Crimson Palace Reimagined: Fresh Tools, Strategies, and Objectives

Sophos X-Ops identifies Operation Crimson Palace as a Chinese state-directed cyberespionage operation targeting a Southeast Asian government agency, with multiple threat clusters and a newly observed keylogger named “TattleTale.” The attackers show adaptability through DLL sideloading, web shells, open-source tools, and rapid cycling of C2 channels to evade detection. #TattleTale #ClusterCharlie

Key points

  • Operation Crimson Palace targets a Southeast Asian government agency and associated organizations.
  • Three threat activity clusters (Cluster Alpha, Bravo, Charlie) were identified, with ongoing operations since March 2023.
  • Cluster Charlie resumed activity in September 2023, introducing a new keylogger named “TattleTale.”
  • Attackers utilized compromised networks to deliver malware and tools, maintaining a focus on evasion and persistence.
  • Various open-source and off-the-shelf tools were employed, including Cobalt Strike, Havoc, and SharpHound.
  • DLL sideloading and service hijacking were common tactics observed in the attacks.
  • In 2024, the actors rapidly cycled through C2 channels and deployment methods to evade detection.

MITRE Techniques

  • [T1003] Credential Dumping – “Techniques include capturing administrator credentials and data for specific users.”
  • [T1071] Command and Control – “Utilization of various C2 frameworks such as Havoc and XiebroC2.”
  • [T1041] Exfiltration Over Command and Control Channel – “Data exfiltration efforts observed during the operation.”
  • [T1105] Remote File Copy – “Use of tools like Impacket for lateral movement and file transfers.”
  • [T1218.011] DLL Side-Loading – “Deployment of malicious DLLs through legitimate processes.”
  • [T1100] Web Shell – “Deployment of web shells on compromised web application servers.”
  • [T1055] Process Injection – “Injecting malicious payloads into legitimate processes for evasion.”
  • [T1486] Data Encrypted for Impact – “Potential use of encryption to obfuscate exfiltrated data.”

Indicators of Compromise

  • [IP Address] 103.19.16.248:443 (dmsz.org, geolocated in the Philippines) and 107.148.41.114 (US) – observed as C2 beaconing and exfiltration traffic
  • [Domain] dmsz.org, cancelle.net, gandeste.net, gsenergyspeedtest.com
  • [File/DLL] swprv.dll, mscorsvw.dll, log.ini, tmpblglog.dll, log.bin, pp.exe, log.dat

Read more: https://news.sophos.com/en-us/2024/09/10/crimson-palace-new-tools-tactics-targets/