Chinese Cyber Espionage Campaign Targets Asian Infrastructure with Web Server Exploits and Mimikatz

A sophisticated cyber espionage campaign has been identified targeting high-value organizations across South, Southeast, and East Asia. Attributed to a Chinese threat actor tracked as CL-UNK-1068, the campaign has been active for several years against the aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors.

Identification of CL-UNK-1068

Palo Alto Networks’ Unit 42 uncovered this previously undocumented group and assesses with moderate-to-high confidence that its primary objective is cyber espionage. The group’s toolkit comprises custom malware, modified open-source utilities, and living-off-the-land binaries (LOLBINs), a mix that lets the attackers maintain a persistent presence in targeted environments while leaving few bespoke artifacts for defenders to signature.

Technical Arsenal and Methodologies

CL-UNK-1068’s arsenal covers both Windows and Linux systems. The group combines open-source utilities and malware families, including Godzilla, ANTSWORD, Xnote, and Fast Reverse Proxy (FRP). Godzilla and ANTSWORD are web shells; FRP is a reverse-proxy tool that tunnels traffic from inside a compromised network out to attacker-controlled infrastructure; and Xnote is a Linux backdoor active since 2015 that was previously used by Earth Berberoka (aka GamblingPuppet) in attacks on online gambling sites.

Attack Chain and Lateral Movement

The typical attack sequence begins with exploiting an internet-facing web server to deploy a web shell, which then serves as the foothold for lateral movement to other hosts. From the c:\inetpub\wwwroot directory of Windows (IIS) web servers, the attackers attempt to exfiltrate web.config files and files with the .aspx, .asmx, .asax, and .dll extensions. This is most likely aimed at harvesting credentials (web.config commonly holds database connection strings and application keys) and at finding exploitable weaknesses in the application code itself.

Additionally, CL-UNK-1068 harvests web browser history and bookmarks, XLSX and CSV files from desktops and user directories, and database backup (.bak) files from MS-SQL servers. For exfiltration, the group archives the files with WinRAR, Base64-encodes the archive with certutil -encode, and prints the encoded text through the web shell, so it arrives in the HTTP response the attacker is already reading. The data leaves the network as ordinary web traffic from the server, with no separate file transfer and no new outbound connection, which sidesteps controls that watch for uploads or unusual egress.
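The practical consequence of that exfiltration method is that the stolen archive may survive only as text inside captured HTTP response bodies (a WAF or proxy that logs full responses, or a PCAP). The script below is an added example, not code from the original report or from the threat actor: it reproduces the text layout certutil -encode produces (PEM certificate markers around Base64 wrapped at 64 characters) to build a constructed sample, then shows how to pull such blocks back out of a web shell response, decode them, and confirm the result is a RAR archive by its signature. The sample response, archive bytes and command echo are all constructed for the example.

```python
import base64
import re
import textwrap

# RAR4 and RAR5 archive signatures; WinRAR output starts with one of these.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

# certutil -encode wraps its Base64 output in PEM-style certificate markers.
_CERTUTIL_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def certutil_encode(data: bytes) -> str:
    """Reproduce the text layout of `certutil -encode`: certificate markers
    around Base64 wrapped at 64 characters per line, CRLF line endings.
    Used here only to build a self-contained sample."""
    body = "\r\n".join(textwrap.wrap(base64.b64encode(data).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\r\n{body}\r\n-----END CERTIFICATE-----\r\n"


def extract_certutil_blobs(text: str) -> list[bytes]:
    """Locate every certutil-style block in `text` (for example a captured
    web shell response body) and decode it, tolerating surrounding HTML,
    line wrapping and stray whitespace."""
    blobs = []
    for match in _CERTUTIL_BLOCK.finditer(text):
        compact = re.sub(r"\s+", "", match.group(1))
        try:
            blobs.append(base64.b64decode(compact, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def looks_like_rar(data: bytes) -> bool:
    return data.startswith(RAR_SIGNATURES)


def recover_archives(response_body: str) -> list[bytes]:
    """Decoded blocks that carry a RAR signature, i.e. the archives that
    went out through the web shell."""
    return [b for b in extract_certutil_blobs(response_body) if looks_like_rar(b)]


# Constructed sample: a fake RAR5 archive (real signature, filler payload)
# embedded in the HTML a web shell's command-output page might return.
SAMPLE_ARCHIVE = RAR_SIGNATURES[1] + bytes(range(256)) * 2
SAMPLE_RESPONSE = (
    "<html><body><pre>C:\\inetpub\\wwwroot&gt; certutil -encode data.rar out.txt\r\n"
    "CertUtil: -encode command completed successfully.\r\n"
    "C:\\inetpub\\wwwroot&gt; type out.txt\r\n"
    + certutil_encode(SAMPLE_ARCHIVE)
    + "</pre></body></html>"
)

if __name__ == "__main__":
    for blob in recover_archives(SAMPLE_RESPONSE):
        print(f"recovered {len(blob)} bytes, RAR5 header: {blob.startswith(RAR_SIGNATURES[1])}")
```

On the detection side, the same chain is loud in process telemetry: rar.exe or certutil.exe with -encode running as a descendant of the IIS worker process w3wp.exe is not something a web application does on its own.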

Advanced Techniques and Tools

The attackers use legitimate Python executables (python.exe and pythonw.exe) as hosts for DLL side-loading: a malicious DLL carrying the name of a library the interpreter loads at startup is placed beside the signed binary, which then loads and executes the attacker’s code. Payloads delivered this way include FRP for persistent access, PrintSpoofer for local privilege escalation, and a custom Go-based port scanner named ScanPortPlus. Reconnaissance has evolved from a custom .NET tool named SuperDump, in use since 2020, to batch scripts that collect host information and map the local environment.
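Because the host binary is a clean, signed interpreter, hunting for this technique means looking at where the interpreter runs from and what it loads next to itself, not at the executable. The following is an added example, not code from the report: it applies that logic to constructed Sysmon Event ID 7 (ImageLoad) records, flagging python.exe or pythonw.exe loading a DLL from its own directory when the interpreter is outside a standard install location or the DLL is unsigned or signed by an unexpected party. The trusted directory patterns, the expected signer names, and all sample records are assumptions made for the example and should be tuned to the estate.

```python
import ntpath
import re

PYTHON_HOSTS = {"python.exe", "pythonw.exe"}

# Where a Python interpreter legitimately lives (assumption: adjust to the
# estate's build standard). Anything else is treated as a drop location.
TRUSTED_PYTHON_DIRS = [
    re.compile(r"^c:\\program files( \(x86\))?\\python\d+(-32)?$"),
    re.compile(r"^c:\\python\d+$"),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\programs\\python\\python\d+$"),
]
# Signers expected on DLLs shipped in a Python install directory (assumption).
EXPECTED_SIGNERS = {"Python Software Foundation", "Microsoft Corporation"}


def _trusted_dir(path: str) -> bool:
    return any(p.match(path) for p in TRUSTED_PYTHON_DIRS)


def side_load_findings(records: list[dict]) -> list[dict]:
    """Flag ImageLoad events where python.exe/pythonw.exe loads a DLL from
    its own directory (the side-loading pattern) and either the interpreter
    runs from an unexpected location or the DLL is unsigned/mis-signed."""
    findings = []
    for rec in records:
        image = rec["Image"].lower()
        if ntpath.basename(image) not in PYTHON_HOSTS:
            continue
        host_dir = ntpath.dirname(image)
        dll_dir = ntpath.dirname(rec["ImageLoaded"].lower())
        if dll_dir != host_dir:
            continue  # OS libraries loaded from System32 are not side-loaded
        reasons = []
        if not _trusted_dir(host_dir):
            reasons.append("interpreter running from non-standard directory")
        if rec.get("Signed", "").lower() != "true":
            reasons.append("side-by-side DLL is unsigned")
        elif rec.get("Signature") not in EXPECTED_SIGNERS:
            reasons.append(f"unexpected signer: {rec.get('Signature')}")
        if reasons:
            findings.append({"host": rec["Image"], "dll": rec["ImageLoaded"], "reasons": reasons})
    return findings


# Constructed Sysmon Event ID 7 records, reduced to the fields the rule uses.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Program Files\Python311\python.exe",          # clean install
     "ImageLoaded": r"C:\Program Files\Python311\python311.dll",
     "Signed": "true", "Signature": "Python Software Foundation"},
    {"Image": r"C:\ProgramData\tools\pythonw.exe",               # dropped copy + unsigned DLL
     "ImageLoaded": r"C:\ProgramData\tools\python311.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Python311\python.exe",          # OS library, ignored
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\inetpub\wwwroot\upload\python.exe",           # interpreter under the web root
     "ImageLoaded": r"C:\inetpub\wwwroot\upload\vcruntime140.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"Image": r"C:\Program Files\Python311\python.exe",          # swapped DLL in a real install
     "ImageLoaded": r"C:\Program Files\Python311\python3.dll",
     "Signed": "true", "Signature": "Contoso Ltd"},
]

if __name__ == "__main__":
    for f in side_load_findings(SAMPLE_IMAGE_LOADS):
        print(f["host"], "->", f["dll"], ";", "; ".join(f["reasons"]))
```

The same shape applies to any signed host binary the group might pick; only PYTHON_HOSTS and the directory patterns change.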

Credential Theft Mechanisms

CL-UNK-1068 utilizes various tools for credential theft, including:

– Mimikatz: Dumps plaintext passwords, NTLM hashes, and Kerberos tickets from LSASS process memory.

– LsaRecorder: Hooks LsaApLogonUserEx2, the authentication-package routine LSASS calls to validate logons, to record the cleartext passwords users enter at WinLogon.

– DumpItForLinux and the Volatility Framework: DumpItForLinux captures a physical memory image of a Linux host, and Volatility is then used to extract password hashes from the image.

– SQL Server Management Studio Password Export Tool: Extracts the saved connection information that Microsoft SQL Server Management Studio (SSMS) stores in sqlstudio.bin, which can include remembered server credentials.
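Every Windows tool in that list ends up reading credential material out of LSASS, and the handle it has to open first is the common detection point. The script below is an added example, not code from the report: it evaluates constructed Sysmon Event ID 10 (ProcessAccess) records and flags any process outside an allowlist that opens lsass.exe with PROCESS_VM_READ, the access right needed to read another process’s memory, rating the finding higher when the handle requests full access or the call stack includes frames from unbacked memory. The allowlist entries, the sample events, and their call traces are assumptions made for the example and need tuning to the AV/EDR actually deployed.

```python
import ntpath

PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes that legitimately read lsass.exe memory on a typical host
# (assumption: tune to the estate's AV/EDR; matched on full lower-case path).
LSASS_READ_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def lsass_access_findings(events: list[dict]) -> list[dict]:
    """Flag Sysmon Event ID 10 records in which a process outside the
    allowlist opens lsass.exe with PROCESS_VM_READ, the right that
    Mimikatz-style dumpers need in order to read credential material."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["TargetImage"]).lower() != "lsass.exe":
            continue
        access = int(ev["GrantedAccess"], 16)
        if not access & PROCESS_VM_READ:
            continue  # query-only handles cannot read memory
        source = ev["SourceImage"].lower()
        if source in LSASS_READ_ALLOWLIST:
            continue
        # Frames from memory not backed by a file appear as UNKNOWN in
        # CallTrace, a common sign of injected or reflectively loaded tooling.
        unbacked = "unknown" in ev.get("CallTrace", "").lower()
        severity = "high" if (access == PROCESS_ALL_ACCESS or unbacked) else "medium"
        findings.append({"source": ev["SourceImage"], "access": hex(access), "severity": severity})
    return findings


LSASS = r"C:\Windows\system32\lsass.exe"
# Constructed Sysmon Event ID 10 records; offsets in CallTrace are made up.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4"},
    {"SourceImage": r"C:\inetpub\wwwroot\upload\m.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010",   # VM_READ | QUERY_INFORMATION, a classic dumper request
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2f7e4|C:\inetpub\wwwroot\upload\m.exe+1a2b"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1400", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4"},
    {"SourceImage": r"C:\Users\Public\python.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|UNKNOWN(000001F4A3C20000)"},
]

if __name__ == "__main__":
    for f in lsass_access_findings(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["source"], f["access"])
```

Two of the constructed events survive the filter: the dropped m.exe under the web root (medium) and the python.exe copy in a public directory that asked for full access from unbacked code (high), which matches the DLL side-loading pattern described earlier.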

Implications and Conclusions

By relying mainly on open-source tools, community-shared malware, and batch scripts, CL-UNK-1068 has conducted stealthy operations against critical organizations without needing a large bespoke toolset. The group’s versatility shows in its ability to operate across both Windows and Linux environments, adapting its tooling to each. While the focus on credential theft and the exfiltration of sensitive data from critical infrastructure and government sectors strongly suggests an espionage motive, a financially motivated element cannot be entirely ruled out.