Chinese hacking groups are collaborating in a cyber espionage campaign

Chinese state-sponsored actors have been targeting a Southeast Asian government agency in a cyber espionage campaign that researchers track as Crimson Palace. The three activity clusters described below have been active since March 2023, with related activity observed as far back as early 2022.

According to a report from cybersecurity firm Sophos, the campaign combined new malware variants with three distinct clusters of activity whose timing and tasking indicate a coordinated operation.

While the initial access vector could not be determined, researchers observed related activity dating back to early 2022 that used a modified version of the Nupakage malware, a data-exfiltration tool previously associated with the Chinese threat group Mustang Panda.

Three activity clusters

Sophos identified three activity clusters whose tooling and tradecraft overlap with known Chinese threat groups, including ‘BackdoorDiplomacy’, ‘REF5961’, ‘Worok’, ‘TA428’ and the APT41 subgroup Earth Longzhi.

The analysts assess that the three clusters are most likely separate teams tasked by a single central authority, although they stop short of a high-confidence attribution.

Overlaps with known threat actors
Source: Sophos

Cluster Alpha (STAC1248): Active from early March to August 2023, this cluster focused on deploying updated variants of the ‘EAGERBEE’ malware, including a component that disrupts the network communications of security software on the host.

The main goal was to map server subnets and enumerate administrator accounts through reconnaissance of the Active Directory infrastructure.

The activity relied on multiple persistent command-and-control (C2) channels, including the Merlin agent, the PhantomNet backdoor, the RUDEBIRD malware, and the PowHeartBeat backdoor.

To evade detection, the threat actor abused living-off-the-land binaries (LOLBins) to persist as Windows services running with SYSTEM privileges, and side-loaded eight distinct malicious DLLs through legitimate Microsoft-signed executables, so that the malicious code ran inside trusted, signed processes.
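DLL side-loading of the kind described above leaves a recognisable footprint in image-load telemetry: a signed executable sitting in a user-writable directory loads a DLL from beside itself that carries the name of a system DLL and is not validly signed. The following hunt is an added example, not code from Sophos or from the report; the event records are constructed to mimic Sysmon Event ID 7 (ImageLoad) fields, and the directory prefixes, the DLL name list and the two-indicator threshold are assumptions a hunter would tune for their own estate.

```python
"""Hunt for DLL side-loading in Sysmon-style ImageLoad (Event ID 7) telemetry.

Added example, not code from the Sophos report. The events are constructed to
mimic Sysmon fields; the prefixes, DLL list and threshold are assumptions.
"""
import ntpath

# Directories an unprivileged user can write to. A DLL loaded from here,
# beside the executable that loads it, is the classic side-loading layout.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\windows\\tasks\\",
)

SYSTEM_DLL_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# System DLL names that signed binaries import by name and that are therefore
# popular side-loading targets (constructed, non-exhaustive list).
COMMONLY_HIJACKED = {
    "version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll",
    "cryptbase.dll", "profapi.dll", "msvcr100.dll", "libcurl.dll",
}


def _norm(path):
    return path.replace("/", "\\").lower()


def sideload_reasons(ev):
    """Return the side-loading indicators found in one ImageLoad event (empty if none)."""
    image, loaded = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    dll_dir, dll_name = ntpath.dirname(loaded), ntpath.basename(loaded)
    reasons = []
    if dll_dir == ntpath.dirname(image) and dll_dir.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("DLL loaded from beside the EXE in a user-writable directory")
    if dll_name in COMMONLY_HIJACKED and dll_dir not in SYSTEM_DLL_DIRS:
        reasons.append("system DLL name loaded from outside System32/SysWOW64")
    if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("loaded DLL is unsigned or its signature is not valid")
    return reasons


def hunt(events, min_reasons=2):
    """Return (event, reasons) pairs for events carrying at least min_reasons indicators."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry, not real events from the intrusion.
SAMPLE_EVENTS = [
    {   # a copied Microsoft-signed host EXE dropped next to a look-alike version.dll
        "Image": r"C:\Users\Public\Libraries\msdtc.exe",
        "ImageLoaded": r"C:\Users\Public\Libraries\version.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # benign: Word loading the real version.dll from System32
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # benign-looking: a vendor tool loading its own validly signed helper (one indicator)
        "Image": r"C:\Users\alice\tools\mytool.exe",
        "ImageLoaded": r"C:\Users\alice\tools\helper.dll",
        "Signed": "true", "Signature": "Example Tools Ltd", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev["Image"], "->", ev["ImageLoaded"])
        for r in reasons:
            print("   ", r)
```

Sysmon's ImageLoad event carries signature fields only for the loaded DLL, not for the loading process, so the strongest single signal (a Microsoft-signed executable running from a user-writable path) has to be joined in from process-creation events; the two-indicator threshold above keeps ordinary vendor tools that ship their own signed helper DLLs out of the results.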

Cluster Alpha activity phases
Source: Sophos

Cluster Bravo (STAC1870): Active for only three weeks in March 2023, this cluster focused on lateral movement and persistence, deploying a previously unknown backdoor called ‘CCoreDoor’ on the target systems. The backdoor established remote C2 communications, performed discovery, and dumped credentials.

The actor used renamed copies of legitimate signed binaries that are susceptible to side-loading to disguise the backdoor and to facilitate lateral movement. It also overwrote ntdll.dll in memory to unhook the Sophos endpoint protection agent process from the kernel, a common EDR-evasion technique, since user-mode security agents place hooks in ntdll.dll to observe API calls and restoring a clean copy of the library removes them.

Cluster Bravo activity
Source: Sophos

Cluster Charlie (STAC1305): Active from March 2023 to at least April 2024, this cluster focused on maintaining long-term access and carrying out extensive reconnaissance over an extended period.

The actor deployed multiple samples of a previously unidentified malware called ‘PocoProxy’, used for persistent C2 communications. It also used the HUI loader to inject a Cobalt Strike Beacon into mstsc.exe, although these attempts were blocked.

In addition, the threat actor injected a credential-harvesting tool into the LSASS process on domain controllers, performed large-scale Windows event log analysis, and ran automated ping sweeps to map users and endpoints across the network.
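Automated ping sweeps are noisy and easy to catch in flow or firewall telemetry: one source addresses many distinct destinations with ICMP echo requests inside a short window, typically walking a subnet in order. The detection below is an added example, not Sophos's code; the log lines are constructed tab-separated flow records (timestamp, source, destination, protocol, ICMP type), and the 60-second window and 16-target threshold are assumptions rather than values from the report.

```python
"""Detect ICMP ping sweeps in flow-style logs with a sliding window.

Added example, not code from the Sophos report. The log is constructed
(tab-separated: ts, src, dst, proto, icmp_type); window and threshold are
assumptions to tune against real traffic.
"""
import ipaddress
from collections import Counter, defaultdict


def parse_echo_requests(text):
    """Yield (ts, src, dst) for ICMP echo requests (type 8) in the constructed log."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, icmp_type = line.split("\t")
        if proto == "icmp" and icmp_type == "8":
            yield float(ts), src, dst


def detect_sweeps(records, window_s=60.0, min_targets=16):
    """Return {src: {"peak_targets": n, "subnets": [...]}} for sources that reached
    at least min_targets distinct destinations inside any window_s-second window."""
    by_src = defaultdict(list)
    for ts, src, dst in records:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, probes in by_src.items():
        probes.sort()
        in_window = Counter()  # dst -> probes currently inside the sliding window
        lo, peak = 0, 0
        for ts, dst in probes:
            in_window[dst] += 1
            while ts - probes[lo][0] > window_s:  # drop probes that fell out of the window
                old = probes[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            # which /24s the source touched: the "map" the sweep was building
            nets = {str(ipaddress.ip_network(f"{d}/24", strict=False)) for _, d in probes}
            alerts[src] = {"peak_targets": peak, "subnets": sorted(nets)}
    return alerts


def constructed_log():
    """Constructed flow records (not captured traffic): one sweep plus benign ICMP."""
    lines = ["# ts\tsrc\tdst\tproto\ticmp_type"]
    t0 = 1686543600.0
    for i in range(40):  # sweep: one probe every half second across a /24
        lines.append(f"{t0 + i * 0.5:.2f}\t10.20.1.57\t10.20.5.{i + 1}\ticmp\t8")
    for i in range(100):  # benign: a host pinging its gateway every 10 s
        lines.append(f"{t0 + i * 10:.2f}\t10.20.1.8\t10.20.1.1\ticmp\t8")
    for i in range(3):  # benign: a monitor polling 10 servers every 5 min
        for j in range(10):
            lines.append(f"{t0 + i * 300 + j:.2f}\t10.20.1.9\t10.20.3.{j + 10}\ticmp\t8")
    lines.append(f"{t0:.2f}\t10.20.5.7\t10.20.1.57\ticmp\t0")  # an echo reply, ignored
    return "\n".join(lines)


if __name__ == "__main__":
    for src, info in detect_sweeps(parse_echo_requests(constructed_log())).items():
        print(f"{src}: {info['peak_targets']} targets in one window, subnets {info['subnets']}")
```

Distinct destinations per window, rather than raw packet count, is what separates a sweep from a chatty host that pings one gateway all day; the monitoring server in the sample data touches ten hosts at a time and only trips the rule if the threshold is lowered to ten, which is the kind of allow-list decision a real deployment has to make.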

Cluster Charlie activity overview
Source: Sophos

The Crimson Palace campaign targeted an agency of a Southeast Asian government for cyberespionage purposes.

“We note with moderate confidence that multiple separate Chinese state-sponsored actors have been active in this high-profile Southeast Asian government organization since at least March 2022,” Sophos explains.

“While we are currently unable to make a high-confidence attribution or confirm the nature of the relationship between these clusters, our current research suggests that the clusters reflect the work of individual actors tasked by a central authority with parallel objectives in pursuing Chinese state interests,” Sophos adds.

Overall, the three clusters operated during standard Chinese working hours (8:00 AM to 5:00 PM China Standard Time, UTC+8), and each cluster worked in its own part of that day, with the three time windows not overlapping, which indicates a high level of coordination.

Combined activity (top) and cluster isolation (bottom)
Source: Sophos

Sophos also found that malicious activity peaked on certain dates, for example on June 12, 2023, a public holiday in the target country, when defenders were likely understaffed and systems were not as closely monitored.
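The two temporal observations above (non-overlapping per-cluster working windows in UTC+8, and a burst on a local public holiday) come out of a routine analysis of timestamps once they are converted to the suspected operator's time zone. The following is an added example of that analysis, not Sophos's code; the timestamps are constructed to mimic the pattern the report describes (the clusters' real activity times are not on the page), and the per-cluster windows and the 5% outlier threshold are assumptions.

```python
"""Temporal analysis of intrusion activity by cluster and local time of day.

Added example, not Sophos's code. The timestamps are constructed to mimic the
pattern the report describes (three clusters with non-overlapping windows
inside 08:00-17:00 China Standard Time, plus a burst on a public holiday);
the clusters' real timestamps are not on the page.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta, timezone

CST = timezone(timedelta(hours=8))  # China Standard Time (UTC+8)


def hour_histograms(events, tz=CST):
    """cluster -> Counter{local hour-of-day: events}; events are (utc datetime, cluster)."""
    hist = defaultdict(Counter)
    for ts, cluster in events:
        hist[cluster][ts.astimezone(tz).hour] += 1
    return hist


def cluster_windows(events, tz=CST, min_share=0.05):
    """Half-open local-hour window [first, last+1) per cluster, ignoring hours that
    carry less than min_share of that cluster's events (stray outliers)."""
    windows = {}
    for cluster, hist in hour_histograms(events, tz).items():
        total = sum(hist.values())
        busy = [h for h, n in hist.items() if n >= min_share * total]
        windows[cluster] = (min(busy), max(busy) + 1)
    return windows


def overlapping_pairs(windows):
    """Pairs of clusters whose working-hour windows intersect."""
    names = sorted(windows)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (s1, e1), (s2, e2) = windows[a], windows[b]
            if s1 < e2 and s2 < e1:
                pairs.append((a, b))
    return pairs


def working_hours_share(events, tz=CST, start=8, end=17):
    """Fraction of events whose local hour falls in [start, end)."""
    total = len(events)
    inside = sum(1 for ts, _ in events if start <= ts.astimezone(tz).hour < end)
    return inside / total if total else 0.0


def busiest_day(events, tz=CST):
    """(local date, event count) for the day with the most activity."""
    per_day = Counter(ts.astimezone(tz).date() for ts, _ in events)
    return per_day.most_common(1)[0]


def constructed_events():
    """Constructed (not observed) activity: 10 weekdays of events in assumed
    per-cluster windows, plus a Cluster Charlie burst on 12 June 2023."""
    assumed_windows = {"Alpha": (8, 11), "Bravo": (11, 14), "Charlie": (14, 17)}
    events = []
    base = date(2023, 6, 5)
    for d in range(14):
        day = base + timedelta(days=d)
        if day.weekday() >= 5:  # skip weekends
            continue
        for cluster, (start, end) in assumed_windows.items():
            for hour in range(start, end):
                for minute in (15, 45):
                    local = datetime(day.year, day.month, day.day, hour, minute, tzinfo=CST)
                    events.append((local.astimezone(timezone.utc), cluster))
    holiday_start = datetime(2023, 6, 12, 14, 0, tzinfo=CST)  # assumed holiday burst
    for m in range(0, 180, 5):
        events.append(((holiday_start + timedelta(minutes=m)).astimezone(timezone.utc), "Charlie"))
    return events


if __name__ == "__main__":
    ev = constructed_events()
    win = cluster_windows(ev)
    print("windows (CST):", win, "overlaps:", overlapping_pairs(win))
    print("share in 08-17 CST:", working_hours_share(ev), "busiest day:", busiest_day(ev))
```

Converting to the operator's suspected zone before bucketing is the whole point: the same timestamps bucketed in the victim's local time or in UTC would show a shifted, unremarkable pattern. Working-hours clustering supports, but never proves, attribution on its own; the report treats it as one signal alongside tooling overlaps and shared infrastructure.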

Due to a lack of visibility, Sophos was unable to determine the initial access vector, but assesses that the threat actor had access to the network since at least March 2022, based on a detection of the Nupakage malware, a tool typically used to exfiltrate data.

Sophos cannot attribute the activity or confirm the relationship between the three clusters with high confidence, but its researchers believe that the observed activity “represents the work of separate actors tasked by a central authority with parallel objectives in pursuing Chinese state interests.”

Although Sophos blocked the threat actor's C2 implants in August 2023 and no Cluster Alpha activity has been observed since, the researchers say that Cluster Charlie resumed after a few weeks of silence, with the adversary attempting to re-enter the network and continue its operations “at a faster pace and in a more evasive manner.”

Sophos continues to monitor intrusion activity on the target network.