Operation Tainted Love | Chinese APTs Target Telcos in New Attacks

SentinelLabs and QGroup describe attacks in Q1 2023 against Middle East telecoms, linked to the Operation Soft Cell activity and likely conducted by a Chinese cyberespionage group in the Gallium/APT41 nexus. The operation centers on mim221, a maintained credential-theft toolkit with anti-detection features, deployed after webshells are placed on Exchange servers, to enable reconnaissance, credential theft, and lateral movement. #OperationSoftCell #Gallium #APT41 #mim221 #Exchange #Telecom

Keypoints

  • Initial threat activity targeted telecommunication providers in the Middle East in early 2023, representing an evolution of Operation Soft Cell tooling.
  • Attribution points to a Chinese cyberespionage actor in the Gallium/APT41 space, though exact grouping remains unclear.
  • mim221, a new dropper/credential-theft capability, has a multi-component architecture (pc.exe, AddSecurityPackage64.dll, pc.dll, getHashFlsa64.dll) with anti-detection features.
  • Attack chain begins with webshells on Internet-facing Exchange servers, followed by reconnaissance, credential theft, lateral movement, and exfiltration.
  • Credential theft relies on modified Mimikatz variants staged in LSASS via Security Package injection, using in-memory loading and other detection-evading techniques.
  • Attribution rests on similarities with Soft Cell tooling and potential overlap with APT41, including shared code-signing certificates and code fragments.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The initial intrusion targeted Internet-facing Microsoft Exchange servers to deploy webshells for command execution. Quote: “The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy webshells used for command execution.”
  • [T1059] Command-Line Interface – Use of cmd.exe commands to run discovery and collection utilities. Quote: “cmd” /c cd /d C:\MS_DATA&dsquery * -limit 0 -filter …
  • [T1033] Account Discovery – Discovery of user accounts and AD objects. Quote: dsquery * -limit 0 -filter “(&(objectClass=User)(objectCategory=Person))” -attr objectSID sAMAccountName displayName mail memberOf
  • [T1021] Remote Services – Lateral movement using PsExec and net use to access remote resources. Quote: “net use [IP ADDRESS] [PASSWORD] /u:[DOMAIN]\[USERNAME]”
  • [T1003] Credential Dumping – Custom modified Mimikatz components used to steal LSASS credentials. Quote: “The attackers employ custom modified versions of Mimikatz… to steal credentials from the Local Security Authority Subsystem Service (LSASS).”
  • [T1620] Reflective Code Loading – Reflective in-memory loading of DLLs to evade disk-based detection. Quote: “reflectively loads and executes the code credential theft component” and “Reflective image loading.”
  • [T1562] Impair Defenses – Disabling Windows event logging by terminating Event Log service threads. Quote: “Disabling Windows event logging by killing threads of the Windows Event Log service without stopping the service itself.”
  • [T1134] Access Token Manipulation – Obtaining SeDebugPrivilege/SYSTEM by access token impersonation. Quote: “Obtaining the SeDebugPrivilege and SYSTEM privilege by access token impersonation.”
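As an added example, not code from the SentinelLabs report or this page, the following Python triage routine applies the behaviours quoted above (IIS worker spawning a shell, the dsquery user-enumeration filter, net use with explicit credentials, the report's working directories) to constructed process-creation records; the record field names and sample values are assumptions.

```python
import re

# Working directories named in the report (compared case-insensitively).
SUSPECT_DIRS = {r"c:\ms_data", r"c:\windows\system32\inetsrv"}

# Command-line patterns derived from the report's quoted commands.
DSQUERY_RE = re.compile(r"\bdsquery\b.*objectclass=user", re.IGNORECASE)
NET_USE_RE = re.compile(r"\bnet\s+use\b.*\s/u:", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}


def classify(event):
    """Return the list of findings for one process-creation record."""
    findings = []
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "")
    cwd = event.get("cwd", "").lower().rstrip("\\")
    if parent == "w3wp.exe" and image in SHELLS:
        findings.append("T1190 webshell spawning shell from IIS worker")
    if cwd in SUSPECT_DIRS:
        findings.append("working dir matches report IoC")
    if DSQUERY_RE.search(cmd):
        findings.append("T1033 AD user enumeration via dsquery")
    if NET_USE_RE.search(cmd):
        findings.append("T1021 net use with explicit credentials")
    return findings


def triage(events):
    """Map each record id to its findings, omitting records with none."""
    result = {}
    for event in events:
        hits = classify(event)
        if hits:
            result[event["id"]] = hits
    return result


# Constructed sample telemetry (hypothetical hosts, users and passwords).
SAMPLE_EVENTS = [
    {"id": 1, "parent": "w3wp.exe", "image": "cmd.exe",
     "cwd": r"c:\windows\system32\inetsrv",
     "cmdline": r'"cmd" /c cd /d C:\MS_DATA&dsquery * -limit 0 -filter '
                r'"(&(objectClass=User)(objectCategory=Person))" -attr sAMAccountName'},
    {"id": 2, "parent": "explorer.exe", "image": "cmd.exe", "cwd": r"c:\users\admin",
     "cmdline": r"net use \\10.0.0.5 Passw0rd /u:CORP\svc_backup"},
    {"id": 3, "parent": "services.exe", "image": "svchost.exe",
     "cwd": r"c:\windows\system32", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, hits)
```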

Indicators of Compromise

  • [SHA-1] context – pc.exe – f54a41145b732d47d4a2b0a1c6e811ddcba48558, AddSecurityPackage64.dll (unpatched) – 1c405ba0dd99d9333173a8b44a98c6d029db8178, and 4 more hashes
  • [SHA-1] context – pc.dll – 814f980877649bc67107d9e27e36fba677cad4e3
  • [SHA-1] context – getHashFlsa64.dll (unpatched) – 508408edda49359247edc7008762079c5ba725d9, and 1 more hash
  • [File Name] filenames – pc.exe, AddSecurityPackage64.dll, pc.dll, getHashFlsa64.dll, and 2 more filenames
  • [Directory] working directories – C:\MS_DATA, c:\windows\system32\inetsrv, and 1 more directory
  • [Certificate] certificate used by Soft Cell binaries – Whizzimo, LLC certificate
  • [IP Address] connectivity checks – 8.8.8.8

Read more: https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/