A trio of threat activity clusters connected to China has been spotted compromising additional government institutions in Southeast Asia as part of a revived state-sponsored operation nicknamed Crimson Palace, suggesting an increase in the breadth of the espionage campaign.
Cybersecurity company Sophos, which has been monitoring the cyber attack, said it involves three intrusion sets identified as Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305). STAC is an acronym for "security threat activity cluster."
"The attackers consistently used other compromised organizational and public service networks in that region to deliver malware and tools under the guise of a trusted access point," security researchers Mark Parsons, Morgan Demboski, and Sean Gallagher said in a technical report shared with The Hacker News.
A notable aspect of the attacks is the use of an unnamed organization's network as a command-and-control (C2) relay point and a staging ground for tools. A second organization's compromised Microsoft Exchange Server is believed to have been leveraged to host malware.
Crimson Palace was initially reported by the cybersecurity organization in early June 2024, with the assaults taking place between March 2023 and April 2024.
While initial activity linked with Cluster Bravo, which overlaps with a threat group named Unfading Sea Haze, was restricted to March 2023, a second wave of attacks between January and June 2024 has been recorded targeting 11 additional organizations and agencies in the same region.
A set of new attacks orchestrated by Cluster Charlie, a cluster that's also referred to as Earth Longzhi, has been identified between September 2023 and June 2024. Some of these attacks also involve the deployment of different C2 frameworks, such as Cobalt Strike, Havoc, and XieBroC2, to facilitate post-exploitation and deliver additional payloads like SharpHound for Active Directory infrastructure mapping.
"Exfiltration of data of intelligence value was still an objective after the resumption of activity," the researchers added. "However, much of their effort appeared to be focused on re-establishing and extending their foothold on the target network by bypassing EDR software and rapidly re-establishing access when their C2 implants had been blocked."
Another notable aspect is Cluster Charlie's substantial reliance on DLL hijacking to execute malware, a technique previously used by the threat actors behind Cluster Alpha, suggesting a "cross-pollination" of approaches.
Some of the other open-source tools employed by the threat actor include RealBlindingEDR and Alcatraz, which allow terminating antivirus processes and obfuscating portable executable files (e.g., .exe, .dll, and .sys) in an attempt to evade detection.
Rounding out the cluster's malware arsenal is a previously undisclosed keylogger nicknamed TattleTale that was initially found in August 2023 and is capable of gathering Google Chrome and Microsoft Edge browser data.
"The malware can fingerprint the compromised system and check for mounted physical and network drives by impersonating a logged-on user," the researchers added.
"TattleTale also collects the domain controller name and steals the LSA (Local Security Authority) Query Information Policy, which is known to contain sensitive information related to password policies, security settings, and sometimes cached passwords."
In a nutshell, the three clusters work hand in hand, while each focusing on specific tasks in the attack chain: infiltrating target environments and conducting reconnaissance (Alpha), burrowing deep into the networks using various C2 mechanisms (Bravo), and exfiltrating valuable data (Charlie).
"Throughout the engagement, the adversary appeared to continually test and refine their techniques, tools, and practices," the researchers found. "As we deployed countermeasures for their bespoke malware, they combined the use of their custom-developed tools with generic, open-source tools often used by legitimate penetration testers, testing different combinations."