Operation Crimson Palace: A Technical Deep Dive

June 6, 2024, 8:20 a.m.

Description

Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast Asia. Three distinct clusters of intrusion activity, designated Alpha, Bravo, and Charlie, were identified operating from at least March to December 2023. This report provides an in-depth technical analysis of the tactics, techniques, and procedures used by each cluster, including credential access, lateral movement, persistence mechanisms, command and control infrastructure, defense evasion tactics, and data exfiltration methods. It also details previous compromises observed within the same organization dating back to early 2022.

External References

https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_post-08-2023.csv
https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_prior_intrusions.csv
https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1305_charlie.csv
https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1870_bravo.csv
https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1248-alpha.csv
https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive/
https://otx.alienvault.com/pulse/66616b89c93e2fdea5783ecf
Tags
malware
cobalt strike
cyberespionage
lateral movement
intrusion
2024-06-06
impersoni-fake-ator
powheartbeat
credential access
pocoproxy
rudebird
phantomnet
ccoredoor
eagerbee
nupakage

Date

  • Created: June 6, 2024, 7:55 a.m.
  • Published: June 6, 2024, 7:55 a.m.
  • Modified: June 6, 2024, 8:20 a.m.

Indicators

  • fbe0851792629f86b1d5a599a6bc29d82b3248462bebd8e47ee698e4f510308f
  • fa7d4fb4b43e1672c7f4656cd4275c330c2e13aff8451d68e4f305e5e5aea395
  • f30b04a9ebc95c50fdc116260068d4d8da8005104b6366c29d0f24dbbf798957
  • e65645af3894ec55f0b55472302d288e860a10d97bc19b699facc400f778c4ee
  • e5620b4b6371b786c72e830dc24012354642b7067bd5902da7073ce0421456b7
  • e4b7a1372233aef6d495743bb726fcd5037d4e90e043085498c21587335d36c7
  • da9a53ff7486cf128e5ba80e66fcf3b1d8993d553bd9634ae8e90cbab31fd8da
  • d86790104f59b89edbdb1478f320d4589155d465d4710bcb57ff015383eefb38
  • cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272
  • c6e1bf2b7ac0fd3c34761099d2ec17fccd0604e2e62e94f297943260d15368ce
  • c36173f28bfd99db86533d5fdb0ce4dd565488ca56d4b9df1997ee9201b3b704
  • bdcedd81555c9c2eb9f4329626c27ec8c7b91a0f2a9f6e0c55dbcd3f99e82b5d
  • b32de9f4f2a9bd08063c72fa84d5d44be5a3bf7859bfb6ceaf093cd03ff0240f
  • a22b8ef40b8abe2bd7161f425484e82207f322fef1d0562de5bf98e2f642b477
  • 9ccf0e46f6aadbb20f4c269d8ac85cc9b4e6ce56bf226d45eda4347a20785c88
  • 8d54da0f807d771edb1197e463cdff8848651e14745c4c468386c31953c340ff
  • 8b16a3a3047f0eb93ef2b55613a76a9f5f19506428895a5ffbb3c1c44780aad7
  • 75403191ee834075ab5334e92bda8aab267545a03ed5ed3508db36f21f4acf50
  • 776d427a19d8389464f855b2f70e0ac11e896162a9f9b50bcb23f0f0aea5044f
  • 71ccc2c30dc43f20833c3e54d1fe86f8b68263d876461a3f7f7f8702e92cbe81
  • 6d94049b24c6ac2373d3b517515fcaeeb392458342bbb5ad4c4316e124805b5b
  • 609fc96700f49f7fdfa71248e642a4dfcd8b3d35f6da3b7c2ce7daad25a844a9
  • 5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655
  • 58a7be39056c2084bbb4aec9843db732dfe115ec4ee0c7cc4cf8884621b5142d
  • 52e248b9fb32ac3aaa4be4b41c66f1e7d9f2d4605aae98f20584f21ea1f33202
  • 5298c1aadac203285c8a95a4e3f62ec14b984729bf768a405c8028291e34fe1b
  • 4dd0debf03eeb938fbaca1f1fd391523358c23cbf18959a149c29133cc3c9cae
  • 4995b91badc8f9bf549548a734d3c14fa2a1c21080743484028b5362440808a0
  • 430bf24c9a7843895cb266b440c1f911ae600a7e6b8f3885d1c000622da52b2b
  • 3cc8e21798462468d3bc05ddef35a558fe0dff268c433d42bd01385155084f53
  • 299b1e82f6941cc049a16c7854230fb37c97af32e2cf5cb335495f42446dc43f
  • 2892aa48e12e72ba25c4caa9471b41ce316624ff98ed79f56e3c6b3a51026504
  • 1622ef497f2b767a43e25bcd9a9a629cbe7bed49cb27dc4f08fe0863730580d9
  • 101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86
  • f830c3771d35237b4a63b946d7a0d187f5aaa4240e965d74070b7d72b6fba210
  • f682323a2c543abbe12c21a77ee93b49444381fa33f76c67363c84764ca4c675
  • cca5ae87cd710a8fbf994addb0abc8bf1deb222214d4831289885de23ca98924
  • c1bec59afd3c6071b461bb480ff88ba7e36759a949f4850cc26f0c18e4c811a0
  • b708dd11942c3e87a8987bdf83f7ea603425ae75fc25a306f54f1087df4198b4
  • 56f0c8047203147d9b9a888ebac8f33b14ae198182a13913a0f93652dfe2052a
  • 506b21588541243f3ddd5acb759bf20a3bf06fd2fea455066866154bc5e59721
  • 4ae29b8124f6221dab934ac04afed2acc8b17c6b35120d568bad8658cbca01c6
  • f788d5c2c1bb2d88db09b727b3841155daf43ba81802b5faffec72640451fa4f
  • ea8c8f834523886b07d87e85e24f124391d69a738814a0f7c31132b6b712ed65
  • c1d818f18c7160807d9031e024fcc6429476d6455221e3aa988c6245269fbcc8
  • ad346007f28c4b6d409c95f55e750e249db4b168cd7061baa128f826df948e10
  • a1a8adae91daa96deb01326c702fec388d0fa983f299de3f1bdb8a277df64423
  • 91f40e8659da3dbbb22497b317aa37f26403be86662e359ecddcb4a0c72e154c
  • 7d6209036d370dbce7a0657f35dedeaa59c15fcfb4d696b9ebdd0fcc773dad50
  • 755b14ad83da2f2eff8ef8bf83ed74c6d96f6b3b3fde95d4c13d8cb75d861631
  • 62c9b97a849f40f4b5b167b96a54fa1ef03624ac8f2972b641af8ca5d00b5db0
  • 5f3fd50715aabf43cc6edb5f38026a3baa37a7fd7a17ae232fc65e186c83befb
  • 4fcbc598c5699ea48a1edd8dda065eab210f09ad900ab167cb5abdf9841dd2b7
  • 44e0c61f70f44e3a35ecde9b49a623973727d3aa68922ef4e1ff8dfc74795582
  • 3a85c36fff48b223f6edd722bc1603a1fd9b00d3e4d46a88151c4b1b696d90d1
  • 34294ff52899a63f2dc02e5a8f1488343afdb9702437d409a0869317ccfb4243
  • 1ad26a31c5387055610e053dbab8355e1371f89dfa37526f7a3341122526b719
  • edd0c859424ab953a92ef20cfc8b938f469253122485915d6de80d314b18b08f
  • dcc938af8fb2964a1f35adfb221de76ffc0bd0ccaac91455b3638fd4dc33e8c0
  • c679a2453697c51776b8a64d59fb8bf4172906e9a4f91b3872774bd05378d28c
  • a70e8317a608dd6ea0ad8564b089a153a7e3ab7ef763899d3d806141e820148e
