Sophos MDR’s threat hunt across customers uncovered a large-scale cyberespionage campaign targeting a high-profile Southeast Asian government organization, with three distinct clusters (Alpha, Bravo, Charlie) attributed to Chinese state interests. The operation combined DLL side-loading, DLL stitching, LOLBins, C2 frameworks (Merlin, PhantomNet), credential access, discovery, lateral movement, persistence, and data exfiltration across multiple stages and tools. #CrimsonPalace #MerlinC2 #PhantomNet #EAGERBEE #RUDEBIRD #BackdoorDiplomacy #EarthPreta #PocoProxy #CCoreDoor
Keypoints
- Threat-hunting activity spanned multiple clusters (Alpha, Bravo, Charlie) linked to Chinese-state interests and active from 2023, with earlier compromises dating back to 2022.
- Initial abuse of a legitimate VMware executable, vmnat.exe, triggered an MDR threat hunt and led to broader telemetry-derived discoveries.
- Prior compromises include a March 2022 NUPAKAGE detection and December 2022 DLL-stitching that deployed backdoors (swprvs.dll, appmgmt.dll) and a Stowaway-based payload.
- Cluster Alpha focuses on credential access (SAM hive dump), discovery, and extensive domain enumeration, then moves laterally and establishes C2 via Merlin/PhantomNet backdoors.
- Cluster Bravo centers on LSASS memory dumping, WMI- and PowerShell-enabled discovery, and aggressive defense evasion such as unhooking ntdll.dll to bypass protections.
- Cluster Charlie emphasizes PocoProxy-based lateral movement, Runas for privilege escalation, scheduled tasks for persistence, and exfiltration of highly sensitive data, including credentials and device configs.
- Defense-evasion advances include new EAGERBEE variants that modify network packets to disable detection, plus DLL hijacking/sideloading techniques and indicator-removal efforts.
MITRE Techniques
- [T1574.002] Hijack Execution Flow – DLL Side-loading – DLL-stitching used to obfuscate and deploy two malicious backdoors on target domain controllers, with swprvs.dll and appmgmt.dll replacing legitimate DLLs. Quote: “…DLL-stitching was used to obfuscate and deploy two malicious backdoors on target domain controllers.”
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – Rundll32.exe used to load and execute payloads (e.g., c:\windows\vss\writers\application\443.txt,Update) via DLLs. Quote: “rundll32.exe c:\windows\vss\writers\application\443.txt,Update”
- [T1021.002] Remote Services – SMB/Windows Admin Shares – Lateral movement performed via net use and wmic commands across machines using valid credentials. Quote: “net use \\172.xx… wmic /node:… /user:… /password:… process call create ‘c:\programdata\vmnat\vmtools\vmnat.exe’ “
- [T1071.001] Web Protocols – C2 communications over web protocols (Merlin C2 Agent deployed via vmnat.dll with cloud.keepasses[.]com as the domain). Quote: “communications with the domain cloud.keepasses[.]com” and “https://cloud.keepasses[.]com:443;29s”
- [T1041] Exfiltration Over C2 Channel – Data exfiltration activities (highly sensitive documents, credentials, and configs) via C2 channels. Quote: “collect and exfiltrate a trove of highly sensitive information”
- [T1059.001] PowerShell – Use of Get-UserLogon and Get-EventLog for discovery and collection. Quote: “leveraged PowerShell modules, such as Get-UserLogon and Get-EventLog to enumerate discovery information.”
- [T1059.003] Windows Command Shell – Extensive use of cmd.exe and shell/script execution (e.g., “cmd.exe /C powershell -command …”). Quote: “cmd.exe /C powershell -command”
- [T1059.005] VBScript – VBScript-based execution via WScript (e.g., 3.vbs triggering backdoor). Quote: “Using WScript to run a vbscript (vbs | 3.vbs) that executed the backdoor on various systems”
- [T1053.005] Scheduled Task – Lateral movement/persistence via scheduled tasks to run implants (e.g., Packages.exe, 3.bat, etc.). Quote: “scheduled tasks to execute the renamed mscorsvw.exe binary”
- [T1543.003] Windows Service – Service creation/persistence via instsrv.exe and srvany.exe to run vmnat.exe as a service. Quote: “two uncommon LOLBins – instsrv.exe and srvany.exe – to create a service”
- [T1059.004] Scripting – VBScript/WScript-based execution alongside VBScript-driven backdoors. Quote: “Using WScript to run a vbscript”
- [T1562.001] Defense Evasion – Unhooking ntdll.dll to bypass the endpoint protection agent by overwriting in memory. Quote: “unhook the Sophos endpoint protection agent process from the kernel by overwriting ntdll.dll in memory”
- [T1560.001] Archive Collected Data – Compression/archiving of collected data (RAR) for exfiltration. Quote: “rar.dat a -m5 ff.rar *.txt”
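The command-line behaviours listed above (rundll32 given a .txt "module", remote WMI process creation with inline credentials, instsrv/srvany service wrapping, a renamed RAR binary, cmd.exe spawning PowerShell) are the kind that show up in process-creation telemetry. The following is an added example, not code from the Sophos report or from Sophos MDR: a small rule set evaluated over constructed Sysmon-style events, with per-host aggregation so that a host showing several distinct techniques ranks above one noisy rule. The event shape, rule names and sample command lines are assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (hypothetical, Sysmon Event ID 1-like shape)."""
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Hit:
    host: str
    rule: str
    technique: str
    command_line: str


# (rule name, MITRE technique, pattern over the raw command line).
# Patterns are written here to match the behaviours summarised above; they are
# not Sophos detection content and are tuned for readability, not low noise.
RULES = [
    # rundll32 pointed at a non-.dll file plus an export name (443.txt,Update)
    ("rundll32_non_dll_module", "T1218.011",
     re.compile(r"\brundll32(?:\.exe)?\s+\S+\.(?:txt|log|dat|tmp)\s*,\s*\w+", re.I)),
    # remote WMI process creation with credentials passed inline
    ("wmic_remote_create_with_creds", "T1021.002",
     re.compile(r"\bwmic\b.*/node:\S+.*/password:\S+.*\bprocess\s+call\s+create\b", re.I)),
    # service-wrapper LOLBins the report names
    ("instsrv_srvany_service", "T1543.003",
     re.compile(r"\b(?:instsrv|srvany)\.exe\b", re.I)),
    # renamed RAR binary archiving files for staging (rar.dat a -m5 ff.rar *.txt)
    ("renamed_rar_archiving", "T1560.001",
     re.compile(r"\brar\.dat\s+a\b", re.I)),
    # cmd.exe launching PowerShell with an inline -command
    ("cmd_to_powershell_inline", "T1059.001",
     re.compile(r"\bcmd(?:\.exe)?\s+/c\s+powershell\b.*-command", re.I)),
]


def evaluate(events):
    """Run every rule over every event; one Hit per (event, rule) pair that fires."""
    hits = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev.command_line):
                hits.append(Hit(ev.host, name, technique, ev.command_line))
    return hits


def techniques_per_host(hits):
    """Distinct MITRE techniques seen per host, sorted; several distinct
    techniques on one host is a stronger signal than one rule firing repeatedly."""
    seen = defaultdict(set)
    for h in hits:
        seen[h.host].add(h.technique)
    return {host: sorted(techs) for host, techs in seen.items()}


# Constructed sample telemetry; hostnames, paths and the benign rows are made up.
SAMPLE_EVENTS = [
    ProcessEvent("DC01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe c:\windows\vss\writers\application\443.txt,Update"),
    ProcessEvent("WS-07", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic /node:10.0.0.5 /user:CORP\svc_backup /password:<redacted> '
                 r'process call create "c:\programdata\vmnat\vmtools\vmnat.exe"'),
    ProcessEvent("WS-07", r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\instsrv.exe",
                 r"instsrv.exe VMNetSvc c:\programdata\srvany.exe"),
    ProcessEvent("FS-02", r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\rar.dat",
                 r"rar.dat a -m5 ff.rar *.txt"),
    ProcessEvent("WS-09", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /C powershell -command "Get-EventLog -LogName Security -Newest 50"'),
    # benign rows: a normal rundll32 control-panel call and a local wmic query
    ProcessEvent("WS-03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent("WS-03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
                 r"wmic os get caption"),
]

if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        print(f"{h.host:6} {h.technique:10} {h.rule:32} {h.command_line}")
    print(techniques_per_host(evaluate(SAMPLE_EVENTS)))
```

Running it prints one hit per malicious sample row and none for the two benign rows; the per-host view shows WS-07 with two distinct techniques (remote WMI execution and service creation), which is the row a hunter would open first.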
Indicators of Compromise
- [IP Address] – 195.123.247.50, 185.195.237.123, and 139.162.18.97 (C2 and delivery addresses used in various clusters)
- [IP Address] – 104.21.3.57, 64.176.50.42, 158.247.241.188 (additional C2 or payload delivery endpoints)
- [Domain] – cloud.keepasses[.]com; msudapis[.]info; associate.feedfoodconcerning[.]info; associate.freeonlinelearningtech[.]com
- [Domain] – vortex.data.microsoft.com; ksn-a-stat-geo.kaspersky-labs.com; realprotect1.mcafee.com (security/vendor-related domains)
- [File name] – vmnat.exe; swprvs.dll; appmgmt.dll; swprv.dll; SensAPI.dll; MSI64.exe; PhantomNet samples (sslwnd64.exe, oci.dll, nethood.exe)
- [File name] – 443.txt; 4413.txt; chrome.log; aaaa.txt; 11.log
- [C2 Hosts] – message.ooguy[.]com:443; msudapis[.]info; associate.* domains; 195.237.123/187, etc. (examples shown in the narrative)
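The indicators above are published defanged (`[.]`), and the domain list mixes attacker infrastructure with legitimate vendor telemetry endpoints (vortex.data.microsoft.com, the Kaspersky and McAfee hosts). An added example, not from the Sophos report: a matcher that refangs the published indicators, applies suffix matching so that a subdomain of msudapis[.]info is caught, and tiers the vendor domains as context rather than alerts. The log-line format and the sample lines are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Indicators transcribed from the summary above, kept defanged as published.
DEFANGED_DOMAINS = [
    "cloud.keepasses[.]com", "msudapis[.]info",
    "associate.feedfoodconcerning[.]info",
    "associate.freeonlinelearningtech[.]com", "message.ooguy[.]com",
]
IP_INDICATORS = {
    "195.123.247.50", "185.195.237.123", "139.162.18.97",
    "104.21.3.57", "64.176.50.42", "158.247.241.188",
}
# Legitimate vendor telemetry endpoints listed alongside the IoCs: useful for
# establishing the activity window, not an alert on their own.
CONTEXT_ONLY = {
    "vortex.data.microsoft.com",
    "ksn-a-stat-geo.kaspersky-labs.com",
    "realprotect1.mcafee.com",
}


def refang(ioc: str) -> str:
    """Turn a published, defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower().strip()


DOMAIN_INDICATORS = [refang(d) for d in DEFANGED_DOMAINS]

# Constructed log shape: "<ts> <host> <dns|proxy> <destination>[:<port>]".
# IPv6 destinations are out of scope for this line format (they contain ':').
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>dns|proxy)\s+(?P<dst>[^:\s]+)(?::(?P<port>\d+))?\s*$"
)


def domain_matches(fqdn: str, indicator: str) -> bool:
    """Exact match or a subdomain of the indicator (api.msudapis.info hits msudapis.info)."""
    return fqdn == indicator or fqdn.endswith("." + indicator)


def classify(dst: str):
    """Return (severity, matched indicator) or None for an unknown destination."""
    dst = dst.lower().rstrip(".")
    try:
        ip_address(dst)
    except ValueError:
        # not an IP literal: treat as a hostname
        if dst in CONTEXT_ONLY:
            return ("context", dst)
        for indicator in DOMAIN_INDICATORS:
            if domain_matches(dst, indicator):
                return ("alert", indicator)
        return None
    return ("alert", dst) if dst in IP_INDICATORS else None


def scan(lines):
    """Parse each line, classify its destination, and collect findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of mis-parsing them
        verdict = classify(m["dst"])
        if verdict:
            severity, indicator = verdict
            findings.append({"ts": m["ts"], "host": m["host"], "kind": m["kind"],
                             "dst": m["dst"], "indicator": indicator, "severity": severity})
    return findings


# Constructed sample DNS/proxy log lines; hosts and timestamps are made up.
SAMPLE_LOG = [
    "2024-05-02T10:14:03Z WS-07 dns cloud.keepasses.com",
    "2024-05-02T10:14:04Z WS-07 proxy 195.123.247.50:443",
    "2024-05-02T10:20:11Z WS-03 dns vortex.data.microsoft.com",
    "2024-05-02T10:25:40Z DC01 dns api.msudapis.info",
    "2024-05-02T10:30:00Z WS-03 dns www.example.com",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:7} {f['host']:6} {f['kind']:5} {f['dst']} -> {f['indicator']}")
```

The suffix rule is deliberate: C2 infrastructure frequently rotates hostnames under a stable registered domain, so matching only the exact published FQDN misses the next host. The context tier keeps the vendor domains visible in a timeline without paging anyone for ordinary endpoint telemetry.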
Read more: https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive/