Crimson Palace Resurfaces: Chinese Cyberespionage Campaign Expands in Southeast Asia
Sophos X-Ops released a report detailing renewed cyberespionage efforts by what they assess with high confidence as a Chinese state-directed cyber operation.
Introduction
On September 10, 2024, Sophos X-Ops released a report detailing renewed cyberespionage efforts by what they assess with high confidence as a Chinese state-directed cyber operation. The campaign, codenamed Operation Crimson Palace, has re-emerged, targeting multiple government and public service organizations across Southeast Asia.
Sophos X-Ops previously tracked three distinct security threat activity clusters (STACs) involved in this campaign—Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305)—from March to August 2023. All activity went dormant in late 2023, but recent telemetry shows a resumption of Cluster Charlie operations, now expanded across multiple sectors.
Sophos Managed Detection and Response (MDR) first observed suspicious activity at a prominent Southeast Asian government agency in early 2023, which led to the identification of the three threat activity clusters involved in the espionage campaign. Each cluster exhibited distinct tactics, techniques, and procedures (TTPs), allowing Sophos to track them separately. After the period of dormancy, Sophos observed Cluster Charlie resurface with new tools and techniques, including a custom keylogger named TattleTale.
Report Overview
In the second phase of Crimson Palace, threat actors associated with Cluster Charlie combined open-source and off-the-shelf tooling with custom malware to evade detection. To regain and maintain access, the attackers reused previously stolen credentials and deployed web shells on compromised Microsoft Exchange servers.
In late 2023, Sophos blocked Cluster Charlie's custom implants, which forced the group to pivot to new techniques:
- Havoc C2 framework: an open-source post-exploitation command and control (C2) framework, used to task and control implants after the custom ones were blocked.
- Cobalt Strike: a commercial adversary-simulation framework, used as part of their C2 infrastructure.
- SharpHound: the BloodHound collector, deployed to enumerate Active Directory and map the target's domain infrastructure.
Attackers also sideloaded malicious DLLs via legitimate signed processes, a technique that runs attacker code under the identity of a trusted binary and lowers the chance that endpoint protection flags it. They executed tasks remotely to move laterally across networks and used scheduled tasks to maintain their foothold.
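The two persistence and evasion patterns described above, side-loading into a trusted host process and scheduling a task that runs a DLL, are both visible in endpoint telemetry. The following is an added example (not Sophos detection content) of the logic a hunter would run over Sysmon-style events; field names follow Sysmon (EventID, Image, ImageLoaded, Signed, CommandLine), while the event records, paths, and task names are constructed for the demo. The host process names come from the IOC table below (the swprv service host svchost.exe and swi_update.exe).

```python
"""Detection logic for DLL side-loading and scheduled-task persistence over
Sysmon-style telemetry. Added example, not Sophos's detection content; the
event records, hosts, paths and task names below are constructed."""
import re
from pathlib import PureWindowsPath

# Directories Windows loads its own DLLs from.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Path fragments that indicate a user-writable location (assumption: the usual drop sites).
USER_WRITABLE_HINTS = ("\\programdata\\", "\\users\\", "\\temp\\", "\\appdata\\")

# Host processes the IOC table names as side-loading targets: svchost.exe
# (hosting the swprv / MSiSCSI services) and the swi_update.exe updater.
SIDELOAD_HOST_IMAGES = {"svchost.exe", "swi_update.exe"}

TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)  # schtasks /tr <action>
DLL_RE = re.compile(r'[a-z]:\\[^,\s"]+?\.dll', re.I)     # DLL paths inside the action

# Constructed Sysmon-like records: EventID 7 = image load, EventID 1 = process create.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\swprv.dll", "Signed": True},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\ProgramData\Update\swprv.dll", "Signed": False},
    # Classic side-load: a copied legitimate host binary plus a malicious DLL beside it.
    {"EventID": 7, "Image": r"C:\Users\Public\Sophos\swi_update.exe",
     "ImageLoaded": r"C:\Users\Public\Sophos\libcrypto.dll", "Signed": False},
    {"EventID": 7, "Image": r"C:\Program Files\Sophos\AutoUpdate\swi_update.exe",
     "ImageLoaded": r"C:\Program Files\Sophos\AutoUpdate\swi_update.dll", "Signed": True},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Update" /tr "rundll32 C:\ProgramData\Update\x.dll,Run" /sc minute'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr "C:\Windows\System32\wbadmin.exe" /sc daily'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
]


def is_trusted_dir(path):
    """True if path sits in (or under) one of the trusted system DLL directories."""
    d = str(PureWindowsPath(path).parent).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DLL_DIRS)


def in_user_writable(path):
    return any(h in str(path).lower() for h in USER_WRITABLE_HINTS)


def sideload_alerts(events):
    """EventID 7: flag a watched host process loading a DLL from outside the trusted
    directories when the DLL is unsigned or either file lives in a user-writable path."""
    alerts = []
    for e in events:
        if e["EventID"] != 7:
            continue
        image, loaded = PureWindowsPath(e["Image"]), PureWindowsPath(e["ImageLoaded"])
        if image.name.lower() not in SIDELOAD_HOST_IMAGES or is_trusted_dir(loaded):
            continue
        if not e["Signed"] or in_user_writable(loaded) or in_user_writable(image):
            alerts.append((image.name.lower(), str(loaded)))
    return alerts


def scheduled_task_alerts(events):
    """EventID 1: flag schtasks /create whose action runs a DLL from outside the
    trusted directories (rundll32-style persistence)."""
    alerts = []
    for e in events:
        low = e.get("CommandLine", "").lower()
        if e["EventID"] != 1 or "schtasks" not in low or "/create" not in low:
            continue
        m = TR_RE.search(e["CommandLine"])
        if not m:
            continue
        action = m.group(1) or m.group(2)
        for dll in DLL_RE.findall(action):
            if not is_trusted_dir(dll):
                alerts.append((e["Image"], dll))
    return alerts


if __name__ == "__main__":
    for a in sideload_alerts(SAMPLE_EVENTS) + scheduled_task_alerts(SAMPLE_EVENTS):
        print("ALERT", a)
```

The signed-DLL-beside-an-installed-binary case is deliberately left quiet: a side-load usually shows up as either an unsigned DLL or a known host binary running from a directory the attacker could write to, and keying on those two signals keeps the rule from firing on every application-local DLL load.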
The renewed activity primarily impacted Southeast Asian government agencies and public service organizations. Sophos identified at least 11 new entities compromised during this phase, indicating the attackers' growing reach. Organizations with critical government functions were particularly targeted, raising concerns about the theft of sensitive data, including intelligence and login credentials.
Insights and Analysis
According to Sophos X-Ops, the main objective of these renewed attacks was to exfiltrate valuable intelligence. Cluster Charlie specifically focused on mapping the network environment and capturing login credentials. Their techniques suggest a systematic approach to establishing a long-term presence in the target networks.
Sophos advises organizations, especially those in government and critical sectors, to implement the following measures to protect against Crimson Palace and similar espionage campaigns:
- Multi-factor authentication (MFA): reduce reliance on passwords alone, especially for sensitive systems and remote access, so that stolen credentials are not enough on their own.
- Endpoint Detection and Response (EDR): deploy EDR capable of surfacing behaviours such as DLL side-loading, process injection, and beaconing to C2 infrastructure.
- Regular network audits: conduct frequent internal audits to detect anomalies in network traffic and login patterns.
- Patch management: keep all critical systems, including internet-facing services such as Exchange, updated to prevent exploitation of known vulnerabilities.
The resurgence of Operation Crimson Palace demonstrates the evolving nature of state-sponsored espionage campaigns. Organizations in Southeast Asia and beyond must remain vigilant as attackers continue refining their tactics to evade detection and achieve their objectives.
Indicators of Compromise (IOC)
| Indicator | Type | Description |
|---|---|---|
| 58a7be39056c2084bbb4aec9843db732dfe115ec4ee0c7cc4cf8884621b5142d | sha256 | Malicious file used with a command line containing '172.19.120[.]60 65211' and '178.128.221[.]202 443' |
| 776d427a19d8389464f855b2f70e0ac11e896162a9f9b50bcb23f0f0aea5044f | sha256 | Malicious DLL |
| 430bf24c9a7843895cb266b440c1f911ae600a7e6b8f3885d1c000622da52b2b | sha256 | Malicious DLL |
| a22b8ef40b8abe2bd7161f425484e82207f322fef1d0562de5bf98e2f642b477 | sha256 | EDR unhooking: clean copy of ntdll.dll |
| cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272 | sha256 | SharpHound/BloodHound |
| e65645af3894ec55f0b55472302d288e860a10d97bc19b699facc400f778c4ee | sha256 | DonutLoader |
| fa7d4fb4b43e1672c7f4656cd4275c330c2e13aff8451d68e4f305e5e5aea395 | sha256 | Havoc |
| e5620b4b6371b786c72e830dc24012354642b7067bd5902da7073ce0421456b7 | sha256 | Malicious DLL sideloaded by the swprv service; also reported as MSiSCSI payload |
| 6d94049b24c6ac2373d3b517515fcaeeb392458342bbb5ad4c4316e124805b5b | sha256 | Malicious DLL sideloaded by swi_update.exe |
| 3cc8e21798462468d3bc05ddef35a558fe0dff268c433d42bd01385155084f53 | sha256 | Malicious file, no execution data |
| da9a53ff7486cf128e5ba80e66fcf3b1d8993d553bd9634ae8e90cbab31fd8da | sha256 | Havoc |
| 8b16a3a3047f0eb93ef2b55613a76a9f5f19506428895a5ffbb3c1c44780aad7 | sha256 | Havoc |
| 75403191ee834075ab5334e92bda8aab267545a03ed5ed3508db36f21f4acf50 | sha256 | Havoc / Xiebro (uncertain) |
| 609fc96700f49f7fdfa71248e642a4dfcd8b3d35f6da3b7c2ce7daad25a844a9 | sha256 | Web shell |
| e4b7a1372233aef6d495743bb726fcd5037d4e90e043085498c21587335d36c7 | sha256 | Havoc (uncertain) |
| 5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655 | sha256 | Web shell |
| bdcedd81555c9c2eb9f4329626c27ec8c7b91a0f2a9f6e0c55dbcd3f99e82b5d | sha256 | Shellcode loader |
| 4995b91badc8f9bf549548a734d3c14fa2a1c21080743484028b5362440808a0 | sha256 | Shellcode loader for Havoc |
| 4dd0debf03eeb938fbaca1f1fd391523358c23cbf18959a149c29133cc3c9cae | sha256 | Shellcode loader for Havoc |
| 101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86 | sha256 | Web shell |
| 9ccf0e46f6aadbb20f4c269d8ac85cc9b4e6ce56bf226d45eda4347a20785c88 | sha256 | Web shell |
| 1622ef497f2b767a43e25bcd9a9a629cbe7bed49cb27dc4f08fe0863730580d9 | sha256 | Havoc |
| 5298c1aadac203285c8a95a4e3f62ec14b984729bf768a405c8028291e34fe1b | sha256 | Invoke WMI |
| 299b1e82f6941cc049a16c7854230fb37c97af32e2cf5cb335495f42446dc43f | sha256 | Shellcode loader for Havoc / DonutLoader (uncertain) |
| c36173f28bfd99db86533d5fdb0ce4dd565488ca56d4b9df1997ee9201b3b704 | sha256 | Shellcode loader for Havoc |
| 8d54da0f807d771edb1197e463cdff8848651e14745c4c468386c31953c340ff | sha256 | Shellcode loader for Havoc |
| 71ccc2c30dc43f20833c3e54d1fe86f8b68263d876461a3f7f7f8702e92cbe81 | sha256 | Alcatraz (GitHub project) EDR evasion |
| d86790104f59b89edbdb1478f320d4589155d465d4710bcb57ff015383eefb38 | sha256 | Shellcode loader |
| 2892aa48e12e72ba25c4caa9471b41ce316624ff98ed79f56e3c6b3a51026504 | sha256 | DonutLoader |
| b67d50652be6be9997b4b0fe386964a89ed7df078577929aff0910f774b03996 | sha256 | Havoc (shellcode loader, uncertain) |
| c6e1bf2b7ac0fd3c34761099d2ec17fccd0604e2e62e94f297943260d15368ce | sha256 | Shellcode loader |
| f30b04a9ebc95c50fdc116260068d4d8da8005104b6366c29d0f24dbbf798957 | sha256 | TattleTale malware (uncertain) |
| 4600ddd81ccc18eca2b1bc272250b14217d866dee2a11e168b6122c1adb1ea64 | sha256 | Keylogger that writes captured keystrokes to C:\Users\public\log.dat |
| fb2e5baba8c69ddac2abc8b6881aaebd0578ac121363f0c3505294ed8c86f861 | sha256 | Shellcode loader (injects Cobalt Strike reflective loader into svchost.exe) |
| ff71eef0f1d7b26e1946cb700e9f41ccb920a5ace45c56ee9f80a9537070f120 | sha256 | Cobalt Strike payload |
| 3414b510afa61ad74f4ec44b3838fa0fbb860b29b5b7173c8043656b49fbe14e | sha256 | C2 implant |
| 141.136.44.219 | ip | Havoc C2 |
| gsenergyspeedtest.com | domain | Cobalt Strike C2 |
| 45.77.46.245:443 | ip_port | Havoc C2 |
| 191.96.53.132 | ip | XiebroC2 |
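A table like the one above is only useful once it is run against an estate. The following is an added example (not Sophos tooling) of a minimal sweep: it hashes every file under a directory tree against a subset of the SHA-256 indicators above, and scans log lines for the listed C2 addresses after undoing the usual `[.]` defanging. The hashes and network indicators are copied from the table; the sample files and log lines are constructed for the demo and are not real artefacts.

```python
"""Match the Crimson Palace IOC table against a directory tree and a network
log. Added example, not Sophos tooling. SHA-256 values and C2 indicators come
from the table; the sample files and log lines are constructed for the demo."""
import hashlib
import re
import tempfile
from pathlib import Path

# Subset of file hashes from the IOC table (sha256 -> description).
IOC_SHA256 = {
    "4600ddd81ccc18eca2b1bc272250b14217d866dee2a11e168b6122c1adb1ea64": "Keylogger (writes C:\\Users\\public\\log.dat)",
    "fa7d4fb4b43e1672c7f4656cd4275c330c2e13aff8451d68e4f305e5e5aea395": "Havoc",
    "cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272": "SharpHound/BloodHound",
    "ff71eef0f1d7b26e1946cb700e9f41ccb920a5ace45c56ee9f80a9537070f120": "Cobalt Strike payload",
}

# Network indicators from the table, stored refanged; scanned input may be defanged.
IOC_NETWORK = {
    "141.136.44.219": "Havoc C2",
    "45.77.46.245": "Havoc C2",
    "191.96.53.132": "XiebroC2",
    "gsenergyspeedtest.com": "Cobalt Strike C2",
}

# Constructed log lines; the second is defanged the way shared intel often is,
# the fourth is a near-miss that must not match.
SAMPLE_LOG = [
    "2024-08-02T10:14:03Z proxy src=10.1.2.3 dst=gsenergyspeedtest.com:443 action=allow",
    "2024-08-02T10:15:11Z fw src=10.1.2.9 dst=45[.]77[.]46[.]245:443 action=allow",
    "2024-08-02T10:16:40Z proxy src=10.1.2.3 dst=update.example.com:443 action=allow",
    "2024-08-02T10:17:02Z fw src=10.1.2.9 dst=45.77.46.2451:443 action=allow",
]


def refang(text):
    """Undo common defanging so indicators compare equal."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, ioc_hashes=IOC_SHA256):
    """Hash every regular file under root; return (path, sha256, description) hits."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest = sha256_file(p)
            if digest in ioc_hashes:
                hits.append((str(p), digest, ioc_hashes[digest]))
    return hits


def scan_log_lines(lines, ioc_network=IOC_NETWORK):
    """Return (line_number, indicator, description) for lines touching a C2 indicator.
    The trailing lookahead stops an indicator matching as a prefix of a longer
    address; the leading one still lets a subdomain of a listed domain match."""
    patterns = {ind: re.compile(r"(?<![\w-])" + re.escape(ind) + r"(?![\w.-])", re.I)
                for ind in ioc_network}
    hits = []
    for n, raw in enumerate(lines, 1):
        line = refang(raw)
        for ind, pat in patterns.items():
            if pat.search(line):
                hits.append((n, ind, ioc_network[ind]))
    return hits


def demo_sweep():
    """Build a scratch tree with a benign file and a stand-in 'sample' whose hash is
    added to a copy of the IOC set (constructed; no real malware is written)."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "readme.txt").write_bytes(b"nothing to see here\n")
        sample = Path(d) / "ProgramData" / "swprv.dll"
        sample.parent.mkdir()
        sample.write_bytes(b"constructed stand-in for a sideloaded DLL\n")
        iocs = dict(IOC_SHA256)
        iocs[sha256_file(sample)] = "constructed demo sample"
        return [(Path(p).name, desc) for p, _, desc in sweep_files(d, iocs)]


if __name__ == "__main__":
    print(demo_sweep())
    print(scan_log_lines(SAMPLE_LOG))
```

Hash matching only catches the exact samples Sophos saw; the loaders and DLLs in this campaign were rebuilt as Sophos blocked them, so pair the sweep with the behavioural checks (side-loading, scheduled tasks, web shells on Exchange) rather than relying on it alone.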
MITRE ATT&CK Techniques
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Persistence | Server Software Component: Web Shell | T1505.003 | Web shells deployed on compromised Exchange servers to maintain access. |
| Persistence | Valid Accounts | T1078 | Previously stolen credentials reused to regain and maintain access. |
| Execution, Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 | Scheduled tasks used to execute malicious DLLs and keep a foothold. |
| Execution | Windows Management Instrumentation | T1047 | WMI invoked for remote task execution. |
| Defense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002 | Malicious DLLs loaded by legitimate processes (the swprv service host, swi_update.exe). |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | EDR unhooking via a clean copy of ntdll.dll; Alcatraz-based evasion. |
| Defense Evasion | Process Injection | T1055 | Shellcode loader injecting a Cobalt Strike reflective loader into svchost.exe. |
| Discovery | Account Discovery: Domain Account | T1087.002 | Active Directory enumeration and mapping with SharpHound/BloodHound. |
| Discovery | System Network Configuration Discovery | T1016 | Reconnaissance of network configuration on compromised hosts. |
| Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | RDP used for lateral movement between systems. |
| Collection | Input Capture: Keylogging | T1056.001 | TattleTale keylogger used to capture login credentials and system data. |
| Command and Control | Application Layer Protocol | T1071 | Havoc and Cobalt Strike beaconing to attacker-controlled C2 infrastructure. |