New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework

Cybersecurity researchers have discovered a previously unreported threat cluster called OP-512 (where "OP" stands for "adversary") that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a custom web shell framework.
ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China.
“OP-512 may be conducting espionage using an Internet Information Services (IIS) web server at the risk of an organization whose sector and country align with China-linked intelligence priorities,” the company said in a report shared with The Hacker News.
Although no overlap was found between OP-512 and other known China-aligned adversaries, it is the fourth such threat group after CL-STA-0048, DragonRank, and GhostRedirector to target IIS web servers in the past 12 months. As recently as last month, Cisco Talos revealed that many Chinese-speaking cybercriminal groups are sharing a malware called BadIIS to infect IIS servers.
IIS servers were also targeted by SHADOW-EARTH-053 as part of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia.
Central to OP-512 is a custom web shell framework made up of three web shells that give the attackers remote access to a compromised host while taking steps to evade signature-based detection and to complicate forensic timelines, notably through timestomping, that is, deliberately altering the timestamps recorded when web shell artifacts are created or modified.
Specifically, the framework scans every file in the folder and subfolders where the web shells reside, calculates the average last-modified timestamp, and overwrites the web shells' creation and modification times with that value, so they appear to have been present for as long as the surrounding application files.
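One way to hunt for the timestamp-averaging trick described above, written as an added example rather than ReliaQuest's or the actor's code: the script builds a throwaway web root, reproduces the technique on a stub file, and then flags any file whose modification time sits at the mean of all the other files but has no neighbouring modifications at all. Genuine deployments land in batches, so a lone file parked exactly at the mean is unusual. The file names, timestamps, thresholds and the web shell name are assumptions made for this example, and only the modification time is simulated because Python's os.utime cannot set NTFS creation time.

```python
"""Heuristic for files timestomped to the directory's average mtime.

Hypothetical example (not from the report). mtime only: on a real IIS host
also compare $STANDARD_INFORMATION with the $FILE_NAME attribute in the MFT,
and cross-check against the first request for the file in the IIS W3C logs.
"""
import os
import statistics
import tempfile
from pathlib import Path

# Constructed fixture: four "legitimate" files in two deployment batches
# (Jan 2022 and Jul 2024) plus one dropped handler. Not real telemetry.
LEGIT_MTIMES = {
    "web.config": 1640995200,        # 2022-01-01
    "bin/App.dll": 1641081600,       # 2022-01-02
    "Default.aspx": 1719792000,      # 2024-07-01
    "bin/Helpers.dll": 1719878400,   # 2024-07-02
}
SHELL_NAME = "upload.ashx"           # assumed web shell file name


def build_fixture(root: Path) -> Path:
    """Create the constructed tree; returns the freshly dropped shell path."""
    for rel, mtime in LEGIT_MTIMES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder")
        os.utime(p, (mtime, mtime))
    shell = root / SHELL_NAME
    shell.write_text("stub")          # inert stand-in, mtime is "now"
    return shell


def all_files(root: Path) -> list:
    return sorted(p for p in root.rglob("*") if p.is_file())


def stomp_to_mean(root: Path, target: Path) -> float:
    """Reproduce the described technique: set the target's timestamps to the
    mean mtime of every other file in the tree so it blends in."""
    others = [p.stat().st_mtime for p in all_files(root) if p != target]
    avg = statistics.mean(others)
    os.utime(target, (avg, avg))
    return avg


def find_stomped(root: Path, tol: float = 2.0, window: float = 7 * 86400) -> list:
    """Flag files whose mtime is within `tol` seconds of the mean mtime of the
    OTHER files and which have no other file modified within `window` seconds.
    Returns POSIX-style relative paths, sorted."""
    mtimes = {p: p.stat().st_mtime for p in all_files(root)}
    flagged = []
    for p, t in mtimes.items():
        others = [v for q, v in mtimes.items() if q != p]
        if len(others) < 2:
            continue
        near_mean = abs(t - statistics.mean(others)) <= tol
        neighbours = sum(1 for v in others if abs(v - t) <= window)
        if near_mean and neighbours == 0:
            flagged.append(p.relative_to(root).as_posix())
    return sorted(flagged)


def demo() -> tuple:
    """Run the heuristic before and after the stomp on a temporary tree."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        shell = build_fixture(root)
        before = find_stomped(root)   # fresh drop: mtime is "now", far from the mean
        stomp_to_mean(root, shell)
        after = find_stomped(root)    # stomped drop: isolated file at the exact mean
        return before, after


if __name__ == "__main__":
    print(demo())
```

The heuristic deliberately fails open when the whole application was deployed in one batch: the mean then coincides with every legitimate file, the stomped file has plenty of neighbours, and nothing is flagged. In that situation the MFT $FILE_NAME comparison and the IIS request logs are the reliable sources.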

“This framework combines capabilities that we rarely see together: each deployment is generated differently, access is limited to the attacker using cryptographic controls, and compromised servers are automatically reported with centralized management at scale,” said ReliaQuest.
OP-512 is closest to CL-STA-0048, which suggests it may be an existing cluster that has completely replaced its tool set, or one that developed these capabilities independently. Regardless of its origin, ReliaQuest treats it as a distinct group that operates on its own.
In an attack observed by the cybersecurity firm, the threat actor targeted a legacy IIS server running Windows Server 2016 with the end-of-life .NET Framework 4.0. There was evidence of earlier activity on the same host about 75 days before the main intrusion, in the form of DNS queries to a different attacker-controlled domain (“ashx.lhlsjcb[.]com”).
The activity that followed weeks later was described as a “sprint”: the attacker used the IIS worker process (“w3wp.exe”) to drop one of the web shells into the application’s directory. The drop triggers a self-reporting mechanism that sends a DNS query or an HTTP request to an attacker-controlled domain, announcing the web shell’s location.
“Together, the three web shells provided the attacker with file management, authenticated command execution with two independent access methods, and automatic self-reporting, all before anyone had time to react,” explained ReliaQuest researchers.
Through the web shells, OP-512 is said to have attempted to elevate privileges to SYSTEM using a Potato-family tool, which abuses the SeImpersonatePrivilege typically held by IIS application pool identities, and to have run commands such as “whoami /priv” to check the privileges it held.
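The drop, the self-report and the post-exploitation step described above leave a recognisable sequence in endpoint telemetry. The following is an added example of a triage script over constructed Sysmon-style events; it is not ReliaQuest's detection content and the field names, sample events, extensions and time window are all assumptions. It flags the IIS worker process writing a server-executed script file, the same process resolving a domain within a few minutes of that write, and w3wp.exe spawning a shell or enumeration tool.

```python
"""Correlate three w3wp.exe behaviours in constructed Sysmon-style events.

Hypothetical example. Event IDs follow Sysmon: 11 FileCreate, 22 DnsQuery,
1 ProcessCreate. The sample events below are constructed, not real logs.
"""
import os
from datetime import datetime, timedelta

W3WP = "w3wp.exe"
SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".asax"}   # executed by IIS, so a write is a drop
LOLBINS = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "certutil.exe"}
BEACON_WINDOW = timedelta(minutes=5)                 # assumed self-report delay

SAMPLE_EVENTS = [
    {"id": 11, "time": "2025-03-10T02:14:05Z",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\app\upload.ashx"},
    {"id": 22, "time": "2025-03-10T02:14:07Z",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "query": "ashx.lhlsjcb.com"},
    {"id": 11, "time": "2025-03-10T02:20:00Z",            # benign: compression cache
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\temp\IIS Temporary Compressed Files\app\page.gz"},
    {"id": 22, "time": "2025-03-10T02:21:00Z",            # benign: not the worker process
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "update.example.com"},
    {"id": 1, "time": "2025-03-10T02:16:30Z",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "cmd.exe /c whoami /priv"},
    {"id": 1, "time": "2025-03-10T09:00:00Z",             # benign: interactive user shell
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _base(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def webshell_writes(events: list) -> list:
    """FileCreate by w3wp.exe of a file IIS would execute."""
    return [e for e in events if e["id"] == 11 and _base(e["image"]) == W3WP
            and os.path.splitext(e["target"])[1].lower() in SCRIPT_EXT]


def worker_dns(events: list) -> list:
    """Any DNS resolution performed by the worker process itself."""
    return [e for e in events if e["id"] == 22 and _base(e["image"]) == W3WP]


def worker_children(events: list) -> list:
    """w3wp.exe spawning a shell or enumeration binary."""
    return [e for e in events if e["id"] == 1 and _base(e.get("parent", "")) == W3WP
            and _base(e["image"]) in LOLBINS]


def correlate(events: list) -> list:
    """Return (finding, detail) pairs: each drop, any DNS query from the worker
    within BEACON_WINDOW after it, and every suspicious child process."""
    findings = []
    for w in webshell_writes(events):
        findings.append(("webshell_write", w["target"]))
        t0 = _ts(w["time"])
        for d in worker_dns(events):
            if timedelta(0) <= _ts(d["time"]) - t0 <= BEACON_WINDOW:
                findings.append(("self_report", d["query"]))
    for c in worker_children(events):
        findings.append(("worker_child", c["cmdline"]))
    return findings


if __name__ == "__main__":
    for kind, detail in correlate(SAMPLE_EVENTS):
        print(f"{kind:15} {detail}")
```

In production the DNS rule needs an allowlist, since a worker process legitimately resolves its own back-end hosts; the file-write rule is the strong signal, because an application that writes its own .aspx or .ashx handlers at runtime is rare and can be baselined per site. A w3wp.exe child running `whoami /priv` is worth an alert on its own, and the application pool identity's SeImpersonatePrivilege is what makes the Potato step possible, so confirming which identities hold it is a useful hardening check.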
“Four China-linked clusters targeting the same technology in less than a year is unlikely to be a coincidence,” ReliaQuest said. “Internet-facing IIS servers running legacy, unsupported software remain a popular entry point throughout this threat ecosystem and show no signs of slowing down.”
“What should be of most concern to defenders is what makes OP-512 unique. This threat suite does not use proprietary tools and recycles them across campaigns. It uses a purpose-built framework designed to defeat the detection methods that work against the other three suites. Organizations that have adjusted their defenses against known actors are likely not included here.”