  • 92e2dafb6d91ac7bc725e680d53cfbfcc854033d14f6e4807fd0169c605324d2
  • 55277d86c0707459500dbb16915665ae611d3a4e4597d51599ea8b8fe6f85f29
  • 0c3baa012cdb518982ec4ae954b395f3d6b9544ead8e050370219fa584f74f3c
  • f499f8d9584e5f4474b19324b807a38fec1c1d38d5df2ff4c1e16798311bc25b
  • e9cb02690d987de8d392d0e24b3ccbb294c751dff73962135913c7ec0d8a8064
  • e8cd237ac43fa0505d858ac8eb800020eeca104a1cd931d3b6d0ef656ee5393d
  • c1abc254d231574044ffe7bdd030be04618916f255396197f1151bfec98c04b6
  • c06065d3de3bfb37168a5d94baf1c675f831a201937ef774a36c2ea2bf6fc49e
  • bbc0fe549a9e902528a125abd13b1f7c53746416d9c9bb91f88877f37a4ce11c
  • b05b92fd84cc3e3bd6378cadbe9b8b2cb926c42383e6194be1df44d1b9202fc1
  • 951c7f8fdb6cfc8b362615ab1eec4a07dc8fccfd3a7ecda8255908a93b6a1f21
  • 9404f51ccaf4165e6add08344f04b90ae79a045814d6b1de6b6c1e30981faa78
  • 7ed44a0e548ba9a3adc1eb4fbf49e773bd9c932f95efc13a092af5bed30d3595
  • 68ee8c2209641a6796e06caa115effcb89f722a5737210b5bebb87a36e5141a8
  • 47c4a62fe75aa62906f0b110668e17947e905a33759100de21b987879b47183b
  • 2a662b58f1dd229e7dba923a4d123658e3c10c0cfcec03748fbe577db81db34d
  • 1b97afb3310b3af944f74c2d715c110cec32ec536c0a9837b8c88df3438b2a63
  • 173bb620ed2eee6b356e128da88e173eb1b69253ecd616f8f984087688c089fd
  • 110c5eec940f3abb8b3a671cd292bc9ef65772168325a7949290e9828353824a
  • 0e010a36ff24299592569f7c3fc01c597e158996d94b66eb3bbf757742663e76
  • 01544aeb502163c4fb7bac483430059183ce3d11aee78cd4a6c7074c5289540e
  • 66.42.56.233
  • 64.176.37.107
  • 45.9.191.183
  • 45.77.46.245
  • 45.15.143.151
  • 198.244.237.13
  • 192.142.18.25
  • 191.96.53.132
  • 178.128.221.202
  • 145.14.158.235
  • 141.136.44.219
  • 123.253.35.100
  • 103.56.5.224
  • 49.157.28.114
  • 192.142.18.27
  • 192.142.18.15
  • 107.148.41.114
  • 45.130.229.181
  • 185.201.8.187
  • 91.220.202.143
  • 89.44.197.74
  • 45.90.58.103
  • 185.195.237.121
  • 64.176.50.42
  • 195.123.247.50
  • 195.123.245.79
  • 185.82.217.164
  • 185.195.237.123
  • 185.167.116.30
  • 158.247.241.188
  • 154.39.137.29
  • 147.139.47.141
  • 146.190.93.250
  • 139.180.217.105
  • 139.162.18.97
  • www.hpupdate.net
  • https://www.hpupdate.net/us-en/drivers/printers
  • www.msudapis.info
  • www.googlespeedtest33.com
  • https://cloud.keepasses.com
  • test1.zhangliyong.cn
  • hpupdate.net
  • gsenergyspeedtest.com
  • gandeste.net
  • dmsz.org
  • cancelle.net
  • scancenter.trendrealtime.com
  • associate.freeonlinelearning.com
  • cloud.keepasses.com
  • cloud.gti.mc
  • associate.freeonlinelearningtech.com
  • associate.feedfoodconcerning.info
  • networkdevice.sc
  • msudapis.info
  • dnsspeedtest2022.com
  • message.ooguy.com
Download all indicators here!

Attack Patterns

  • PocoProxy
  • RUDEBIRD
  • PowHeartBeat
  • PhantomNet
  • CCoreDoor
  • EAGERBEE
  • NUPAKAGE
  • Cobalt Strike - S0154
  • Impersoni-Fake-Ator
  • Chinese state actors

Additional Informations

  • Government