In-Depth Analysis by Sophos Reveals Three Clusters Behind Operation Crimson Palace

Sophos researchers Morgan Demboski, Paul Jaramillo, and Mark Parsons have published a comprehensive analysis of activity from three threat clusters aligned with China. The activity, tracked as an espionage campaign named Operation Crimson Palace, targeted a government organization in Southeast Asia. The threat actors were active in the victim's network "from at least March 2023 through December 2023," according to the researchers. The three clusters—Alpha (STAC1248), Bravo (STAC1870), and Charlie (STAC1305)—all operate in support of Chinese state interests. Each cluster overlaps with previously reported groups: Alpha (STAC1248) with 'BackdoorDiplomacy,' 'REF5961,' 'Worok,' and 'TA428'; Bravo (STAC1870) with 'Unfading Sea Haze'; and Charlie (STAC1305) with 'Earth Longzhi,' a subgroup of APT41. The clusters also overlap operationally: they used the same servers, targeted the same networks and victims, and operated in sync with Chinese working hours. The researchers provide an in-depth examination of the tactics, techniques, and procedures (TTPs) used by the three clusters, offering insight into the nature of the intrusions.

Cluster Alpha (STAC1248) was active as early as March 6, 2023. Its credential access techniques involved dumping the Security Accounts Manager (SAM) registry hive and using the RemoteRegistry service to harvest credentials without alerting network defenses. Cluster Alpha's intrusion included several gaps in operations, indicating patience and noticeable dwell time. Activity resumed in mid-March, when the acquired credentials were used to enumerate the domain. All three clusters relied mainly on native tools such as net.exe, nltest, and whoami for reconnaissance, but also used PowerShell scripts to query Windows event logs for logon events (Event ID 4624). During the lateral movement stage, between March and April, shares were mapped and remote WMIC queries were executed with explicit credentials. Tools used for lateral movement included rdpclip, the Impacket modules atexec and smbexec, and a renamed PsExec, which the Sophos endpoint agent blocked. Throughout the intrusion, persistence and privilege escalation were achieved through registry modifications and the creation and modification of Windows services such as IKEEXT, leading to the deployment of malware payloads including the Merlin C2 agent, the PhantomNet backdoor, RUDEBIRD malware, and the PowHeartBeat backdoor.

Cluster Bravo (STAC1870) conducted a three-week intrusion focused on reconnaissance, frequently executing ping commands and ping sweeps and repeatedly disconnecting all mapped network shares with "net use * /del /y." Sophos researchers observed, "During this internal discovery, the actor was seen verifying connectivity to two related government departments within the same country. One of the departments, in particular, ranks as a high target of interest for the Chinese government, as it aligns with China's 5-year plan and ambitions to claim natural resources in the South China Sea outside the internationally recognized border." Like Cluster Alpha, Bravo used native Windows commands for network discovery, such as 'whoami', 'ipconfig /all', and 'tasklist /v'. The cluster also used 'rdrleakdiag.exe' to dump lsass.exe memory, bypassing standard security measures to access sensitive credential data. For lateral movement, the actors used three methods with CCoreDoor: (1) wscript to run a .vbs, (2) wmic process call create to run the .vbs, and (3) creating a service to run the .vbs with wscript, creating scheduled tasks, and moving CCoreDoor to 'C:\Users\Administrator\Appdata\Roaming' with batch scripts. Persistence was established through the creation of scheduled tasks. The actors also tampered heavily with ntdll.dll: "In March, activity in Cluster Bravo was observed rapidly creating, deleting, and modifying ntdll.dll (renamed ntpsapi.dll) at least 19 times in one minute."
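The behaviors described for Clusters Alpha and Bravo (native-tool reconnaissance bursts, "net use * /del /y" share teardown, rdrleakdiag.exe execution, wmic process call create with an explicit /user, and wscript launching a .vbs under the WMI provider host) are all visible in process-creation telemetry. The following is an added example, not code from the Sophos report or from Anvilogic, that triages a batch of process-creation events against rules for exactly those patterns. The event dictionaries are constructed test data, and the field names (host, user, parent, image, cmdline) are assumptions modeled loosely on Sysmon Event ID 1 / Security 4688 fields rather than any product's schema.

```python
import re
from collections import defaultdict

# Constructed sample: each dict is one process-creation event. Values are invented.
SAMPLE_EVENTS = [
    {"host": "WS-01", "user": "jdoe", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": "net use * /del /y"},
    {"host": "WS-01", "user": "jdoe", "parent": "cmd.exe", "image": "rdrleakdiag.exe",
     "cmdline": "rdrleakdiag.exe /p 648 /o C:\\Windows\\Temp"},
    {"host": "WS-02", "user": "svc_admin", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic /node:SRV-DC1 /user:CORP\\admin /password:[redacted] '
                'process call create "wscript.exe C:\\ProgramData\\upd.vbs"'},
    {"host": "WS-02", "user": "svc_admin", "parent": "WmiPrvSE.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\Administrator\\AppData\\Roaming\\upd.vbs"},
    {"host": "WS-03", "user": "admin2", "parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-WinEvent -FilterHashtable @{LogName='Security';Id=4628}"},
    {"host": "WS-03", "user": "admin2", "parent": "cmd.exe", "image": "whoami.exe",
     "cmdline": "whoami /all"},
    {"host": "WS-03", "user": "admin2", "parent": "cmd.exe", "image": "nltest.exe",
     "cmdline": "nltest /dclist:corp"},
    {"host": "WS-03", "user": "admin2", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": 'net group "domain admins" /domain'},
    # A single ipconfig by a helpdesk user is normal and should not fire anything.
    {"host": "WS-04", "user": "helpdesk", "parent": "explorer.exe", "image": "ipconfig.exe",
     "cmdline": "ipconfig /all"},
]


def _cmd(ev):
    return ev["cmdline"].lower()


def _img(ev):
    return ev["image"].lower()


# Per-event rules: (rule name, predicate over one event). Matching is case-insensitive.
EVENT_RULES = [
    # Cluster Bravo's repeated teardown of all mapped shares.
    ("share_teardown_net_use_del",
     lambda ev: _img(ev) == "net.exe" and re.search(r"\buse\s+\*\s+/del\b", _cmd(ev)) is not None),
    # rdrleakdiag.exe is rarely run by administrators; its mere execution is worth a look.
    ("rdrleakdiag_execution", lambda ev: _img(ev) == "rdrleakdiag.exe"),
    # Remote WMIC process creation with explicit credentials on the command line.
    ("wmic_remote_process_create",
     lambda ev: _img(ev) == "wmic.exe" and "/node:" in _cmd(ev) and "process call create" in _cmd(ev)),
    # wscript running a .vbs whose parent is the WMI provider host: the child side of the above.
    ("wscript_vbs_from_wmi_provider",
     lambda ev: _img(ev) == "wscript.exe" and ev["parent"].lower() == "wmiprvse.exe" and ".vbs" in _cmd(ev)),
    # Event-log queries for ID 4628, which does not exist (the likely typo noted by Sophos).
    ("eventlog_query_nonexistent_4628",
     lambda ev: _img(ev) in ("powershell.exe", "pwsh.exe") and re.search(r"\b4628\b", _cmd(ev)) is not None),
]

# Native discovery tools common to all three clusters; one in isolation is benign.
RECON_TOOLS = {"net.exe", "nltest.exe", "whoami.exe", "ipconfig.exe", "tasklist.exe"}


def evaluate_events(events, recon_threshold=3):
    """Return a sorted list of (host, rule_name) hits.

    Besides the per-event rules, a host on which one user runs at least
    recon_threshold *distinct* native recon tools is flagged as
    'native_recon_burst'. The threshold is an assumption; tune it to a baseline.
    """
    hits = set()
    recon_tools_seen = defaultdict(set)  # (host, user) -> set of recon images
    for ev in events:
        for name, predicate in EVENT_RULES:
            if predicate(ev):
                hits.add((ev["host"], name))
        if _img(ev) in RECON_TOOLS:
            recon_tools_seen[(ev["host"], ev["user"])].add(_img(ev))
    for (host, _user), tools in recon_tools_seen.items():
        if len(tools) >= recon_threshold:
            hits.add((host, "native_recon_burst"))
    return sorted(hits)


if __name__ == "__main__":
    for host, rule in evaluate_events(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

On the constructed sample this yields two hits for WS-01, two for WS-02 (the remote WMIC call and the resulting wscript child), and two for WS-03 (the 4628 query and the recon burst), while WS-04's lone ipconfig stays quiet. The per-event rules are deliberately narrow; the recon-burst rule is the one that needs a site-specific threshold, since administrators legitimately run these tools.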

Lastly, Cluster Charlie (STAC1305)'s intrusion was documented in June 2023, when, as Sophos researchers describe, "the actor began to conduct some of their noisiest activity, including mass analysis of event logs for network-wide user and network reconnaissance and ping sweeps of over 1800 machines." The reconnaissance included examining Windows logs for logon events (Event ID 4624), as well as queries for Event ID 4628, which does not exist and is likely a typo. This aggressive and extensive reconnaissance underpinned the cluster's lateral movement. Using previously acquired valid credentials, the threat actors operated with two administrator accounts, and "they were often observed simultaneously connecting to multiple domain controllers from a C2 implant to infect new victim machines." Scheduled tasks enabled the actors to persist and launch their malware implants. Lateral movement was observed in August through SMB shares, remote scheduled tasks, and remote WMIC commands with explicit credentials. The actors were careful to cover their tracks, terminating their processes, deleting dropped files, and disconnecting network shares.
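Ping sweeps on the scale Sophos describes for Cluster Charlie (over 1800 machines) stand out not because any single ping is suspicious but because of the volume of distinct targets from one host in a short time. The following is an added example, not code from the Sophos report or from Anvilogic, that applies a per-host sliding window over chronologically sorted ping process-creation events and reports hosts that exceed a distinct-target threshold. The events are constructed; the field names, the 60-second window and the threshold of 20 targets are assumptions to be tuned against a real baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Extracts the first dotted-quad address on a ping command line.
TARGET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def build_sample_events():
    """Constructed data: SRV-01 pings 40 addresses in 10.0.5.0/24 two seconds
    apart (a sweep), while WS-09 pings three hosts five minutes apart
    (ordinary troubleshooting). Timestamps and hostnames are invented."""
    t0 = datetime(2023, 6, 12, 3, 15, 0)
    events = []
    sweep_targets = list(ipaddress.ip_network("10.0.5.0/24").hosts())[:40]
    for i, addr in enumerate(sweep_targets):
        events.append({"ts": t0 + timedelta(seconds=2 * i), "host": "SRV-01",
                       "image": "ping.exe", "cmdline": f"ping -n 1 {addr}"})
    for i, addr in enumerate(["10.0.1.10", "10.0.1.11", "10.0.1.12"]):
        events.append({"ts": t0 + timedelta(minutes=5 * i), "host": "WS-09",
                       "image": "ping.exe", "cmdline": f"ping {addr}"})
    return sorted(events, key=lambda e: e["ts"])


def detect_ping_sweeps(events, window=timedelta(seconds=60), threshold=20):
    """Per-host sliding window over ping events sorted by timestamp.

    Returns {host: peak number of distinct targets seen inside any window}
    for every host whose peak reached the threshold. Events that are not
    ping.exe, or whose command line carries no IPv4 address, are ignored.
    """
    recent = defaultdict(deque)  # host -> deque of (timestamp, target) within the window
    peaks = {}
    for ev in events:
        if ev["image"].lower() != "ping.exe":
            continue
        match = TARGET_RE.search(ev["cmdline"])
        if not match:
            continue
        q = recent[ev["host"]]
        q.append((ev["ts"], match.group(1)))
        # Drop entries older than the window relative to the current event.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct >= threshold:
            peaks[ev["host"]] = max(peaks.get(ev["host"], 0), distinct)
    return peaks


if __name__ == "__main__":
    for host, peak in detect_ping_sweeps(build_sample_events()).items():
        print(f"{host}: up to {peak} distinct targets within one window")
```

On the constructed data SRV-01 is reported with a peak of 31 distinct targets inside a 60-second window (two-second spacing fits 31 events in an inclusive window), and WS-09 never appears. The same window logic applies to other noisy discovery the report mentions, such as mass event-log queries, by swapping the image filter and the target extractor.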

Across all clusters, DLL sideloading, particularly through the abuse of legitimate system processes and tools, was a common thread that highlighted the actors' capabilities in stealth and evasion. The technique allowed them not only to maintain persistence but also to execute commands and exfiltrate data without significant detection by network defenses. These actions helped the threat actors achieve their objective to "collect many sensitive military and political documents, as well as the VoIP phone database files of multiple administrators, which can be used to restore messages." The in-depth analysis of Operation Crimson Palace provided by Sophos researchers offers critical insight into the tactics, techniques, and procedures of the clusters involved and underscores the need for compensating detections and controls to defend against these threat actors.
