Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt Typhoon)

Insidious Taurus (also known as Volt Typhoon) is a PRC-aligned APT that pre-positions inside U.S. critical infrastructure by exploiting internet-facing devices and chaining compromised SOHO equipment into covert relay networks such as the KV-botnet. Their toolkit includes a custom backdoor (SockDetour), the EarthWorm tunneling tool, Fast Reverse Proxy (frp) binaries, and living-off-the-land techniques that keep activity inside normal administrative telemetry. #InsidiousTaurus #KV-botnet

Keypoints

  • Insidious Taurus (Volt Typhoon) is assessed as a state-sponsored PRC actor focused on long-term access to U.S. critical infrastructure.
  • The group obtains initial access by exploiting internet-facing network appliances and known/zero-day vulnerabilities (e.g., CVE-2021-40539 in Zoho ADSelfService Plus).
  • They use compromised SOHO devices and the KV-botnet as intermediate infrastructure to obscure origin and relay traffic.
  • Malware and tools observed include SockDetour (backup backdoor), EarthWorm, custom Impacket builds, and Fast Reverse Proxy (frp) binaries for tunneling.
  • Operators favor living-off-the-land activity (built-in admin tools like netsh, WMIC, and manual hands-on-keyboard actions) and focus on acquiring administrator credentials.
  • Unit 42 provides detection/hunting queries for netsh PortProxy usage, PortProxy registry key creation, WMIC disk queries, ntdsutil IFM activity, Impacket/wmiexec patterns, and multiple file/process SHA256 hashes.
  • Recommended mitigations include patching internet-facing devices, hardening remote access, multifactor authentication, network segmentation, and enhanced logging and hunting.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used for initial access by exploiting internet-facing appliances (e.g., ‘…using a then-undisclosed Zoho ManageEngine ADSelfService Plus vulnerability (CVE-2021-40539) for initial access.’)
  • [T1078] Valid Accounts – Focus on gaining administrator credentials within victim environments (‘…a focus on gaining administrator credentials within a victim environment.’)
  • [T1059] Command and Scripting Interpreter – Abuse of cmd.exe/netsh and other native shells for commands like netsh PortProxy (‘…netsh interface portproxy add v4tov4’).
  • [T1112] Modify Registry – Creation/modification of PortProxy registry keys to enable port forwarding (‘…HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp’).
  • [T1047] Windows Management Instrumentation (WMI) – Use of WMI/wmiprvse.exe and Impacket’s wmiexec to run remote commands (‘…instances of cmd.exe being spawned with arguments consistent with the usage of Impacket’s Wmiexec’).
  • [T1082] System Information Discovery – Use of WMIC to enumerate disk and system information (‘…path win32_logicaldisk get caption,filesystem,freespace,size,volumename’).
  • [T1003.003] OS Credential Dumping: NTDS – Attempts to dump NTDS.dit via ntdsutil IFM to extract Active Directory data (‘…attempts to dump NTDS.dit to disk via Ntdsutil IFM command’).
  • [T1090] Proxy – Use of Fast Reverse Proxy (frp) binaries and chained SOHO devices to tunnel/relay traffic and obscure origin (‘…Fast Reverse Proxy (frp) binaries’; compromised SOHO devices used ‘as intermediate infrastructure’).
  • Living off the Land (no single ATT&CK ID; it spans the T1059, T1047 and T1112 entries above, and TA0006 is the Credential Access tactic, not this behavior) – Reliance on legitimate admin tools and manual operator activity to evade detection (‘…living off the land techniques’ and ‘using built-in network administration tools to perform objectives’).

Indicators of Compromise

  • [File hashes] Process and file SHA256 examples observed in hunting queries – f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd, ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31, and 20+ more hashes (includes malware and frp binaries).
  • [Malware/tool names] Observed custom and open-source tools – SockDetour (backup backdoor), EarthWorm, Impacket builds, Fast Reverse Proxy (frp), and additional frp binaries.
  • [Vulnerability] Exploited CVE example used for initial access – CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus).
  • [Botnet/infrastructure] Compromised device network usage – KV-botnet used to chain SOHO devices as covert relays.
  • [Registry/Commands] Detection artifacts and commands to hunt for – ‘netsh interface portproxy add v4tov4’, registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp’, WMIC command ‘path win32_logicaldisk get caption,filesystem,freespace,size,volumename’, and ntdsutil commands like ‘activate instance ntds’ + ‘create full’.
  • [File names/paths] Targeted/mentioned file store and dumps – NTDS.dit (Active Directory database) and example malware drop/write events recorded in file-write hunting queries.

The intrusion procedure Unit 42 documents starts with exploitation of internet-facing appliances (both known CVEs and then-undisclosed zero-days) to gain a foothold, followed by persistence and tunneling through the SockDetour backdoor, custom Impacket builds, EarthWorm, and Fast Reverse Proxy (frp) binaries. Operators avoid noisy automated tooling: they favor manual hands-on-keyboard activity, living-off-the-land use of native admin utilities (netsh, WMIC, cmd.exe/WMI), and compromised SOHO devices or the KV-botnet to relay command-and-control traffic and obscure its origin.

After initial access, the group escalates privileges and pursues administrator credentials (valid accounts) and domain data, notably by extracting NTDS.dit with ntdsutil IFM (‘create full’), which writes a copy of the Active Directory database to disk. They use WMI/Impacket (wmiexec) for remote command execution and lateral movement, and configure port forwarding (netsh PortProxy, which persists its rules in the registry) and frp tunnels so remote access can be routed through intermediate devices. Unit 42’s detection guidance is telemetry-focused: hunts for netsh PortProxy command lines, PortProxy registry key creation, WMIC disk enumeration, ntdsutil IFM creation commands, cmd.exe spawn patterns characteristic of Impacket/wmiexec, and process/file SHA256 values of known malicious binaries.
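The hunts enumerated in the MITRE list and in the paragraph above, written out as runnable detection logic. This is an added example, not Unit 42’s published query set; the event schema (type, image, parent_image, cmdline, target, sha256) is an assumed normalized form of Windows process-creation, registry and file telemetry, and the sample events are constructed, not captured from a real incident. The two SHA256 values are the ones quoted in this brief; the wmiexec command-line shape is Impacket’s documented behavior.

```python
import re

# Added example (not Unit 42's queries). Field names below are an assumed,
# normalized event schema, not any specific SIEM's.

# The two SHA256 values quoted in the brief; add further hashes from the source.
KNOWN_BAD_SHA256 = {
    "f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd",
    "ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31",
}


def _image_name(event):
    """Lower-cased file name of the image that generated the event."""
    return event.get("image", "").rsplit("\\", 1)[-1].lower()


def _parent_name(event):
    return event.get("parent_image", "").rsplit("\\", 1)[-1].lower()


def _is(event, name):
    return event.get("type") == "process" and _image_name(event) == name


def netsh_portproxy_add(ev):
    return _is(ev, "netsh.exe") and re.search(
        r"portproxy\s+add\s+v4tov4", ev.get("cmdline", ""), re.I) is not None


def portproxy_registry_key(ev):
    # netsh stores v4tov4 rules under this key, so its creation is a signal on
    # hosts that never legitimately forward ports. Matches ControlSet00N and
    # CurrentControlSet spellings.
    return ev.get("type") == "registry" and re.search(
        r"\\Services\\PortProxy\\v4tov4\\tcp", ev.get("target", ""), re.I) is not None


def wmic_logicaldisk_enum(ev):
    return _is(ev, "wmic.exe") and "win32_logicaldisk" in ev.get("cmdline", "").lower()


def ntdsutil_ifm_dump(ev):
    # ntdsutil accepts abbreviated commands ("ac i ntds" for "activate instance
    # ntds"), so key on the "ifm" + "create full" pair rather than the long form.
    cmd = ev.get("cmdline", "")
    return (_is(ev, "ntdsutil.exe")
            and re.search(r"\bifm\b", cmd, re.I) is not None
            and re.search(r"create\s+full", cmd, re.I) is not None)


# Impacket wmiexec runs: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1
# under WmiPrvSE.exe, then reads the output file back over SMB.
WMIEXEC_RE = re.compile(r"/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\\w+\$\\__\d+", re.I)


def wmiexec_cmd_spawn(ev):
    return (_is(ev, "cmd.exe") and _parent_name(ev) == "wmiprvse.exe"
            and WMIEXEC_RE.search(ev.get("cmdline", "")) is not None)


def known_bad_sha256(ev):
    return ev.get("sha256", "").lower() in KNOWN_BAD_SHA256


RULES = [
    ("netsh_portproxy_add", "T1090 / T1059", netsh_portproxy_add),
    ("portproxy_registry_key", "T1112", portproxy_registry_key),
    ("wmic_logicaldisk_enum", "T1082", wmic_logicaldisk_enum),
    ("ntdsutil_ifm_dump", "T1003.003", ntdsutil_ifm_dump),
    ("wmiexec_cmd_spawn", "T1047", wmiexec_cmd_spawn),
    ("known_bad_sha256", "IOC match", known_bad_sha256),
]


def hunt(events):
    """Return one hit per (event, rule) pair that fires, in event order."""
    hits = []
    for i, ev in enumerate(events):
        for name, technique, pred in RULES:
            if pred(ev):
                hits.append({"event_index": i, "rule": name, "technique": technique})
    return hits


# Constructed sample telemetry (not real logs): one event per hunt, one benign.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "listenaddress=0.0.0.0 connectport=8443 connectaddress=10.1.2.3"},
    {"type": "registry", "event": "CreateKey",
     "target": "HKLM\\SYSTEM\\ControlSet001\\Services\\PortProxy\\v4tov4\\tcp"},
    {"type": "process", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"},
    {"type": "process", "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\dump" q q'},
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.12 2>&1"},
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "file", "image": "C:\\Users\\Public\\svchost.exe",
     "sha256": "f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h)
```

Each rule is deliberately narrow (image name plus command-line shape) so a plain `cmd.exe /c dir` under explorer.exe does not fire; the wmiexec rule additionally requires WmiPrvSE.exe as parent, which is what separates Impacket's remote execution from an administrator redirecting output locally.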

Operational recommendations for defenders are to patch and remove unsupported SOHO/internet-exposed appliances, harden remote access (limit and monitor port forwarding and proxies), enforce MFA and least privilege, enable detailed logging to catch living-off-the-land activity, and deploy targeted hunts using the provided queries and IOCs (hashes, command/registry indicators, and toolnames) to identify and remediate compromise. Read more: https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/