A suspected China-nexus cyber espionage actor, named “Velvet Ant,” has been targeting an unnamed organization in East Asia in a three-year-long cyber espionage campaign involving the PlugX malware. The group leveraged legacy F5 BIG-IP appliances as internal command-and-control (C&C) servers to evade detection.
Velvet Ant achieved persistence by establishing and maintaining multiple footholds within the victim company’s environment, one of which was the use of an outdated F5 BIG-IP appliance, exposed to the internet and exploited as an internal C&C server. When one foothold was discovered and remediated, the threat actor quickly pivoted to another, according to cybersecurity firm Sygnia.
Velvet Ant's techniques included hijacking execution flow using methods such as DLL search order hijacking, Phantom DLL loading, and DLL side loading. After initial remediation efforts thwarted the attack, the threat actor targeted legacy operating systems, particularly Windows Server 2003 systems where Endpoint Detection and Response (EDR) products were not installed, and logging was limited.
Velvet Ant resumed activity by utilizing previously deployed malware that remained dormant for months. The group employed PlugX, a tool widely used by Chinese state-sponsored groups since 2008, designed to provide remote access to infected systems. The PlugX execution chain in this network consisted of three files: 'iviewers.exe' (a legitimate application called 'OLE/COM Object Viewer' from the Windows SDK), 'iviewers.dll' (the malicious PlugX DLL loader, loaded by 'iviewers.exe' via DLL search order hijacking) and 'iviewers.dll.ui' (the actual malicious payload, loaded by 'iviewers.dll').
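As an added defensive example (not code from Sygnia's report), the following Python flags the side-loading pattern described above in constructed Sysmon-style image-load records: the SDK binary loading its namesake DLL from its own directory outside the SDK install tree. The Windows Kits install path, the key=value log format and the sample records are assumptions made for the example.

```python
# Added detection example: flag image-load events where the Windows SDK's
# iviewers.exe loads an iviewers.dll sitting beside it outside the SDK install
# path, i.e. the DLL search order hijacking chain described in the article.
import ntpath
import re

# Assumption: the legitimate OLE/COM Object Viewer ships under Windows Kits.
SDK_ROOT = r"c:\program files (x86)\windows kits"
# Known-hijackable loader binary -> the DLL name it resolves via search order.
HIJACKED_PAIRS = {"iviewers.exe": "iviewers.dll"}

# Constructed Sysmon-style image-load records (Event ID 7), one per line:
# Image=<loading process> ImageLoaded=<dll> Signed=<true|false>
SAMPLE_EVENTS = """\
Image=C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\iviewers.exe ImageLoaded=C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\iviewers.dll Signed=true
Image=C:\\Users\\Public\\iviewers.exe ImageLoaded=C:\\Users\\Public\\iviewers.dll Signed=false
Image=C:\\Users\\Public\\iviewers.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true
Image=C:\\Windows\\System32\\notepad.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true
"""

# Lazy value match that stops before the next "Key=" token or end of line,
# so values containing spaces (Program Files) survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line: str) -> dict:
    return {k: v for k, v in FIELD_RE.findall(line.strip())}

def is_sideload(event: dict) -> bool:
    """True when a hijackable SDK binary loads its namesake DLL from its own
    directory and that directory is not the SDK install tree."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    exe_name = ntpath.basename(image).lower()
    dll_name = ntpath.basename(loaded).lower()
    if HIJACKED_PAIRS.get(exe_name) != dll_name:
        return False
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    outside_sdk = not ntpath.dirname(loaded).lower().startswith(SDK_ROOT)
    return same_dir and outside_sdk

def find_sideload_candidates(log_text: str) -> list:
    """Return (process image, loaded DLL) pairs matching the hijack pattern."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            if is_sideload(ev):
                hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits

if __name__ == "__main__":
    for image, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL search order hijack: {image} loaded {dll}")
```

Pairing the hit with a file-system check for a sibling 'iviewers.dll.ui' would raise confidence further, since the legitimate SDK tool ships no such file.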
When moving laterally to newer Windows versions, Velvet Ant tampered with the EDR product prior to installing PlugX. In one instance, the threat actor's attempt to disable the EDR product on a target workstation failed, leading to a decision not to proceed with PlugX installation. Impacket, an open-source collection of Python classes, was used for lateral tool transfer and remote code execution on hosts, specifically employing Impacket’s wmiexec.py for executing remote commands via Windows Management Instrumentation (WMI).
Days after eliminating Velvet Ant’s presence, the researchers detected new PlugX infections. Analysis revealed that there was no external C&C server configured. Instead, Velvet Ant reconfigured PlugX to use an internal file server as its C&C, blending the C&C traffic with legitimate internal network traffic.
This defense evasion technique showed that Velvet Ant deployed two versions of PlugX within the network. The first version, with an external C&C server, was installed on endpoints with direct internet access for exfiltrating sensitive information. The second version, lacking an external C&C, was deployed exclusively on legacy servers.