As part of a multi-year campaign, a Chinese threat actor has targeted high-value organizations in South, Southeast, and East Asia. Palo Alto Networks Unit 42 has linked the activity—which has targeted the aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors—to an unidentified threat activity group known as CL-UNK-1068, where "CL" stands for "cluster" and "UNK" for "unknown motivation." Nonetheless, the security vendor has determined with "moderate-to-high confidence" that cyber espionage is the campaign's main goal.
According to security researcher Tom Fakterman, "Our analysis reveals a multifaceted tool set that includes custom malware, modified open-source utilities, and living-off-the-land binaries (LOLBINs)."
"These give the attackers a quick and easy way to stay active in the targeted environments." The adversary uses a variety of open-source tools and malware families, including Godzilla, ANTSWORD, Xnote, and Fast Reverse Proxy (FRP), which have all been used by different Chinese hacking groups. The tools are intended to target both Windows and Linux environments.
Godzilla and ANTSWORD are both web shells, but Xnote is a Linux backdoor that has been found in the wild since 2015. Earth Berberoka, also known as GamblingPuppet, is an adversarial collective that uses Xnote to attack online gambling sites.
Typical attack chains involve exploiting web servers to deliver web shells and then moving laterally to other hosts, followed by attempts to steal files matching certain names or extensions ("web.config," ".aspx," ".asmx," ".asax," and ".dll") from the "C:\inetpub\wwwroot" directory of a Windows web server, likely to steal credentials (web.config often holds database connection strings) or to discover vulnerabilities in the deployed application code. Other files harvested by CL-UNK-1068 include web browser history and bookmarks, XLSX and CSV files from desktop and user directories, and database backup (.bak) files from MS-SQL servers. In an interesting twist, the threat actors have been observed using WinRAR to archive the relevant files, Base64-encoding the archives with the "certutil -encode" command, and then running the "type" command to print the Base64 text into the web shell's command output.
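The archive, encode and print steps above leave a distinctive process-creation trail, and the encoded text that comes back through the web shell has a recognisable shape. The following is an added example, not code from the Unit 42 report or from the page: detection logic that links the three steps on one host through the file paths they share, run over constructed process-creation records, plus a decoder for the envelope that certutil -encode produces, as a defender would see it in a captured web-shell response. The record field names, host names and file paths are assumptions chosen for the example.

```python
"""Added example: detect the archive -> certutil -encode -> type exfiltration chain
and decode a certutil-style envelope. Field names and sample data are assumptions."""
import base64
import re
from collections import defaultdict

# Web-server worker processes a web shell would spawn its commands from.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "php-cgi.exe"}
RAR_SIGNATURES = (b"Rar!\x1a\x07\x01\x00", b"Rar!\x1a\x07\x00")  # RAR5, RAR4
# certutil -encode wraps the Base64 in a PEM-style CERTIFICATE envelope.
_ENVELOPE = re.compile(r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.S)


def tokenize(cmdline):
    """Split a Windows command line, honouring double-quoted arguments."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def archive_output(toks):
    """Archive path from 'Rar.exe a [switches] archive files...', else None."""
    if len(toks) < 3 or basename(toks[0]) not in {"rar.exe", "winrar.exe"} or toks[1].lower() != "a":
        return None
    return next((t for t in toks[2:] if not t.startswith("-")), None)


def certutil_encode(toks):
    """(infile, outfile) from 'certutil -encode in out', else None."""
    if not toks or basename(toks[0]) not in {"certutil", "certutil.exe"}:
        return None
    low = [t.lower() for t in toks]
    if "-encode" not in low:
        return None
    i = low.index("-encode")
    return (toks[i + 1], toks[i + 2]) if len(toks) > i + 2 else None


def type_target(toks):
    """File printed by 'cmd /c type file', else None."""
    low = [t.lower() for t in toks]
    if "type" not in low:
        return None
    i = low.index("type")
    return toks[i + 1] if len(toks) > i + 1 else None


def detect_exfil_chain(events):
    """Link archive, encode and type steps per host by shared file paths.

    A finding needs the certutil -encode step plus at least one other stage tied
    to it by a path, so an isolated certutil -encode on its own does not fire."""
    findings, by_host = [], defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        archives, encodes, typed = {}, {}, set()
        for e in evs:
            toks = tokenize(e["cmdline"])
            if (out := archive_output(toks)):
                archives[out.lower()] = e
            if (enc := certutil_encode(toks)):
                encodes[enc[1].lower()] = (enc[0].lower(), e)
            if (t := type_target(toks)):
                typed.add(t.lower())
        for encoded, (source, enc_event) in encodes.items():
            stages = ["certutil -encode"]
            if source in archives:
                stages.insert(0, "archive")
            if encoded in typed:
                stages.append("type")
            if len(stages) > 1:
                findings.append({"host": host, "stages": stages, "archive": source, "encoded": encoded,
                                 "web_parent": basename(enc_event["parent"]) in WEB_SERVER_PARENTS})
    return findings


def decode_certutil_output(text):
    """Strip the certutil envelope from captured output and return the raw bytes, or None."""
    m = _ENVELOPE.search(text)
    return base64.b64decode("".join(m.group("body").split())) if m else None


def looks_like_rar(data):
    return data is not None and data.startswith(RAR_SIGNATURES)


# Constructed sample events, modelled loosely on Sysmon process-creation fields.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": "w3wp.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -r C:\Windows\Temp\w.rar '
                r'C:\inetpub\wwwroot\web.config C:\inetpub\wwwroot\*.aspx C:\inetpub\wwwroot\bin\*.dll'},
    {"host": "web01", "parent": "w3wp.exe", "cmdline": r"certutil -encode C:\Windows\Temp\w.rar C:\Windows\Temp\w.txt"},
    {"host": "web01", "parent": "w3wp.exe", "cmdline": r"cmd.exe /c type C:\Windows\Temp\w.txt"},
    # Benign: an admin on another host using certutil for something unrelated.
    {"host": "build02", "parent": "explorer.exe", "cmdline": r"certutil -hashfile C:\build\out.msi SHA256"},
]


def certutil_style(data, width=64):
    """Re-create the certutil -encode layout for a constructed web-shell response."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines) + "\r\n-----END CERTIFICATE-----\r\n"


# Constructed: a RAR5 signature followed by filler bytes, not a real archive.
SAMPLE_RESPONSE = certutil_style(RAR_SIGNATURES[0] + b"\x00" * 56)

if __name__ == "__main__":
    for f in detect_exfil_chain(SAMPLE_EVENTS):
        print(f)
    print("decoded payload looks like RAR:", looks_like_rar(decode_certutil_output(SAMPLE_RESPONSE)))
```

Chaining by path rather than alerting on any certutil -encode keeps administrative uses of certutil out of the queue; the web-server parent flag is what raises a linked chain from suspicious to near-certain. The decoder is the defensive mirror of the technique: if a proxy or web-server log captured the response body, stripping the envelope and checking the leading bytes tells you what left the network.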
According to Unit 42, "the attackers were able to exfiltrate data without actually uploading any files by encoding the archives as text and printing them to their screen." "The shell on the host allowed them to run commands and view output, but not to directly transfer files, which is probably why the attackers chose this method." Another technique seen in these attacks is DLL side-loading: legitimate Python executables ("python.exe" and "pythonw.exe") are abused to covertly load malicious DLLs, including FRP for persistent access, PrintSpoofer for privilege escalation, and a Go-based custom scanner called ScanPortPlus.
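The side-loading works because of the default Windows DLL search order: python.exe and pythonw.exe resolve their runtime DLL (python3.dll or python3XX.dll), which is not a KnownDLL, from the application's own directory first, so a copied host binary placed beside a malicious DLL of that name loads it. The following is an added example, not code from the report or the page: a triage check over constructed image-load records (process image, loaded module, signature status) that scores a load for this pattern, and shows how a signed, vendor-bundled interpreter outside the standard install roots scores low rather than alerting. The install-root patterns, the weights and all sample paths are assumptions for the example.

```python
"""Added example: score image-load records for python.exe / pythonw.exe DLL side-loading.
Install roots, weights and sample records are assumptions, not from the report."""
import re

PYTHON_HOSTS = {"python.exe", "pythonw.exe"}
PYTHON_RUNTIME_DLL = re.compile(r"^python3\d*\.dll$", re.I)
# Where a Python runtime DLL legitimately lives on a managed host (assumed for the example).
KNOWN_INSTALL_ROOTS = [
    re.compile(r"^c:\\program files( \(x86\))?\\python\d+(-32)?\\", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\programs\\python\\python\d+(-32)?\\", re.I),
]


def _norm(path):
    return path.replace("/", "\\").lower()


def _base(path):
    return _norm(path).rsplit("\\", 1)[-1]


def _dir(path):
    return _norm(path).rsplit("\\", 1)[0]


def in_known_root(path):
    return any(r.match(_norm(path)) for r in KNOWN_INSTALL_ROOTS)


def sideload_score(event):
    """Return (score, reasons) for one image-load; (0, []) when the record is not applicable.

    Only a Python host binary loading something named like its runtime DLL is considered,
    so other processes and other modules never contribute noise. An unsigned runtime DLL
    weighs most; location-based signals alone only mark a low-confidence finding."""
    proc, mod = event["process"], event["module"]
    if _base(proc) not in PYTHON_HOSTS or not PYTHON_RUNTIME_DLL.match(_base(mod)):
        return 0, []
    score, reasons = 0, []
    if not event.get("signed", False):
        score += 3
        reasons.append("runtime DLL is not signed")
    if not in_known_root(mod):
        score += 1
        reasons.append("runtime DLL outside any known install root")
    if _dir(proc) == _dir(mod) and not in_known_root(proc):
        score += 1
        reasons.append("host binary and DLL sit together outside any install root")
    return score, reasons


def scan_image_loads(events, threshold=3):
    """Return findings at or above the threshold, each with its score and reasons."""
    out = []
    for e in events:
        score, reasons = sideload_score(e)
        if score >= threshold:
            out.append({"process": e["process"], "module": e["module"], "score": score, "reasons": reasons})
    return out


# Constructed sample records, modelled loosely on Sysmon image-load fields.
SAMPLE_IMAGE_LOADS = [
    # Copied pythonw.exe beside an unsigned python3.dll in a world-writable directory.
    {"process": r"C:\Users\Public\Libraries\pythonw.exe",
     "module": r"C:\Users\Public\Libraries\python3.dll", "signed": False},
    # Standard per-machine install.
    {"process": r"C:\Program Files\Python312\python.exe",
     "module": r"C:\Program Files\Python312\python312.dll", "signed": True},
    # Standard per-user install.
    {"process": r"C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe",
     "module": r"C:\Users\alice\AppData\Local\Programs\Python\Python312\python312.dll", "signed": True},
    # Signed interpreter bundled with a third-party product: scores low, not an alert at the default threshold.
    {"process": r"C:\Program Files\SomeVendor\Tool\python.exe",
     "module": r"C:\Program Files\SomeVendor\Tool\python312.dll", "signed": True},
    # Unrelated process and module.
    {"process": r"C:\Windows\System32\notepad.exe",
     "module": r"C:\Windows\System32\kernel32.dll", "signed": True},
]

if __name__ == "__main__":
    for finding in scan_image_loads(SAMPLE_IMAGE_LOADS):
        print(finding)
```

The threshold is the triage trade-off: at the default only the unsigned DLL in a user-writable directory surfaces, while lowering it to 1 also returns the vendor-bundled interpreter for review. A side-loaded DLL carrying a valid signature would score only on location, so on hosts where Python has no business running at all, the location signals alone deserve the lower threshold.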
Additionally, it is reported that as early as 2020, CL-UNK-1068 was conducting reconnaissance using a unique .NET tool called SuperDump.
Recent intrusions have switched to a new approach that maps the local environment and gathers host data using batch scripts. The adversary also uses a variety of tools to enable credential theft: the Volatility Framework to extract password hashes from memory; the SQL Server Management Studio Password Export Tool to extract the contents of "sqlstudio.bin," which stores connection information for Microsoft SQL Server Management Studio (SSMS); Mimikatz to dump passwords from memory; LsaRecorder, which hooks LsaApLogonUserEx2 to record the WinLogon password; and DumpItForLinux, for memory acquisition on Linux hosts.
"This cluster of activity demonstrates versatility by operating across both Windows and Linux environments, using different versions of their tool set for each operating system," Unit 42 said. "We cannot yet completely rule out cybercriminal intentions, even though the emphasis on credential theft and sensitive data exfiltration from government and critical infrastructure sectors strongly suggests an espionage motive."