This article introduces IcePeony, a newly identified China-nexus APT group active since at least 2023 that targets government agencies, academic institutions, and political organizations in Asia using SQL Injection and a custom IIS malware named IceCache. It highlights operational security lapses, a harsh 996-like work culture, and potential expansion of targets. #IcePeony #IceCache #IceEvent #StaX #Diamorphine #India #Mauritius #Vietnam

Keypoints

  • Group Identification: IcePeony is a newly identified China-nexus APT group.
  • Operational History: Active since at least 2023, targeting India, Mauritius, and Vietnam.
  • Attack Techniques: Primarily uses SQL Injection to compromise public web servers, followed by the installation of web shells and malware.
  • Custom Malware: Utilizes a unique malware called “IceCache” for their operations.
  • OPSEC Fail: Exposed attack tools and command history through operational mistakes, including a zsh_history file.
  • Work Culture: Suspected to operate under the “996” work culture, indicative of long working hours.
  • Future Threats: Likely to expand their target list beyond current operations.

MITRE Techniques

  • [T1190] SQL Injection – Exploiting vulnerabilities in web applications to execute arbitrary SQL code.
  • [T1100] Web Shell – Installing web shells on compromised servers to maintain access.
  • [T1003] Credential Dumping – Using tools like Mimikatz to extract credentials from compromised systems.
  • [T1071] Command and Control – Utilizing custom malware for communication and control of compromised systems.
  • [T1053] Persistence – Setting up scheduled tasks to maintain access to compromised systems.

Indicators of Compromise

  • [IP] IcePeony activity indicators – 165.22.211.62, 64.227.133.248, and 15 more items
  • [Domain] Attack domains – d45qomwkl.online, googlesvn.com, and 3 more items
  • [Hash] IceCache SHA256 values – 5b16d153, 484e2740, and 15 more items
  • [Hash] IceEvent SHA256 values – 80e83118, 9a0b0439, and 2 more items
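The attack chain summarized above (SQL injection against a public IIS server, then a web shell dropped on it) leaves traces in the server's own W3C logs, and the IP and domain indicators listed here are directly usable for matching. The following Python scanner is an added example for defenders, not code from the original article or from nao_sec: it parses IIS W3C log lines, flags hits from the two IoC IPs and the two IoC domains quoted in the list above, scores query strings with generic SQL-injection signatures, and points out POST requests to script files outside a site allowlist. The sample log lines, the KNOWN_SCRIPTS allowlist, and the signature set are constructed for this example and are not from the page.

```python
"""Scan IIS W3C logs for IcePeony-style activity: SQL injection probes,
web-shell-like requests, and hits from known-bad IPs/domains."""
import re
from urllib.parse import unquote_plus

# IoC values quoted in the summary above (the page lists more)
IOC_IPS = {"165.22.211.62", "64.227.133.248"}
IOC_DOMAINS = {"d45qomwkl.online", "googlesvn.com"}

# Hypothetical allowlist of legitimate script endpoints on the monitored site
KNOWN_SCRIPTS = {"/default.aspx", "/login.aspx", "/news.aspx"}

# Generic SQL-injection signatures applied to the decoded query string
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),  # ' or 1=1
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),          # UNION SELECT
    re.compile(r"(--|/\*)\s*$"),                              # comment terminator
    re.compile(r"\b(xp_cmdshell|sp_oacreate|waitfor\s+delay|sleep\s*\()", re.I),
    re.compile(r";\s*(drop|insert|update|exec)\b", re.I),     # stacked query
]

# Constructed sample log (W3C extended format, 15 fields per record)
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-06-01 10:00:01 10.0.0.5 GET /news.aspx id=12 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2024-06-01 10:00:07 10.0.0.5 GET /news.aspx id=12'+UNION+SELECT+1,2,3-- 443 - 165.22.211.62 python-requests/2.31 - 500 0 0 40
2024-06-01 10:01:30 10.0.0.5 POST /uploads/img/cfg.aspx - 443 - 64.227.133.248 Mozilla/5.0 http://googlesvn.com/ 200 0 0 88
"""


def parse_iis_log(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):  # skip malformed records rather than guess
            continue
        yield dict(zip(fields, parts))


def sqli_score(query):
    """Return the signature patterns that match the (double-)decoded query."""
    decoded = unquote_plus(unquote_plus(query))  # catches %2527-style double encoding
    return [p.pattern for p in SQLI_PATTERNS if p.search(decoded)]


def classify(entry):
    """Return a list of finding tags for one log record (empty if benign)."""
    findings = []
    ip = entry.get("c-ip", "")
    if ip in IOC_IPS:
        findings.append(f"ioc-ip:{ip}")
    referer = entry.get("cs(Referer)", "-")
    if any(d in referer for d in IOC_DOMAINS):
        findings.append("ioc-domain-referer")
    query = entry.get("cs-uri-query", "-")
    if query != "-":
        hits = sqli_score(query)
        if hits:
            findings.append(f"sqli:{len(hits)}")
    stem = entry.get("cs-uri-stem", "").lower()
    # A successful POST to a script outside the allowlist is how a dropped
    # web shell typically shows up, since W3C logs never contain POST bodies.
    if (entry.get("cs-method") == "POST"
            and stem.endswith((".aspx", ".ashx", ".asmx"))
            and stem not in KNOWN_SCRIPTS
            and entry.get("sc-status") == "200"):
        findings.append("possible-webshell")
    return findings


def scan(text):
    """Return (client IP, URI stem, findings) for every record with findings."""
    alerts = []
    for entry in parse_iis_log(text):
        findings = classify(entry)
        if findings:
            alerts.append((entry["c-ip"], entry["cs-uri-stem"], findings))
    return alerts


if __name__ == "__main__":
    for ip, stem, findings in scan(SAMPLE_LOG):
        print(ip, stem, ", ".join(findings))
```

Run against the constructed sample, the benign first request produces nothing, the second is tagged with the IoC IP and two SQL-injection signatures, and the third is tagged with the IoC IP, the IoC referer domain and the web-shell heuristic. Because IIS W3C logs omit request bodies, the web-shell check can only key on the path, method and status; on a real site tighten KNOWN_SCRIPTS to the deployed endpoints and treat new script files in upload or image directories as the strongest signal.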

Read more: https://nao-sec.org/