Chinese State-Sponsored Operation “Crimson Palace” Revealed
A long-term, Chinese state-sponsored cyber-espionage operation dubbed “Crimson Palace” has been unearthed by security researchers.
Targeting a prominent government entity in Southeast Asia, the operation was discovered during an investigation by the Sophos Managed Detection and Response (MDR) team, triggered by the detection of a DLL sideloading technique that abused a legitimate VMware component, VMNat.exe.
The investigation, spanning from March 2023 to December 2023, revealed three distinct clusters of intrusion activity, named Cluster Alpha, Cluster Bravo and Cluster Charlie. These clusters were observed employing sophisticated evasion techniques and deploying various malware implants, including new variants like CCoreDoor, PocoProxy and an updated version of the EAGERBEE malware.
The Sophos analysis indicates that the campaign’s primary objective was to maintain prolonged access to the target network for espionage purposes, including collecting sensitive military and technical information, and deploying malware for command-and-control (C2) communications.
The research also suggests a high likelihood of coordination among the clusters, indicating a concerted effort orchestrated by a single entity.
“While Sophos identified three distinct patterns of behavior, the timing of operations and overlaps in compromised infrastructure and objectives suggest at least some level of awareness and/or coordination between the clusters in the environment,” the company wrote.
Because Sophos endpoint protection was only partially deployed, the targeted organization had limited visibility into its own network, which allowed the threat actors to operate stealthily; evidence suggests they had access to unmanaged assets dating back to early 2022.
According to the advisory, the campaign’s infrastructure and techniques overlap with those of other Chinese state-sponsored threat actors, indicating a broader ecosystem of cyber-espionage.
“Though we are currently unable to perform high-confidence attribution or confirm the nature of the relationship between these clusters, our current investigation suggests that the clusters reflect the work of separate actors tasked by a central authority with parallel objectives in pursuit of Chinese state interests,” Sophos wrote.
The company also confirmed it has shared indicators and insights from the Crimson Palace campaign to aid further research and assist defenders in disrupting related activities.