Sophos X-OpsSophos continues to observe Chinese state-sponsored espionage targeting a wide range of organizations in Southeast Asia tied to the activity we recently covered in our Operation Crimson Palace report in recent incidents handled by Sophos MDR.
We covered three security threat activity clusters in our report. One of those, STAC1807(Cluster Bravo)—the least active during our observation of activities during the reported intrusion—has been observed in operation elsewhere.
An investigation into incidents at two organizations in Southeast Asia, which were resolved by MDR, uncovered malware being deployed by way of a script downloaded from an unrelated healthcare organization’s Exchange web email server, retrieved with a curl command. /2
The source of the command was an updated version of the CCoreDoor (aka EtherealGh0st) malware via DLL sideloading through mscorsvw.exe (part of the .NET framework). /3
These backdoors provide persistence, command and control, and keylogging. Below, disassembly of the keyboard logging through the sideloaded user32.dll /4
We also found additional command and control activity executed through sideloading of Trend Micro’s ASDTool.exe, which leveraged a shellcode loader in the form of msi.dll to chain their C2 payload, msiconf.dll. This same shellcode loader was identified as being sideloaded by an additional Trend Micro tool, DVASS.exe, renamed as WUDFUsbccidDriver.exe. /5
Sophos detects this activity as Troj/Agent-BKNP, Troj/Gapz-E, Troj/Loader-CR & Troj/Steal-DXW. We will continue to post updates on these activity clusters’ activity here and on the Sophos research blog. IOCs for these attacks can be found on Sophos X-Ops’ GitHub here:https://github.com/sophoslabs/IoCs/blob/master/STAC1807_June_update.csv.
/end
/end
