A suspected China-nexus cyber espionage actor has been attributed as behind a prolonged attack against an unnamed organization located in East Asia for a period of about three years, with the adversary establishing persistence using legacy F5 BIG-IP appliances and using it as an internal command-and-control (C&C) for defense evasion purposes.
Cybersecurity company Sygnia, which responded to the intrusion in late 2023, is tracking the activity under the name Velvet Ant, characterizing it as possessing robust capabilities to swiftly pivot and adapt their tactics to counter-remediation efforts.
“Velvet Ant is a sophisticated and innovative threat actor,” the Israeli company said in a technical report shared with The Hacker News. “They collected sensitive information over a long period of time, focusing on customer and financial information.”
The attack chains involve the use of a known backdoor called PlugX (aka Korplug), a modular remote access trojan (RAT) that has been widely put to use by espionage operators with ties to Chinese interests. PlugX is known to rely heavily on a technique called DLL side-loading to infiltrate devices.
Sygnia said it also identified attempts on the part of the threat actor to disable endpoint security software prior to installing PlugX, with open-source tools like Impacket used for lateral movement.
Also identified as part of the incident response and remediation efforts was a reworked variant of PlugX that used an internal file server for C&C, thereby allowing the malicious traffic to blend in with legitimate network activity.
“This meant that the threat actor deployed two versions of PlugX within the network,” the company noted. “The first version, configured with an external C&C server, was installed on endpoints with direct internet access, facilitating the exfiltration of sensitive information. The second version did not have a C&C configuration, and was deployed exclusively on legacy servers.”
In particular, the second variant was found to have abused out-of-date F5 BIG-IP devices as a covert channel to communicate with the external C&C server by issuing commands over a reverse SSH tunnel, once again highlighting how compromising edge appliances can allow threat actors to gain persistence for extended periods of time.
“There is just one thing that is required for a mass exploitation incident to occur, and that is a vulnerable edge service, meaning a piece of software that is accessible from the internet,” WithSecure said in a recent analysis.
“Devices such as these are often intended to make a network more secure, yet time and again vulnerabilities have been discovered in such devices and exploited by attackers, providing a perfect foothold in a target network.”
Subsequent forensic analysis of the hacked F5 devices has also uncovered the presence of a tool named PMCD that polls the threat actor’s C&C server every 60 minutes to look for commands to execute, as well as additional programs for capturing network packets and SOCKS tunneling utility dubbed EarthWorm that has used by actors like Gelsemium and Lucky Mouse.
The exact initial access vector – whether it’s spear-phishing or exploitation of known security flaws in internet-exposed systems – used to breach the target environment is currently not known.
The development follows the emergence of new China-linked clusters tracked as Unfading Sea Haze, Operation Diplomatic Specter, and Operation Crimson Palace which have been observed targeting Asia with the goal of gathering sensitive information.
