Crimson Palace Returns: Chinese State-Sponsored Cyber Espionage Operation Escalates with New Tools and Targets

Crimson Palace - Cluster Bravo

After a brief hiatus, the Crimson Palace operation, a Chinese state-directed cyber espionage campaign, has resurfaced, armed with new tactics and an expanded target list. According to the latest report from Sophos X-Ops, the operation, which primarily targets government entities in Southeast Asia, has re-emerged with a sophisticated arsenal of tools and techniques. The attackers are deploying novel malware and leveraging compromised networks to extend their foothold in the region.

One of the key components of the Crimson Palace operation is Cluster Charlie, a group that went dormant in August 2023 after Sophos successfully blocked its command-and-control (C2) tools. However, by September, the group had returned, adopting new strategies to evade detection. Among these is a previously undocumented keylogger named “TattleTale,” marking the beginning of a renewed phase of attacks.

Sophos’ Managed Detection and Response (MDR) teams have tracked a significant uptick in malicious activity from this cluster, including data exfiltration and advanced techniques aimed at evading endpoint detection and response (EDR) tools. Using open-source and off-the-shelf tools, the attackers have rapidly re-established their presence in several organizations, showcasing their ability to adapt and evolve.

Cluster Charlie’s comeback saw the use of a variety of tools and tactics to reassert control over targeted networks. They used web shells, custom malware loaders and the Havoc C2 framework to inject malicious payloads into systems and bypass defenses. The attackers also shifted to DLL hijacking and sideloading, abusing legitimate software to execute their malware under the radar of security systems.

One of the key findings in the report is the cross-pollination of tactics between the threat clusters involved in the operation. Cluster Charlie, for example, employed methods previously observed in Cluster Bravo and Cluster Alpha, underscoring the coordinated nature of the broader campaign.

Sophos’ analysis revealed that the attackers strategically exploited government and public service networks within the same region to stage their attacks. These networks served as trusted access points for delivering malware, a method that increased the success rate of their intrusions. In some cases, compromised Microsoft Exchange servers were used as staging grounds for further malware deployment.

The scope of the attacks is broad, impacting not only government agencies but also private organizations with government affiliations. The targeted entities span critical sectors, further highlighting the national security implications of the operation.

Another key development is the resurgence of Cluster Bravo, which was briefly active in early 2023. In the new phase of activity, Cluster Bravo has been observed on the networks of at least 11 additional organizations, leveraging compromised infrastructure for malware staging. This includes two private organizations with close government ties, suggesting that the attackers are broadening their focus.

From January to June 2024, Cluster Bravo launched attacks on a wide array of organizations, consistently using precise targeting methods to deploy malware. Their tactics involved carefully selecting compromised entities within the same vertical to host malicious tools, ensuring minimal detection and disruption to their operations.

The return of Cluster Charlie also introduced new efforts to evade security measures. The group employed web shells to take over web application servers, allowing them to execute commands remotely. The attackers injected malicious payloads into DLLs disguised as legitimate files, continuing their efforts to bypass EDR software. Notably, they leveraged the SharpHound tool for Active Directory mapping, gaining a deeper understanding of the network’s structure to facilitate lateral movement and data exfiltration.
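The DLL hijacking and sideloading activity described above (and in the earlier paragraph on Cluster Charlie’s comeback) leaves a characteristic trace: a DLL bearing the name of a well-known Windows library is loaded from somewhere other than the Windows system directories, typically from the same folder as the legitimate, signed executable that hosts it. The following is an added illustration, not code from the Sophos report or from any tool it names, of a simple triage rule over image-load telemetry. The event shape, the short list of watched DLL names and the sample events are all constructed assumptions for the example; a production rule would draw on a fuller catalogue and on the EDR’s actual event schema.

```python
"""Heuristic triage of image-load events for DLL sideloading.

Added example (not from the Sophos report or any named tool): flags a DLL
whose file name matches a well-known Windows system DLL but which was loaded
from outside the Windows system directories, the classic shape of DLL
search-order hijacking and sideloading.
"""
from dataclasses import dataclass
import ntpath

# Constructed allow-list: directories where system DLLs legitimately live.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# Constructed, illustrative set of DLL names frequently abused for
# sideloading; a real deployment would maintain a much longer list.
WATCHED_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}


@dataclass(frozen=True)
class ImageLoad:
    """Minimal image-load record (assumed schema, similar to Sysmon event 7)."""
    process: str   # full path of the process that loaded the DLL
    image: str     # full path of the loaded DLL
    signed: bool   # whether the DLL carries a valid Authenticode signature


def _dir_of(path: str) -> str:
    # Normalise to lower case and strip a trailing separator for comparison.
    return ntpath.dirname(path).lower().rstrip("\\")


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """Return True when the load looks like a hijacked/sideloaded system DLL."""
    name = ntpath.basename(ev.image).lower()
    if name not in WATCHED_DLLS:
        return False                      # not a DLL name we watch
    dll_dir = _dir_of(ev.image)
    if dll_dir in SYSTEM_DIRS:
        return False                      # loaded from its legitimate home
    # Loaded from elsewhere: flag if the DLL is unsigned, or if it sits next to
    # the host executable (the search-order position sideloading relies on).
    beside_host = dll_dir == _dir_of(ev.process)
    return (not ev.signed) or beside_host


def triage(events):
    """Return the subset of events worth an analyst's attention."""
    return [e for e in events if is_suspicious_sideload(e)]


# Constructed sample telemetry: one benign system load, one sideload next to a
# host binary in a user-writable folder, one vendor DLL that is not watched,
# and one signed system-named DLL redistributed away from the host process.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\Public\tool\legit.exe", r"C:\Users\Public\tool\version.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\vendor.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Common Files\wtsapi32.dll", True),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"suspicious sideload: {hit.process} loaded {hit.image}")
```

The rule deliberately stays quiet on signed copies of system-named DLLs that vendors redistribute elsewhere, and loud on the combination the report describes: a system-named DLL living beside the executable that loads it. Tuning the allow-list and the watched names to the environment is what keeps the false-positive rate workable.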

The report details how the attackers cycled through 28 unique combinations of C2 implants, shellcode loaders, and execution methods between November 2023 and May 2024, in an effort to test and evade Sophos’ detection capabilities. The use of RealBlindingEDR, a tool designed to disable EDR products, exemplifies the group’s commitment to avoiding detection at all costs.

The Crimson Palace operation shows no signs of slowing down. The sophistication of the techniques employed, combined with the attackers’ adaptability, suggests that organizations in Southeast Asia, particularly those in government and critical infrastructure sectors, will remain in the crosshairs of these cyber espionage efforts.
