Three China-linked threat activity clusters have been identified under the codename Crimson Palace, an indication that the scope of the espionage campaign is expanding.
Sophos, the cybersecurity firm that has been monitoring the attacks, said the campaign comprises three sets of intrusions that it tracks as Cluster Alpha (STAC1248), Cluster Bravo (STAC1870) and Cluster Charlie (STAC1305), where STAC stands for “Security Threat Activity Cluster.”
“The attackers continually leveraged the networks of other compromised organizations and public services in the region to distribute malware and tools under the guise of trusted access points,” security researchers Mark Parsons, Morgan Demboski and Sean Gallagher said in a technical report shared with The Hacker News.
What is notable about this campaign is that it used systems at one unnamed organization as a command-and-control (C2) relay point and a staging base for its tools, while a compromised Microsoft Exchange Server at a second organization was reportedly used to host the malware.
Crimson Palace was first documented by Sophos in early June 2024, covering attacks that took place between March 2023 and April 2024.
Initial activity associated with Cluster Bravo overlapped with a threat group called Unfading Sea Haze and was limited to March 2023, but a new wave of attacks detected between January and June 2024 has been identified targeting 11 other organizations and institutions in the same region.
A series of new attacks has also been identified between September 2023 and June 2024, orchestrated by Cluster Charlie, which overlaps with a threat group known as Earth Longzhi. Some of these attacks include the deployment of C2 frameworks such as Cobalt Strike, Havoc, and XieBroC2 to facilitate post-exploitation activity and deliver additional payloads such as SharpHound for mapping Active Directory infrastructure.
“After resuming activity, exfiltration of intelligence-valuable data remained an objective,” the researchers said, “but much of their efforts appeared to be focused on re-establishing and expanding their foothold in target networks by evading EDR software and quickly re-establishing access when their C2 implants were blocked.”
Another important point is that Cluster Charlie relies heavily on DLL hijacking to execute its malware, a technique previously employed by the threat actors behind Cluster Alpha, demonstrating a “cross-pollination” of tactics.
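DLL hijacking of the kind described above leaves a footprint in image-load telemetry, and that is where a defender can hunt for it. The following is an example added to this page, not code from Sophos or from the Crimson Palace report. It assumes Sysmon Event ID 7 (Image Loaded) records exported as JSON objects carrying Sysmon's own Image, ImageLoaded and Signed fields; the directory lists, the set of commonly hijacked DLL names and the sample records are illustrative assumptions constructed for the example.

```python
import ntpath

# Example code added to this page (not Sophos tooling): flag likely DLL search-order
# hijacking / side-loading in Sysmon Event ID 7 (Image Loaded) records exported as
# JSON objects. Field names (Image, ImageLoaded, Signed) are Sysmon's own; the lists
# below are illustrative assumptions, not derived from the Crimson Palace report.

# Directories a Windows system DLL is expected to load from.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Locations an unprivileged user can write to, where a dropped EXE + DLL pair usually lands.
USER_WRITABLE_DIRS = (r"c:\users", r"c:\programdata", r"c:\windows\temp", r"c:\perflogs")

# System DLL names that signed binaries commonly resolve by name and that are therefore
# frequent hijack targets (illustrative list).
COMMONLY_HIJACKED = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll"}


def _dir_of(path):
    """Lower-cased directory part of a Windows path (ntpath works on any host OS)."""
    return ntpath.dirname(path).lower().rstrip("\\")


def _under(directory, roots):
    """True if directory equals one of roots or lies beneath it."""
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def is_suspicious_load(event):
    """Return a reason string if this Event ID 7 record looks like DLL hijacking, else None."""
    host_dir = _dir_of(event["Image"])
    loaded_dir = _dir_of(event["ImageLoaded"])
    dll_name = ntpath.basename(event["ImageLoaded"]).lower()
    unsigned = str(event.get("Signed", "false")).lower() == "false"

    # Rule 1: a well-known system DLL name resolved from outside the system directories
    # (search-order hijacking / DLL proxying).
    if dll_name in COMMONLY_HIJACKED and not _under(loaded_dir, TRUSTED_DIRS):
        return f"system DLL name {dll_name} loaded from non-system path {loaded_dir}"

    # Rule 2: an unsigned DLL loaded from the executable's own directory, where that
    # directory is user-writable (the classic "legit EXE dropped beside evil DLL" pattern).
    if unsigned and loaded_dir == host_dir and _under(host_dir, USER_WRITABLE_DIRS):
        return f"unsigned {dll_name} side-loaded from user-writable path {host_dir}"
    return None


def scan(events):
    """Run both rules over an iterable of Sysmon records (dicts).

    Returns a list of (Image, ImageLoaded, reason) tuples for the hits.
    """
    findings = []
    for ev in events:
        if int(ev.get("EventID", 0)) != 7:
            continue  # only Image Loaded events carry ImageLoaded / Signed
        reason = is_suspicious_load(ev)
        if reason:
            findings.append((ev["Image"], ev["ImageLoaded"], reason))
    return findings


# Constructed sample records (not real telemetry), in the shape of a Sysmon JSON export.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\update\update.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\update\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\ProgramData\sync\sync.exe",
     "ImageLoaded": r"C:\ProgramData\sync\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\update\update.exe"},
]

if __name__ == "__main__":
    for image, loaded, reason in scan(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}: {reason}")
```

Run against the constructed records, the first rule catches the copy of version.dll sitting beside an executable under C:\Users\Public, and the second catches the unsigned helper.dll loaded from a user-writable ProgramData folder; the svchost and signed vendor loads are left alone. Rule 2 will also fire on legitimate software that ships unsigned DLLs beside itself, so treat it as a hunting lead to be baselined per host rather than a high-fidelity alert, and extend the DLL name list from your own environment's signed binaries rather than from this illustrative set.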
Other open-source programs used by the threat actor include RealBlindingEDR and Alcatraz, which allow it to terminate antivirus processes and to obfuscate portable executable files (.exe, .dll, .sys, etc.), respectively, with the goal of flying under the radar.
Rounding out the cluster’s malware arsenal is a previously unknown keylogger codenamed TattleTale, first identified in August 2023, which is capable of collecting data from the Google Chrome and Microsoft Edge browsers.
“The malware is able to survey the compromised system by impersonating the logged-on user, checking for mounted physical and network drives,” the researchers explained.
“TattleTale also collects domain controller names and steals the LSA (Local Security Authority) Query Information Policy, which is known to contain sensitive information related to password policies, security settings, and possibly cached passwords.”
Simply put, the three clusters work in concert, each focused on a specific stage of the attack chain: infiltrating the target environment and conducting reconnaissance (Alpha), burrowing deep into the network using various C2 mechanisms (Bravo), and exfiltrating valuable data (Charlie).
“Throughout the attack, the attackers appear to have continually tested and improved their techniques, tools, and methods,” the researchers concluded. “As we deployed countermeasures to their bespoke malware, they tested various combinations of their custom-developed tools with general-purpose open-source tools commonly used in legitimate penetration tests.”