17 June 2024

Suspected Chinese espionage actor targeted East Asian org using legacy F5 BIG-IP devices


A suspected China-nexus cyber espionage actor, named “Velvet Ant,” has been targeting an unnamed organization in East Asia in a three-year-long cyber espionage campaign involving the PlugX malware. The group leveraged legacy F5 BIG-IP appliances as internal command-and-control (C&C) servers to evade detection.

Velvet Ant achieved persistence by establishing and maintaining multiple footholds within the victim company’s environment, one of which was an outdated F5 BIG-IP appliance, exposed to the internet and exploited as an internal C&C server. When one foothold was discovered and remediated, the threat actor quickly pivoted to another, according to cybersecurity firm Sygnia.

Velvet Ant's techniques included hijacking execution flow using methods such as DLL search order hijacking, Phantom DLL loading, and DLL side loading. After initial remediation efforts thwarted the attack, the threat actor targeted legacy operating systems, particularly Windows Server 2003 systems where Endpoint Detection and Response (EDR) products were not installed, and logging was limited.

Velvet Ant resumed activity by utilizing previously deployed malware that remained dormant for months. The group employed PlugX, a tool widely used by Chinese state-sponsored groups since 2008, designed to provide remote access to infected systems. The PlugX execution chain in this network consisted of three files: ‘iviewers.exe’ (a legitimate application called ‘OLE/COM Object Viewer’ from the Windows SDK), ‘iviewers.dll’ (the malicious PlugX DLL loader, loaded by ‘iviewers.exe’ via DLL search order hijacking) and ‘iviewers.dll.ui’ (the actual malicious payload, loaded by ‘iviewers.dll’).
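Detection logic for the three-file PlugX chain described above, written as an added example for this article (it is not code from Sygnia or the original report). It assumes image-load telemetry with the process path, the loaded module path and the files sitting next to the process, and treats any ‘iviewers.exe’ running outside a Windows Kits (SDK) directory as suspect; the event records are constructed.

```python
import ntpath
from dataclasses import dataclass

# Assumption: the legitimate SDK copy of the tool lives under a "Windows Kits" directory.
SDK_MARKER = "\\windows kits\\"


@dataclass
class ImageLoadEvent:
    host: str
    process_path: str      # executable that loaded the module
    module_path: str       # module that was loaded
    sibling_files: tuple   # files found in the executable's directory


def assess(event: ImageLoadEvent) -> list:
    """Return reasons this event matches the PlugX loader chain ([] if benign)."""
    proc_dir, proc_name = ntpath.split(event.process_path.lower())
    mod_dir, mod_name = ntpath.split(event.module_path.lower())
    if (proc_name, mod_name) != ("iviewers.exe", "iviewers.dll"):
        return []
    if SDK_MARKER in proc_dir + "\\":
        return []  # expected location of the SDK tool; nothing to report
    reasons = ["iviewers.exe executing outside the Windows SDK directory"]
    if mod_dir == proc_dir:
        reasons.append("iviewers.dll resolved from the application directory (DLL search order hijacking)")
    if "iviewers.dll.ui" in {f.lower() for f in event.sibling_files}:
        reasons.append("third-stage payload iviewers.dll.ui present alongside the loader")
    return reasons


def scan(events) -> dict:
    """Map each host with a hit to its list of reasons."""
    return {e.host: r for e in events if (r := assess(e))}


# Constructed sample telemetry: one legitimate SDK use, one planted chain, one unrelated load.
SAMPLE_EVENTS = [
    ImageLoadEvent("ws-01", "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\iviewers.exe",
                   "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\iviewers.dll",
                   ("iviewers.exe", "iviewers.dll")),
    ImageLoadEvent("srv-2003-01", "C:\\ProgramData\\iviewers.exe", "C:\\ProgramData\\iviewers.dll",
                   ("iviewers.exe", "iviewers.dll", "iviewers.dll.ui")),
    ImageLoadEvent("ws-02", "C:\\Windows\\System32\\notepad.exe",
                   "C:\\Windows\\System32\\kernel32.dll", ()),
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```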

When moving laterally to newer Windows versions, Velvet Ant tampered with the EDR product prior to installing PlugX. In one instance, the threat actor's attempt to disable the EDR product on a target workstation failed, leading to a decision not to proceed with PlugX installation. Impacket, an open-source collection of Python classes, was used for lateral tool transfer and remote code execution on hosts, specifically employing Impacket’s wmiexec.py for executing remote commands via Windows Management Instrumentation (WMI).

Days after eliminating Velvet Ant’s presence, the researchers detected new PlugX infections. Analysis revealed that there was no external C&C server configured. Instead, Velvet Ant reconfigured PlugX to use an internal file server as its C&C, blending the C&C traffic with legitimate internal network traffic.

This defense evasion technique indicated that Velvet Ant deployed two versions of PlugX within the network. The first version, with an external C&C server, was installed on endpoints with direct internet access for exfiltrating sensitive information. The second version, lacking an external C&C server, was deployed exclusively on legacy servers.
