Saturday, December 14, 2024
HomeCyber Security NewsCrimson Palace Returns With New Hacking Tolls And Tactics

Crimson Palace Returns With New Hacking Tolls And Tactics

Published on

SIEM as a Service

Cluster Bravo, despite its brief initial activity, subsequently targeted 11 organizations in the same region, as researchers found that these attackers used compromised environments within the same vertical for malware staging. 

Cluster Charlie, after being disrupted, returned with new techniques, including using the HUI loader to inject Cobalt Strike beacons into mstsc.exe. 

They employed open-source tools and leveraged techniques from other threat clusters to re-establish their presence and bypass EDR software by shifting their primary focus to re-establishing and extending their foothold on the target network.

- Advertisement - SIEM as a Service
Stage 2 Timeline

Threat actors switched tactics after Sophos blocked their C2 tools by leveraging stolen credentials to deploy web shells for reconnaissance and DLL sideloading.

Open-source tools like Havoc and SharpHound were used for further intel gathering on Active Directory and network layout. 

Attackers also adopted tactics from other threat clusters, like using Impacket atexec on unmanaged devices for remote execution and lateral movement, highlighting a potential overarching organization behind these activities.  

A map of the flow of attack chains used by the threat actor during the second phase of the intrusion

The APT actor leveraged stolen credentials and a web shell to inject a malicious DLL into a legitimate Windows process and then performed reconnaissance tasks by querying Windows Defender exclusion paths, Sophos security policies, and Active Directory infrastructure using SharpHound. 

The actor also used the compromised credentials to move laterally and establish persistence on a hypervisor by creating a scheduled task to execute another malicious DLL.  

In December 2023, Cluster Charlie attackers compromised administrator credentials and user data and conducted reconnaissance. In 2024, they rapidly cycled through C2 channels and deployment methods likely to evade detection. 

The continued threat activity in 2024  

Their tactics included deploying modified versions of legitimate tools like RealBlindingEDR (asoc.exe, ssoc.exe) to disable endpoint protection via a vulnerability (CVE-2023-38817) in an anti-cheat tool (Echo.ac) and tamper with kernel routines. 

In February and March 2024, a threat actor was observed rapidly changing tactics and tools to evade detection by switching C2 implants (Havoc, Cobalt Strike) and frameworks (Havoc, XieBroC2) while using Donut shellcode loaders to inject malicious payloads. 

 A screenshot of the TattleTale malware command line

They also abused legitimate executables (jcef_helper.exe, jconsole.exe) to sideload malicious DLLs (libcef.dll, jli.dll) for further obfuscation and persistence. 

The DLLs sometimes checked for debuggers and security tools before injecting payloads and connecting to C2 servers in Cyprus, the United States, Japan, and Singapore.

In April, attackers abused legitimate apps (identity_helper.exe) to sideload malicious DLLs (Havoc implants) and a custom keylogger (TattleTale, steals LSA info, browser data) and also deployed another keylogger (r1.exe) to disable EDR and access Chrome data, while in June, they used Impacket to install a Cloudflared tunnel after disabling endpoint protection.  

The threat actors behind this ongoing cyberespionage campaign continue to target Sophos customers in the same region by constantly evolving their tactics and tools, using a mix of custom and open-source tools to bypass security measures. 

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...