A long-term, Chinese state-sponsored cyber-espionage operation dubbed “Crimson Palace” has been unearthed by security researchers.
The operation targeted a prominent government entity in Southeast Asia. It was discovered during an investigation by the Sophos Managed Detection and Response (MDR) team, triggered by the detection of a DLL sideloading technique that abused a legitimate VMware component, VMNat.exe, to load attacker-supplied code.
The investigation, spanning March to December 2023, revealed three distinct clusters of intrusion activity, named Cluster Alpha, Cluster Bravo and Cluster Charlie. These clusters were observed employing sophisticated evasion techniques and deploying various malware implants, including new variants such as CCoreDoor and PocoProxy and an updated version of the EAGERBEE malware.
The Sophos analysis indicates that the campaign’s primary objective was to maintain prolonged access to the target network for espionage purposes, including collecting sensitive military and technical information, and deploying malware for command-and-control (C2) communications.
The research also suggests a high likelihood of coordination among the clusters, indicating a concerted effort orchestrated by a single entity.
“While Sophos identified three distinct patterns of behavior, the timing of operations and overlaps in compromised infrastructure and objectives suggest at least some level of awareness and/or coordination between the clusters in the environment,” the company wrote.
The targeted organization’s limited visibility, due to partial deployment of Sophos endpoint protection, allowed the threat actors to operate stealthily within the network, with evidence suggesting access to unmanaged assets dating back to early 2022.
According to the advisory, the campaign’s infrastructure and techniques overlap with those of other Chinese state-sponsored threat actors, indicating a broader ecosystem of cyber-espionage.
“Though we are currently unable to perform high-confidence attribution or confirm the nature of the relationship between these clusters, our current investigation suggests that the clusters reflect the work of separate actors tasked by a central authority with parallel objectives in pursuit of Chinese state interests,” Sophos wrote.
The company also confirmed it has shared indicators and insights from the Crimson Palace campaign to aid further research and assist defenders in disrupting related activities.