
Web Server Exploits and Mimikatz Used in Attacks Against Asia’s Critical Infrastructure

Ravie Lakshmanan | March 09, 2026 | Threat Intelligence / Web Security

High-value organizations located in South, Southeast, and East Asia have been targeted by a China-nexus threat actor as part of a multi-year campaign.

The campaign, which targets the aerospace, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors, has been attributed by Palo Alto Networks Unit 42 to a previously undocumented threat cluster it tracks as CL-UNK-1068, where “CL” stands for “cluster” and “UNK” for unknown motivation.

However, the security vendor assessed with “moderate to high confidence” that the primary purpose of the campaign was cyber espionage.

“Our analysis reveals a multi-faceted tool set that includes malware, modified open source tools, and living-off-the-land binaries (LOLBINs),” said security researcher Tom Fakterman. “This provides a simple, effective way for attackers to maintain a continuous presence across target environments.”

The tools are designed to target both Windows and Linux environments, and the adversary relies on a mix of open-source tools and malware families such as Godzilla, ANTSWORD, Xnote, and Fast Reverse Proxy (FRP), all of which have been used by various Chinese hacking groups.

While Godzilla and ANTSWORD are both web shells, Xnote is a Linux backdoor observed in the wild since 2015 and used by a threat actor known as Earth Berberoka (aka GamblingPuppet) in attacks targeting online gambling sites.

Common attack chains involve exploiting Internet-facing web servers to deploy web shells and pivot to other hosts, followed by attempts to steal files with specific extensions (“web.config,” “.aspx,” “.asmx,” “.asax,” and “.dll”) from the directory “C:\inetpub\wwwroot”, likely in an attempt to harvest credentials or other sensitive information from the web server’s configuration and application code.

Other files harvested by CL-UNK-1068 include web browser history and bookmarks, XLSX and CSV files from desktops and user profile directories, and database backup files (.bak) from MS-SQL servers.

Interestingly, the threat actors have been observed using WinRAR to archive the files of interest, Base64-encoding the archives with the certutil -encode command, and then using the type command to print the Base64 text into the web shell’s command output.

“By encoding the archives as text and printing them on their screen, the attackers were able to extract data without uploading the files,” said Unit 42. “The attackers may have chosen this method because the shell on the host allowed them to run commands and view the output, but not to transfer files directly.”
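The chain described above (archive, certutil -encode, type, all spawned under the web server’s worker process) leaves a recognizable footprint in process-creation telemetry. The following Python is an added example, not code from Unit 42 or the actor’s tooling: it correlates a certutil -encode invocation with a later type of the same output file on the same host, raises the severity when either descends from a web worker, and shows how to recover the bytes from text copied out of a web shell’s output. The event records are constructed for this example, and the field names (ts, host, pid, ppid, parent, image, cmdline), the list of web worker names and the 30-minute window are assumptions to tune per environment.

```python
"""Added example: detect archive -> certutil -encode -> type exfil under a web worker,
and decode what was printed. Records are constructed, simplified process-creation
events (Sysmon Event ID 1 style); field names are an assumption, not a product schema."""
import base64
import re
from datetime import datetime, timedelta

# Assumed list of web server worker processes; a cmd.exe child of one of these is a web shell tell.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
CERTUTIL_ENCODE = re.compile(r'certutil(?:\.exe)?\s+(?:-f\s+)?-encode\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.I)
TYPE_CMD = re.compile(r'\btype\s+"?([^"\s]+)"?', re.I)
PEM_HDR, PEM_FTR = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

W3WP, CMD, CERTUTIL = (r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                       r"C:\Windows\System32\certutil.exe")
RAR = r"C:\Program Files\WinRAR\Rar.exe"

# Constructed sample telemetry: one exfil chain on web01 plus benign noise on ws07.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T10:00:01", "host": "web01", "pid": 4120, "ppid": 3001, "parent": W3WP, "image": CMD,
     "cmdline": f'cmd.exe /c "{RAR}" a -hpSecret C:\\Windows\\Temp\\w.rar C:\\inetpub\\wwwroot\\web.config'},
    {"ts": "2026-03-01T10:00:02", "host": "web01", "pid": 4130, "ppid": 4120, "parent": CMD, "image": RAR,
     "cmdline": f'"{RAR}" a -hpSecret C:\\Windows\\Temp\\w.rar C:\\inetpub\\wwwroot\\web.config'},
    {"ts": "2026-03-01T10:00:40", "host": "web01", "pid": 4140, "ppid": 3001, "parent": W3WP, "image": CMD,
     "cmdline": r"cmd.exe /c certutil -encode C:\Windows\Temp\w.rar C:\Windows\Temp\w.txt"},
    {"ts": "2026-03-01T10:00:41", "host": "web01", "pid": 4150, "ppid": 4140, "parent": CMD, "image": CERTUTIL,
     "cmdline": r"certutil -encode C:\Windows\Temp\w.rar C:\Windows\Temp\w.txt"},
    {"ts": "2026-03-01T10:01:15", "host": "web01", "pid": 4160, "ppid": 3001, "parent": W3WP, "image": CMD,
     "cmdline": r"cmd.exe /c type C:\Windows\Temp\w.txt"},
    {"ts": "2026-03-01T10:05:00", "host": "ws07", "pid": 812, "ppid": 700, "parent": r"C:\Windows\explorer.exe",
     "image": CMD, "cmdline": r"cmd.exe /c type C:\Users\bob\notes.txt"},
    {"ts": "2026-03-01T10:06:00", "host": "ws07", "pid": 813, "ppid": 812, "parent": CMD, "image": CERTUTIL,
     "cmdline": r"certutil -encode C:\certs\srv.cer C:\certs\srv.pem"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def descends_from_web_worker(ev, by_pid):
    """Walk the parent chain (as far as we hold records) looking for a web worker."""
    cur = ev
    for _ in range(16):  # bound the walk; pid reuse is ignored in this constructed tree
        if basename(cur["parent"]) in WEB_WORKERS:
            return True
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return False
    return False


def detect_certutil_exfil(events, window=timedelta(minutes=30)):
    """Alert when a file produced by certutil -encode is later printed with `type` on the same host."""
    by_pid = {e["pid"]: e for e in events}
    encodes, alerts, seen = [], [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        web = descends_from_web_worker(ev, by_pid)
        m = CERTUTIL_ENCODE.search(ev["cmdline"])
        if m and basename(ev["image"]) == "certutil.exe":  # record the real encode, not the cmd wrapper
            encodes.append((ts, ev["host"], m.group(1).lower(), m.group(2).lower(), web))
            continue
        t = TYPE_CMD.search(ev["cmdline"]) if basename(ev["image"]) == "cmd.exe" else None
        if not t:
            continue
        shown = t.group(1).lower()
        for ets, host, src, dst, eweb in encodes:
            key = (host, src, dst)
            if host == ev["host"] and dst == shown and ts - ets <= window and key not in seen:
                seen.add(key)
                alerts.append({"host": host, "archive": src, "encoded": dst, "via_web_worker": web or eweb})
    return alerts


def certutil_style_encode(data):
    """Reproduce the layout certutil -encode writes: PEM-style header/footer, 64-column lines, CRLF."""
    b64 = base64.b64encode(data).decode()
    return "\r\n".join([PEM_HDR, *(b64[i:i + 64] for i in range(0, len(b64), 64)), PEM_FTR]) + "\r\n"


def decode_certutil_output(text):
    """Recover the original bytes from text copied out of a web shell's command output."""
    body = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def looks_like_rar(data):
    """RAR 1.5-4.x and RAR 5 signatures; a 'certificate' that decodes to this was an archive."""
    return data.startswith(b"Rar!\x1a\x07\x00") or data.startswith(b"Rar!\x1a\x07\x01\x00")


if __name__ == "__main__":
    for a in detect_certutil_exfil(SAMPLE_EVENTS):
        print("ALERT", a)
    blob = decode_certutil_output(certutil_style_encode(b"Rar!\x1a\x07\x01\x00" + b"constructed payload"))
    print("decoded looks like RAR:", looks_like_rar(blob))
```

The "-----BEGIN CERTIFICATE-----" wrapper is what makes this worth knowing on the forensic side: a block of apparent certificate text in web access logs, proxy captures or a web shell’s response body that decodes to a RAR or ZIP signature is exfiltrated data, not a certificate. On the detection side, the cheapest single signal is any cmd.exe or certutil.exe whose parent is the web server worker; the correlation above only adds confidence and recovers which file left.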

One notable technique in this campaign is the abuse of legitimate Python interpreter binaries (“python.exe” and “pythonw.exe”) for DLL sideloading, causing the signed interpreter to load malicious DLLs that include FRP for persistent access, PrintSpoofer for privilege escalation, and a custom Go-based scanner called ScanPortPlus.
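The reason python.exe is a convenient sideloading host is that it resolves its runtime DLL (python3.dll or python3XY.dll) from its own directory, so a copy of the interpreter dropped beside a same-named malicious DLL will load it while still presenting a Python Software Foundation signed image to allowlisting. The following Python is an added example, not code from the Unit 42 report: it scores image-load records for an interpreter running outside known install roots, a runtime DLL resolved from that same unexpected directory, and a DLL not signed by the expected publisher. The records are constructed, simplified Sysmon Event ID 7 style events; the field names, the original_file_name field (assumed to be joined in from the process-creation event so a renamed interpreter is still recognized) and the allowlist of install roots are assumptions to tune per environment.

```python
"""Added example: heuristics for python.exe / pythonw.exe DLL sideloading.
Records are constructed, simplified image-load events (Sysmon Event ID 7 style);
field names and the install-root allowlist are assumptions, not a product schema."""
import re

# Assumed baseline of legitimate interpreter locations; extend for your estate.
KNOWN_PYTHON_ROOTS = (
    r"c:\program files\python3", r"c:\program files (x86)\python3", r"c:\python3",
    r"c:\programdata\anaconda3", r"c:\program files\anaconda3",
)
USER_ROOT_RE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata\\local\\programs\\python\\python3\d+|anaconda3|miniconda3)\\", re.I)
INTERPRETER_RE = re.compile(r"^pythonw?\.exe$", re.I)
RUNTIME_DLL_RE = re.compile(r"^python3\d*\.dll$", re.I)  # python3.dll (stable ABI) or python3XY.dll
TRUSTED_SIGNER = "python software foundation"

# Constructed sample telemetry: two legitimate interpreters, one dropped copy, one renamed copy.
SAMPLE_IMAGE_LOADS = [
    {"host": "ws07", "pid": 2201, "image": r"C:\Program Files\Python312\python.exe",
     "image_loaded": r"C:\Program Files\Python312\python312.dll",
     "signed": True, "signer": "Python Software Foundation"},
    {"host": "ws07", "pid": 2310, "image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python311.dll",
     "signed": True, "signer": "Python Software Foundation"},
    {"host": "web01", "pid": 5012, "image": r"C:\ProgramData\USOShared\pythonw.exe",
     "image_loaded": r"C:\ProgramData\USOShared\python3.dll", "signed": False, "signer": None},
    # original_file_name is assumed to come from the process-creation event (PE header name survives renaming)
    {"host": "web01", "pid": 5030, "image": r"C:\Windows\Temp\svchost.exe", "original_file_name": "python.exe",
     "image_loaded": r"C:\Windows\Temp\python39.dll", "signed": False, "signer": None},
]


def norm(p):
    return p.replace("/", "\\").lower()


def dirname(p):
    return norm(p).rsplit("\\", 1)[0] + "\\"


def basename(p):
    return norm(p).rsplit("\\", 1)[-1]


def in_known_root(path):
    d = dirname(path)
    return d.startswith(KNOWN_PYTHON_ROOTS) or bool(USER_ROOT_RE.match(d))


def score_image_load(ev):
    """Return (score, reasons) for one image-load event; 0 means not a Python runtime load at all."""
    exe, dll = norm(ev["image"]), norm(ev["image_loaded"])
    name = (ev.get("original_file_name") or basename(exe)).lower()
    if not INTERPRETER_RE.match(name) or not RUNTIME_DLL_RE.match(basename(dll)):
        return 0, []
    score, reasons = 0, []
    if not in_known_root(exe):
        score += 1
        reasons.append(f"interpreter outside known install roots: {exe}")
    if dirname(dll) == dirname(exe) and not in_known_root(dll):
        score += 1
        reasons.append(f"runtime DLL resolved from the interpreter's own unexpected directory: {dll}")
    if not ev.get("signed") or (ev.get("signer") or "").lower() != TRUSTED_SIGNER:
        score += 2  # strongest signal: a genuine python3XY.dll carries the publisher's signature
        reasons.append(f"runtime DLL not signed by the expected publisher (signer={ev.get('signer')!r})")
    return score, reasons


def detect_python_sideload(events, threshold=2):
    """Alerts for every event whose heuristic score reaches the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_image_load(ev)
        if score >= threshold:
            alerts.append({"host": ev["host"], "pid": ev["pid"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_python_sideload(SAMPLE_IMAGE_LOADS):
        print("ALERT", a["host"], a["pid"], a["score"], *a["reasons"], sep="\n  ")
```

Signature state is deliberately weighted highest: location heuristics break the moment a developer installs Python somewhere unusual, whereas a python3XY.dll that is unsigned, or signed by anyone other than the Python Software Foundation, has no legitimate explanation. The same pattern (signed host binary, unsigned same-directory DLL) generalizes to other sideloading hosts if the interpreter and DLL name patterns are swapped out.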

CL-UNK-1068 is also said to have engaged in credential dumping using a custom .NET tool named SuperDump as far back as 2020. More recent intrusions have shifted to a new approach that uses batch scripts to gather host information and map the local network.

The adversary also uses a variety of other tools to facilitate data theft –

“Using primarily open-source tools, malware and batch scripts, the group has maintained covert operations while infiltrating sensitive organizations,” Unit 42 concluded.

“This cluster of activity shows flexibility by operating in both Windows and Linux environments, using different versions of its tool set tailored to each operating system. Although the focus on the theft of sensitive information and the extraction of sensitive data from critical infrastructure and government sectors strongly suggests an espionage motive, we cannot yet fully rule out cybercriminal intent.”
