Crimson Palace

| Attribute | Detail |
|---|---|
| Type of Threat | Malware Campaign |
| Type of Malware | Trojan |
| Country of Origin | China |
| Targeted Countries | Asia |
| Date of Initial Activity | 2023 |
| Associated Groups | STAC1248 |
| Motivation | Espionage |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of Information Stolen | Communication Data |
Overview
Sophos has recently unveiled a significant and complex cyber espionage operation, known as “Operation Crimson Palace,” which underscores the growing sophistication and scale of state-sponsored cyber threats. This operation, attributed to a Chinese state-backed group, was revealed through an in-depth investigation conducted by the Sophos Managed Detection and Response (MDR) team. The campaign, which primarily targeted a high-profile government organization in Southeast Asia, is marked by its use of advanced malware and innovative attack techniques, reflecting a high level of coordination and strategic intent by the threat actors involved.
The Crimson Palace operation, spanning from March to December 2023, was distinguished by its deployment of multiple, novel malware strains and sophisticated evasion methods. Sophos’s investigation identified three primary clusters of activity—Cluster Alpha, Cluster Bravo, and Cluster Charlie—each exhibiting distinct tactics while also demonstrating overlapping techniques that suggest a unified strategy. This sophisticated approach included the use of DLL sideloading exploits, advanced persistent malware such as CCoreDoor and PocoProxy, and other cutting-edge evasion tactics, aimed at infiltrating and maintaining unauthorized access to the target’s sensitive information.
The campaign’s intricate nature is further highlighted by its alignment with Chinese working hours and the strategic targeting of sensitive military and technical information, which aligns with broader geopolitical interests. The detailed analysis by Sophos not only reveals the technical aspects of the Crimson Palace operation but also emphasizes the evolving threat landscape of state-sponsored cyber espionage. The report underscores the importance of continuous monitoring and intelligence-sharing within the cybersecurity community to effectively counter such advanced and persistent threats.
Targets
Public Administration
How they operate
Initial Access and Execution
Crimson Palace often initiates its attack through phishing schemes or by exploiting vulnerabilities in public-facing applications. Once the initial access is established, the malware employs various execution techniques, including command-line interfaces and malicious file attachments. These methods ensure that the malware code is executed on the target system, enabling it to establish a foothold. The use of sophisticated obfuscation techniques and malicious scripts helps the malware evade detection and make its presence less noticeable.
Persistence and Privilege Escalation
To maintain long-term access, Crimson Palace utilizes persistence mechanisms such as creating new user accounts or modifying registry keys and startup folders. These techniques allow the malware to re-establish itself even after system reboots or other security measures. Privilege escalation is another critical aspect of the campaign; attackers exploit known vulnerabilities to gain elevated privileges, thereby expanding their control over the compromised systems.
Defense Evasion and Credential Access
The campaign employs various defense evasion strategies to avoid detection by security solutions. These include obfuscating files and information, as well as abusing the Windows DLL search order (DLL search order hijacking) so that a legitimate executable loads malicious code covertly. Credential access is a key objective, with attackers using techniques such as credential dumping to extract sensitive information from compromised systems. The stolen credentials can then be used to facilitate further attacks or gain deeper access within the network.
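The DLL search order hijacking described above leaves a recognisable trace in image-load telemetry; the following detector is an added example written for this page (not code from Sophos or the report) and runs two heuristics over constructed Sysmon-style Event ID 7 records, with the system DLL name list and every path being illustrative assumptions rather than indicators from the campaign.

```python
"""Heuristic detector for DLL search-order hijacking / sideloading.
Input records mimic Sysmon Event ID 7 (ImageLoad) fields: Image, ImageLoaded, Signed."""
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
USER_WRITABLE = (r"c:\users", r"c:\programdata", r"c:\windows\temp")
# DLL names that legitimately live in a system directory. Constructed for the
# example; in practice this comes from a baseline of the fleet, not a hand list.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll", "wininet.dll"}

def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")

def _under(path: str, roots) -> bool:
    p = _norm(path)
    return any(p == r or p.startswith(r + "\\") for r in roots)

def classify_load(ev: dict) -> list:
    """Return the reasons an ImageLoad record looks like sideloading (empty if benign)."""
    host, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    reasons = []
    # 1. A DLL carrying a well-known system DLL name resolved from somewhere other
    #    than a system directory: the search order found a planted copy first.
    if dll.name.lower() in SYSTEM_DLL_NAMES and not _under(str(dll), SYSTEM_DIRS):
        reasons.append("system DLL name resolved outside a system directory")
    # 2. A host executable in a user-writable location loading an unsigned DLL
    #    from its own directory: the legitimate-binary-plus-planted-DLL pattern.
    same_dir = _norm(str(dll.parent)) == _norm(str(host.parent))
    if same_dir and _under(str(host), USER_WRITABLE) and ev.get("Signed", "false").lower() == "false":
        reasons.append("unsigned DLL loaded from the host's own user-writable directory")
    return reasons

def scan(events: list) -> list:
    """Run classify_load over a batch of records and keep only the suspicious ones."""
    hits = []
    for ev in events:
        reasons = classify_load(ev)
        if reasons:
            hits.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"], "reasons": reasons})
    return hits

# Constructed sample telemetry; paths and names are illustrative, not IoCs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\Updater\signed_tool.exe", "ImageLoaded": r"C:\ProgramData\Updater\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Both heuristics fire on the second record only; the first is a normal system load and the third is a vendor application loading its own library from a non-writable install directory.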
Discovery and Lateral Movement
Crimson Palace operators conduct extensive discovery activities to map out the network and identify valuable targets. Techniques such as network service scanning and system information discovery are employed to gather details about the network infrastructure and connected devices. This information is crucial for lateral movement, allowing the attackers to use methods like Remote Desktop Protocol (RDP) or Windows Admin Shares to move across the network and compromise additional systems.
Collection and Exfiltration
The final stages of the campaign involve collecting and exfiltrating data from the compromised environment. Data is staged and prepared for exfiltration, often using the established command and control channels to transmit sensitive information out of the network. In some cases, the malware may also perform data destruction or resource hijacking to further impact the target organization.
MITRE Tactics and Techniques
Initial Access (TA0001):
Phishing (T1566): The campaign may use phishing emails or other social engineering techniques to deliver the initial payload.
Exploit Public-Facing Application (T1190): Exploiting vulnerabilities in public-facing applications to gain access.
Execution (TA0002):
Command and Scripting Interpreter (T1059): Utilizing command-line interfaces or scripting languages to execute malicious code.
Malicious File (T1203): Executing malware delivered as a file attachment or download.
Persistence (TA0003):
Create Account (T1136): Creating new user accounts to maintain access.
Registry Run Keys / Startup Folder (T1060): Establishing persistence through registry modifications or startup folders.
Privilege Escalation (TA0004):
Exploitation of Vulnerability (T1203): Exploiting known vulnerabilities to gain elevated privileges.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): Employing various methods to obfuscate malware code and evade detection.
DLL Search Order Hijacking (T1038): Exploiting DLL loading mechanisms to load malicious code.
Credential Access (TA0006):
Credential Dumping (T1003): Attempting to extract credentials from systems.
Discovery (TA0007):
Network Service Scanning (T1046): Scanning the network to identify services and hosts.
System Information Discovery (T1082): Gathering detailed information about system configuration.
Lateral Movement (TA0008):
Remote Desktop Protocol (T1076): Using RDP for accessing and moving laterally across systems.
Windows Admin Shares (T1077): Exploiting administrative shares for lateral movement.
Collection (TA0009):
Data Staged (T1074): Collecting and staging data for exfiltration.
Input Capture (T1056): Capturing user inputs like keystrokes for data collection.
Exfiltration (TA0010):
Exfiltration Over Command and Control Channel (T1041): Sending collected data over the established command and control channel.
Impact (TA0011):
Data Destruction (T1485): Potentially deleting or corrupting data as part of the impact strategy.
Resource Hijacking (T1496): Using compromised systems for unauthorized purposes such as cryptocurrency mining.