Operation Crimson Palace: A Technical Deep Dive

June 6, 2024, 8:20 a.m.

Description

Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast Asia. Three distinct clusters of intrusion activity, designated Alpha, Bravo, and Charlie, were identified operating from at least March to December 2023. This report provides an in-depth technical analysis of the tactics, techniques, and procedures used by each cluster, including credential access, lateral movement, persistence mechanisms, command and control infrastructure, defense evasion tactics, and data exfiltration methods. It also details previous compromises observed within the same organization dating back to early 2022.

Date

Published: June 6, 2024, 7:55 a.m.
Created: June 6, 2024, 7:55 a.m.
Modified: June 6, 2024, 8:20 a.m.

Indicators

Attack Patterns

PocoProxy

RUDEBIRD

PowHeartBeat

PhantomNet

CCoreDoor

EAGERBEE

NUPAKAGE

Cobalt Strike - S0154

Impersoni-Fake-Ator

Chinese state actors

T1207

T1018

T1012

T1087

T1021

T1574

T1105

T1543

T1055

T1569

T1036

T1033

T1027

T1003

T1059

Additional Information

Government