previously associated with other Chinese espionage campaigns. In particular, the attackers employed “textinputhost.dat”, a file linked to the Chinese espionage group Crimson Palace, according to reporting by Sophos, further reinforcing this attribution. Evidence suggests that the initial network compromise may have occurred prior to April 11, 2024, though this date marks the first recorded activity. A detailed examination of the attack lifecycle reveals that malicious activity spanned five workstations from April 11 to June 27, 2024.

The earliest identified activity occurred on April 11, 2024, on Machine 1. Symantec notes, however, that the intrusion likely began earlier, as the command execution "originated from another machine on the network," indicating that at least one other system had already been compromised. The initial activity involved using Windows Management Instrumentation (WMI) and Impacket to execute commands remotely. The attackers dumped credentials using "reg.exe" to save SYSTEM and SAM registry hives and employed the "net use" command to map shares to a network-attached storage (NAS) device. PowerShell scripts were used to query active TCP network connections, followed by reconnaissance of Active Directory (AD) for service principal names (SPNs) to facilitate Kerberoasting. On April 16, additional WMI command executions were observed, and on April 17, the attackers sideloaded a malicious DLL payload using a renamed version of GoogleToolbarNotifier.exe (rc.exe), further entrenching their access.

On June 2, 2024, malicious activity extended to Machine 2. Attackers repeated patterns observed on Machine 1, using WMI and Impacket to launch commands and employing renamed tools such as FileZilla's SFTP client (putty.exe) for data exfiltration. This activity occurred rapidly, with minimal delay between command execution and the deployment of renamed executable files. On June 13, WMI facilitated multiple command executions, followed by PowerShell scripts on June 14 that used the System.Net.WebClient DownloadFile cradle to download and execute remote files. These files, saved in the "perflogs" directory, likely included WinRAR and a renamed version of PSCP (PuTTY's SCP client). Activity on this machine continued until June 27, when PsExec was used for further lateral movement, and potentially malicious files such as “textinputhost.dat” and “ibnettle-6.dll” were introduced. The former file is significant due to its ties to other Chinese-linked campaigns.

Activity on Machine 3 also began on June 2, 2024, where attackers leveraged WMI to query Windows Security event logs for authentication and privileged access events, including login (4624), privileged login (4672), logoff (4634), privileged service invocation (4673), and account lockout (4740). After querying security logs, PowerShell scripts were launched to verify connectivity. On June 20, PsExec was used to target AD and Exchange Server groups to gather account information, including executing the "Get-ADComputer" cmdlet. Machine 4 recorded brief activity on June 5, when WMI executed “reg.exe” to export registry keys from "Control\Session Manager\KnownDLLs." Symantec explained that these keys could help attackers identify trusted DLLs for potential hijacking or evasion efforts. On June 13, Machine 5 exhibited brief activity involving WMI executing “iTunesHelper.exe” from the PerfLogs directory, likely to sideload a malicious DLL (CoreFoundation.dll).

While the identity of the threat actor in this incident remains unspecified, Symantec disclosed that the targeted U.S. organization had previously been attacked in 2023 by the China-linked APT entity ‘Daggerfly.’ The attackers’ extensive use of living-off-the-land tools, particularly WMI, along with techniques designed to remain concealed throughout the multi-month intrusion, underscores the advanced nature of this threat.
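
The process-level behaviours described for Machines 1, 2, 4 and 5 (registry hive saves, renamed binaries, execution from PerfLogs, KnownDLLs export, WMI-spawned processes) can be expressed as checks over process-creation telemetry. The following is an added example, not code from Symantec or the original page; it assumes Sysmon Event ID 1 style fields (Image, OriginalFileName, CommandLine, ParentImage), and the rule names, sample events, paths and command lines are constructed for illustration.

```python
import ntpath
import re

# Rule names are hypothetical labels chosen for this example.
HIVE_SAVE = re.compile(r"\bsave\s+(hklm|hkey_local_machine)\\(sam|system)\b", re.I)
KNOWNDLLS = re.compile(r"session manager\\knowndlls", re.I)

def evaluate(event):
    """Return the rule names matched by one process-creation event."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    # Tools staged in and run from the PerfLogs directory.
    if "\\perflogs\\" in image.lower():
        hits.append("exec_from_perflogs")
    # On-disk name differs from the name embedded in the PE version resource.
    if original not in ("", "?", "-", name):
        hits.append("renamed_binary")
    if "reg.exe" in (name, original):
        if HIVE_SAVE.search(cmd):
            hits.append("reg_hive_save")
        if KNOWNDLLS.search(cmd):
            hits.append("reg_knowndlls_export")
    # WMI-spawned processes have WmiPrvSE.exe as parent; added as context only.
    if hits and ntpath.basename(event.get("ParentImage", "")).lower() == "wmiprvse.exe":
        hits.append("wmi_parent")
    return hits

WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
REG = r"C:\Windows\System32\reg.exe"
EVENTS = [  # constructed sample events; paths, file names and command lines are illustrative
    {"Image": REG, "OriginalFileName": "reg.exe", "ParentImage": WMI,
     "CommandLine": r"reg.exe save HKLM\SAM C:\Windows\Temp\s.hiv"},
    {"Image": r"C:\Users\Public\rc.exe", "OriginalFileName": "GoogleToolbarNotifier.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "rc.exe"},
    {"Image": r"C:\PerfLogs\iTunesHelper.exe", "OriginalFileName": "iTunesHelper.exe",
     "ParentImage": WMI, "CommandLine": r"C:\PerfLogs\iTunesHelper.exe"},
    {"Image": REG, "OriginalFileName": "reg.exe", "ParentImage": WMI,
     "CommandLine": r'reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs" k.reg'},
    {"Image": REG, "OriginalFileName": "reg.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft"},
]

def triage(events):
    """Return (image, hits) for every event that matched at least one rule."""
    return [(e["Image"], h) for e in events if (h := evaluate(e))]

if __name__ == "__main__":
    for image, hits in triage(EVENTS):
        print(image, hits)
```

The `wmi_parent` tag is only attached when another rule has already fired, since WMI-launched processes on their own are common in managed environments.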
