Sygnia’s in-depth analysis uncovers Velvet Ant, a China-nexus state-sponsored threat actor, persisting in a large organization for about three years to enable espionage. The operation leveraged legacy devices (notably F5 BIG-IP) and PlugX with internal and external C2s, illustrating sophisticated persistence, agile pivoting, and extensive network understanding. Hashtags: #VelvetAnt #PlugX #ShadowPad #F5BIG-IP #ChinaNexus
Keypoints
- Velvet Ant infiltrated a large organization in late 2023 and maintained a multi-year foothold for espionage purposes.
- Persistence was achieved via multiple footholds, including internet-facing legacy devices such as F5 BIG-IP appliances, which were also used as internal command-and-control (C2) infrastructure.
- PlugX was the core toolchain, with a three-file execution chain (iviewers.exe, iviewers.dll, iviewers.dll.ui) enabling remote access and module loading.
- The attackers demonstrated agility by shifting to new footholds after remediation and by exploiting unpatched legacy servers (e.g., Windows Server 2003).
- Lateral movement relied on Impacket’s WMI-based tools (wmiexec.py) and targeted command execution to deploy additional PlugX instances.
- A dual C2 model emerged: an external C2 for endpoints with internet access and an internal C2 via a file server, so that traffic from isolated hosts blended with normal file-server activity.
- Remediation was extensive (re-imaging hosts, decommissioning legacy servers, blocking IOCs) and improved visibility, though the adversary demonstrated continued resilience.
MITRE Techniques
- [T1133] External Remote Services – Initial access via internet-facing F5 BIG-IP appliances. “These appliances were directly exposed to the internet.”
- [T1047] Windows Management Instrumentation – Lateral movement/execution using WMI via Impacket’s wmiexec.py. “Impacket’s wmiexec.py … utilizes the native Windows Management Instrumentation (WMI) to execute remote commands.”
- [T1569.002] System Services: Service Execution – PlugX is installed as a Windows service on infected hosts. “iviewers.exe is installed as a Windows service.”
- [T1037.004] Boot or Logon Initialization Scripts: RC Scripts – Persistence via legacy startup script mechanisms. “rc.local” entries were used for persistence.
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – DLL side-loading and related DLL-loading techniques used to hijack execution. “DLL search order hijacking.”
- [T1055] Process Injection – Infected svchost.exe processes receive injected payloads. “code is injected into them.”
- [T1016] System Network Configuration Discovery – Discovery of network connections and topology to plan expansions. “enumerated the active network connections on the targeted server.”
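The T1047 entry above (Impacket's wmiexec.py over WMI) is one of the more detectable steps in the chain, because the tool leaves a consistent shape in process-creation telemetry. The following detection rule is an added example written for this summary; it is not code from Sygnia or from the Impacket project. Its logic rests on two facts about wmiexec.py: the remote command is created through WMI's Win32_Process, so on the target it appears as a child of WmiPrvSE.exe, and by default it is wrapped as `cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1` so the output can be read back over SMB. The pipe-delimited log format and all log lines are constructed for the example.

```python
"""Flag wmiexec.py-style remote execution (T1047) in process-creation telemetry.

Added example, not code from the Sygnia report. The ADMIN$ output redirection
is the most specific artefact; the WmiPrvSE.exe -> cmd.exe parent/child pair
still fires when the operator suppresses output (wmiexec.py -nooutput), at the
cost of more benign WMI-driven noise, so the two signals are scored separately.
"""
import re
from dataclasses import dataclass

# Default output redirection wmiexec.py appends to every command.
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__[0-9.]+\s+2>&1", re.IGNORECASE
)


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed, pipe-delimited record:
    host | parent image | image | command line."""
    host, parent, image, cmdline = (f.strip() for f in line.split("|", 3))
    return ProcessEvent(host, parent, image, cmdline)


def score_event(ev: ProcessEvent) -> list:
    """Return the reasons this event looks like wmiexec.py (empty if none)."""
    reasons = []
    parent = ev.parent_image.lower()
    image = ev.image.lower()
    if parent.endswith("\\wmiprvse.exe") and image.endswith("\\cmd.exe"):
        reasons.append("cmd.exe spawned by WmiPrvSE.exe")
    if WMIEXEC_REDIRECT.search(ev.command_line):
        reasons.append("wmiexec.py ADMIN$ output redirection")
    return reasons


def detect(lines) -> list:
    """Run the rule over raw log lines; returns (host, command_line, reasons)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev.host, ev.command_line, reasons))
    return hits


# Constructed sample telemetry (not from the report).
SAMPLE_LOG = [
    r"SRV-FILE01 | C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\System32\cmd.exe | "
    r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.123 2>&1",
    r"WS-042 | C:\Windows\explorer.exe | C:\Windows\System32\cmd.exe | cmd.exe /c dir",
    r"SRV-APP02 | C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\System32\cmd.exe | "
    r"cmd.exe /Q /c ipconfig /all 1> \\127.0.0.1\ADMIN$\__1700000010.456 2>&1",
    r"SRV-APP02 | C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\System32\cmd.exe | "
    r"cmd.exe /Q /c tasklist",
    r"SRV-DC01 | C:\Windows\System32\services.exe | C:\Windows\System32\svchost.exe | "
    r"svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for host, cmd, why in detect(SAMPLE_LOG):
        print(f"{host}: {cmd}\n    {', '.join(why)}")
```

In a real deployment the parent/child rule alone will also catch legitimate WMI-driven administration (configuration management agents spawn cmd.exe under WmiPrvSE.exe too), so treat it as a weak signal to be joined with the redirection pattern, the source of the WMI call (Event ID 4624 logon type 3 from the same origin host) and the accounts involved, which is what made the report's attribution of these events to Velvet Ant possible.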
Indicators of Compromise
- [File Name] iviewers.exe, iviewers.dll, iviewers.dll.ui – used in PlugX loading chain within infected systems
- [MD5] d1e6767900c85535f300e08d76aac9ab, 0d5abbe83e5eeb2cb79630caba3a33c7 – iviewers.exe entries
- [SHA1] 4a0f328e7672ee7ba83f265d48a6077a0c9068d4, d80427c922db5fcd8cf490a028915485ff833666 – iviewers.exe
- [SHA256] 91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520, d663b323d132a3c811bb53a48a686ea85c6bf8faeef3b48dfa93528be8f4133b – iviewers.exe
- [IP Address] 202.61.136.158, 103.138.13.31 – C2/C&C servers associated with PlugX Velvet Ant activity
- [File Name] iviewers.dll, iviewers.exe.ui – additional components of the PlugX loader
Read more: https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/