Chinese state-sponsored cyberespionage Crimson Palace campaign targets Southeast Asia federal agency

Researchers from security firm Sophos have detailed Operation Crimson Palace, a set of threat clusters of Chinese state-sponsored activity targeting a Southeast Asian government agency for cyberespionage, in a campaign with precursors dating back to early 2022. The clusters were observed using tools and infrastructure that overlap with other researchers' public reporting on the Chinese threat actors BackdoorDiplomacy, REF5961, Worok, TA428, the recently designated Unfading Sea Haze, and the APT41 subgroup Earth Longzhi.

“In May 2023, in a threat hunt across Sophos Managed Detection and Response telemetry, Sophos MDR’s Mark Parsons uncovered a complex, long-running Chinese state-sponsored cyberespionage operation we have dubbed ‘Crimson Palace’ targeting a high-profile government organization in Southeast Asia,” Paul Jaramillo, Morgan Demboski, and Mark Parsons wrote in a Wednesday blog post. “MDR launched the hunt after the discovery of a DLL sideloading technique that exploited VMNat.exe, a VMware component. In the investigation that followed, we tracked at least three clusters of intrusion activity from March 2023 to December 2023. The hunt also uncovered previously unreported malware associated with the threat clusters, as well as a new, improved variant of the previously-reported EAGERBEE malware.” 

They added that in line with Sophos’ standard internal nomenclature, Sophos tracks these clusters as Cluster Alpha (STAC1248), Cluster Bravo (STAC1807), and Cluster Charlie (STAC1305). “While our visibility into the targeted network was limited due to the extent to which Sophos endpoint protection had been deployed within the organization, our investigations also found evidence of related earlier intrusion activity dating back to early 2022. This led us to suspect the threat actors had long-standing access to unmanaged assets within the network.”

The threat hunt that identified the activity clusters covered in the Sophos report began in May 2023. During the investigation, Sophos analysts identified several patterns indicating that distinct clusters of behavior were operating in the network during the same period. These included authentication data (source subnet, workstation hostname, and account usage); techniques, including specific commands and options, that the attackers used repeatedly; attacker C2 infrastructure; unique tools and the paths where they were deployed; the user accounts and hosts targeted; and the timing of the observed activity.

Based on these patterns, the Sophos researchers wrote: "We assess with moderate confidence that the espionage campaign consisted of at least three activity clusters with separate sets of infrastructure and TTPs coexisting in the target organization's network from at least March to September 2023."

Based on its investigation, Sophos assesses with high confidence that the overall goal of the Crimson Palace campaign was to maintain access to the target network for cyberespionage in support of Chinese state interests. This included accessing critical IT systems, performing reconnaissance of specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and-control (C2) communications.

Sophos also assessed with moderate confidence that these activity clusters were part of a coordinated campaign under the direction of a single organization. Sophos is sharing indicators and context for the Crimson Palace campaign in the hope of contributing to further public research and helping other defenders and analysts disrupt related activity.

Sophos identified the use of previously unreported malware that it called CCoreDoor (concurrently discovered by BitDefender) and PocoProxy, as well as an updated variant of EAGERBEE malware with new capabilities to blackhole communications to anti-virus (AV) vendor domains in the targeted organization’s network. Other observed malware variants include NUPAKAGE, Merlin C2 Agent, Cobalt Strike, PhantomNet backdoor, RUDEBIRD malware, and the PowHeartBeat backdoor.

The Crimson Palace campaign included over 15 distinct DLL sideloading scenarios, most of which abused Windows services, legitimate Microsoft binaries, and AV vendor software. The threat actors also leveraged several novel evasion techniques, such as overwriting ntdll.dll in memory to strip the user-mode API hooks through which the Sophos AV agent monitors a process (described in the report as unhooking the agent process from the kernel), abusing AV software for sideloading, and trying various techniques to find the most efficient and evasive way of executing their payloads.

“While Sophos identified three distinct patterns of behavior, the timing of operations and overlaps in compromised infrastructure and objectives suggest at least some level of awareness and/or coordination between the clusters in the environment,” the researchers revealed.

The researchers noted that while initial access occurred outside Sophos’ visibility into the organization, they observed related activity dating back to early 2022. “That included a March 2022 detection of NUPAKAGE malware (Troj/Steal-BLP), a customized tool used for exfiltration that has been publicly attributed by Trend Micro to the Chinese threat group Earth Preta (aka Mustang Panda).”

The organization later enrolled a subset of its endpoints with Sophos’ MDR service. Detections of suspicious activity prompted the MDR Operations team to investigate the organization’s estate. This included a December 2022 investigation into intrusion activity where DLL-stitching was used to obfuscate and deploy two malicious backdoors on target domain controllers. At that time, the detections Troj/Backdr-NX and ATK/Stowaway-C were deployed across Sophos customers to detect the stitched DLL payloads, and a behavioral detection was created to detect when a service DLL is added to the Windows registry.

The researchers observed Cluster Alpha activity from early March to at least August 2023. That activity included multiple sideloading attempts to deploy various malware and establish persistent C2 channels within client and server subnets. “Throughout this activity, we observed mutations of successful tactics that resulted in the same outcome, indicating the threat actors may have been leveraging the victim network as a playground to test different techniques. In addition to using unique techniques to disable AV protections and escalate privileges, the actor operating in Cluster Alpha prioritized comprehensively mapping server subnets, enumerating administrator accounts, and conducting reconnaissance on Active Directory infrastructure,” they added.

"While the activity in the other two clusters spanned over several months, activity in Cluster Bravo was only observed in the targeted organization's environment for a three-week span in March 2023 (coinciding with the first session of China's 14th National People's Congress)," the researchers noted. "Characterized as a mini cluster because of its short duration, Cluster Bravo activity was primarily focused on using valid accounts to spread laterally throughout the network, with the goal of sideloading a novel backdoor to establish C2 communications and maintain persistence on target servers."

Sophos observed Cluster Charlie activity in the target network for the longest period, with operations spanning from March 2023 to at least April 2024. Appearing to prioritize maintaining its access, the actor deployed multiple implants of a previously unidentified malware, dubbed PocoProxy, to establish persistence on target systems and rotate to new external C2 infrastructure.

Based on combined aspects of victimology, temporal analysis, infrastructure, tooling, and actions on objectives, Sophos assesses with high confidence the observed activity clusters are associated with Chinese state-sponsored operations.

“In addition to the timing of activity in the clusters aligning with standard Chinese working hours, several observed TTPs overlap with industry reporting on Chinese-nexus actors,” the post said. “Furthermore, the target network is a high-profile government organization in a Southeast Asian country known to have repeated conflict with China over territory in the South China Sea. We assess the goal behind this campaign is long-term espionage, evidenced by the three clusters creating redundant C2 channels across the network to ensure persistent access and collect information related to Chinese state interests.”

In its conclusion, Sophos assesses with moderate confidence that multiple distinct Chinese state-sponsored actors have been active in this high-profile Southeast Asian government organization since at least March 2022. “Though we are currently unable to perform high-confidence attribution or confirm the nature of the relationship between these clusters, our current investigation suggests that the clusters reflect the work of separate actors tasked by a central authority with parallel objectives in pursuit of Chinese state interests,” it added.

“While this report is focused on Crimson Palace activity through August of 2023, we continue to observe related intrusion activity targeting this organization,” according to the post. “Following our actions to block the actors’ C2 implants in August, the threat actors went quiet for a several-week period. Cluster Alpha’s last active known implant ceased C2 communications in August 2023, and we have not seen the cluster of activity re-emerge in the victim network. However, the same cannot be said for Cluster Charlie.”
