Chinese State-Sponsored Operation “Crimson Palace” Revealed
A long-term, Chinese state-sponsored cyber-espionage operation dubbed “Crimson Palace” has been unearthed by security researchers.
Targeting a prominent government entity in Southeast Asia, the operation was discovered during an investigation by the Sophos Managed Detection and Response (MDR) team, triggered by the detection of DLL sideloading that abused a legitimate VMware component, VMNat.exe.
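A defender-side illustration of the trigger described above, added here as an example and not taken from the Sophos report: a heuristic that flags VMNat.exe running from, or loading a DLL from, a location outside where the VMware binary and its dependencies are expected to live. The install directories, the record format and the DLL names are assumptions.

```python
# Added example (not Sophos's detection logic): a simple heuristic for the
# kind of DLL sideloading event that started the Crimson Palace investigation,
# a trusted VMware binary (vmnat.exe) paired with a DLL from an unexpected place.
# Install paths, record format and DLL names below are constructed for illustration.
import ntpath

# Assumed locations: where the legitimate binary and its DLLs normally reside.
EXPECTED_IMAGE_DIRS = (r"c:\program files (x86)\vmware", r"c:\program files\vmware")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _under(path, prefixes):
    p = path.lower()
    return any(p.startswith(pre.lower()) for pre in prefixes)


def is_suspicious_sideload(process_path, dll_path):
    """Flag an image-load event where vmnat.exe runs outside its install
    directory, or loads a DLL that is neither in a system directory nor in
    the VMware install directory (both are benign for the real product)."""
    if ntpath.basename(process_path).lower() != "vmnat.exe":
        return False
    if not _under(process_path, EXPECTED_IMAGE_DIRS):
        return True  # trusted binary copied elsewhere: worth an analyst's look
    return not _under(dll_path, EXPECTED_IMAGE_DIRS + SYSTEM_DIRS)


def scan_image_loads(records):
    """Parse constructed 'process_path|dll_path' records and return the flagged ones."""
    hits = []
    for rec in records:
        proc, dll = rec.strip().split("|", 1)
        if is_suspicious_sideload(proc, dll):
            hits.append((proc, dll))
    return hits


SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    r"C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe|C:\Windows\System32\kernel32.dll",
    r"C:\Users\Public\Music\vmnat.exe|C:\Users\Public\Music\hypothetical_helper.dll",
    r"C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe|C:\ProgramData\tmp\hypothetical_helper.dll",
]

if __name__ == "__main__":
    for proc, dll in scan_image_loads(SAMPLE_EVENTS):
        print("suspicious image load:", proc, "->", dll)
```

The first record is the product's normal behaviour and is not flagged; the other two match the two patterns a sideloading setup tends to produce.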
The investigation, spanning from March 2023 to December 2023, revealed three distinct clusters of intrusion activity, named Cluster Alpha, Cluster Bravo and Cluster Charlie. These clusters were observed employing sophisticated evasion techniques and deploying various malware implants, including new variants like CCoreDoor, PocoProxy and an updated version of the EAGERBEE malware.
The Sophos analysis indicates that the campaign’s primary objective was to maintain prolonged access to the target network for espionage purposes, including collecting sensitive military and technical information, and deploying malware for command-and-control (C2) communications.
The research also suggests a high likelihood of coordination among the clusters, indicating a concerted effort orchestrated by a single entity.
“While Sophos identified three distinct patterns of behavior, the timing of operations and overlaps in compromised infrastructure and objectives suggest at least some level of awareness and/or coordination between the clusters in the environment,” the company wrote.
The targeted organization’s limited visibility, due to partial deployment of Sophos endpoint protection, allowed the threat actors to operate stealthily within the network, with evidence suggesting access to unmanaged assets dating back to early 2022.
According to the advisory, the campaign’s infrastructure and techniques overlap with those of other Chinese state-sponsored threat actors, indicating a broader ecosystem of cyber-espionage.
“Though we are currently unable to perform high-confidence attribution or confirm the nature of the relationship between these clusters, our current investigation suggests that the clusters reflect the work of separate actors tasked by a central authority with parallel objectives in pursuit of Chinese state interests,” Sophos wrote.
The company also confirmed it has shared indicators and insights from the Crimson Palace campaign to aid further research and assist defenders in disrupting related activities.