Pulse Detail — Threat Intelligence

PULSE NAME

Operation Crimson Palace: A Technical Deep Dive

WHITE Chinese state actors AlienVault 2024-06-06 Modified: 2024-07-06

127

IOCs

HIGH VOLUME

Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast Asia. Three distinct clusters of intrusion activity, designated Alpha, Bravo, and Charlie, were identified operating from at least March to December 2023. This report provides an in-depth technical analysis of the tactics, techniques, and procedures used by each cluster, including credential access, lateral movement, persistence mechanisms, command and control infrastructure, defense evasion tactics, and data exfiltration methods. It also details previous compromises observed within the same organization dating back to early 2022.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1033 T1003 T1543 T1036 T1055 T1021 T1207 T1087 T1059 T1574 T1027 T1012 T1569 T1018 T1105

MALWARE FAMILIES

NUPAKAGE EAGERBEE CCoreDoor PhantomNet PowHeartBeat RUDEBIRD Impersoni-Fake-Ator PocoProxy Cobalt Strike - S0154

Indicators of Compromise (127)

All URL domain hostname FileHash-MD5 FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	https://cloud.keepasses.com	—	2024-06-06
domain	dnsspeedtest2022.com	—	2024-06-06
domain	msudapis.info	—	2024-06-06
domain	networkdevice.sc	—	2024-06-06
hostname	associate.feedfoodconcerning.info	—	2024-06-06
hostname	associate.freeonlinelearningtech.com	—	2024-06-06
hostname	cloud.gti.mc	—	2024-06-06
hostname	cloud.keepasses.com	—	2024-06-06
hostname	message.ooguy.com	—	2024-06-06
hostname	www.googlespeedtest33.com	—	2024-06-06
hostname	www.msudapis.info	—	2024-06-06
FileHash-MD5	8f3862191232959fc941afd4c2943b86	—	2024-06-06
FileHash-MD5	ce74b7b305b8f6e8ef650e348118e902	—	2024-06-06
FileHash-MD5	e09c9841d8d9f77cde35499f083ef752	—	2024-06-06
FileHash-MD5	e397775e130add76d0140c413efd183f	—	2024-06-06
FileHash-SHA1	78e281e3246fa64c58b97fad2dd8420b259f26ec	—	2024-06-06
FileHash-SHA1	b5263b23ee594e06f42dfe95266dbc2d5d394a29	—	2024-06-06
FileHash-SHA1	bf1993403d7e4e0951cea1e337c0dadc2cd68429	—	2024-06-06
FileHash-SHA1	edc93c5d1fa686eea9e264905b2840bfe699e3fd	—	2024-06-06
FileHash-SHA256	01544aeb502163c4fb7bac483430059183ce3d11aee78cd4a6c7074c5289540e	—	2024-06-06
FileHash-SHA256	0e010a36ff24299592569f7c3fc01c597e158996d94b66eb3bbf757742663e76	—	2024-06-06
FileHash-SHA256	110c5eec940f3abb8b3a671cd292bc9ef65772168325a7949290e9828353824a	—	2024-06-06
FileHash-SHA256	173bb620ed2eee6b356e128da88e173eb1b69253ecd616f8f984087688c089fd	—	2024-06-06
FileHash-SHA256	1b97afb3310b3af944f74c2d715c110cec32ec536c0a9837b8c88df3438b2a63	—	2024-06-06
FileHash-SHA256	2a662b58f1dd229e7dba923a4d123658e3c10c0cfcec03748fbe577db81db34d	—	2024-06-06
FileHash-SHA256	47c4a62fe75aa62906f0b110668e17947e905a33759100de21b987879b47183b	—	2024-06-06
FileHash-SHA256	68ee8c2209641a6796e06caa115effcb89f722a5737210b5bebb87a36e5141a8	—	2024-06-06
FileHash-SHA256	7ed44a0e548ba9a3adc1eb4fbf49e773bd9c932f95efc13a092af5bed30d3595	—	2024-06-06
FileHash-SHA256	9404f51ccaf4165e6add08344f04b90ae79a045814d6b1de6b6c1e30981faa78	—	2024-06-06
FileHash-SHA256	951c7f8fdb6cfc8b362615ab1eec4a07dc8fccfd3a7ecda8255908a93b6a1f21	—	2024-06-06
FileHash-SHA256	b05b92fd84cc3e3bd6378cadbe9b8b2cb926c42383e6194be1df44d1b9202fc1	—	2024-06-06
FileHash-SHA256	bbc0fe549a9e902528a125abd13b1f7c53746416d9c9bb91f88877f37a4ce11c	—	2024-06-06
FileHash-SHA256	c06065d3de3bfb37168a5d94baf1c675f831a201937ef774a36c2ea2bf6fc49e	—	2024-06-06
FileHash-SHA256	c1abc254d231574044ffe7bdd030be04618916f255396197f1151bfec98c04b6	—	2024-06-06
FileHash-SHA256	e8cd237ac43fa0505d858ac8eb800020eeca104a1cd931d3b6d0ef656ee5393d	—	2024-06-06
FileHash-SHA256	e9cb02690d987de8d392d0e24b3ccbb294c751dff73962135913c7ec0d8a8064	—	2024-06-06
FileHash-SHA256	f499f8d9584e5f4474b19324b807a38fec1c1d38d5df2ff4c1e16798311bc25b	—	2024-06-06
hostname	associate.freeonlinelearning.com	—	2024-06-06
hostname	scancenter.trendrealtime.com	—	2024-06-06
FileHash-SHA256	0c3baa012cdb518982ec4ae954b395f3d6b9544ead8e050370219fa584f74f3c	—	2024-06-06
FileHash-SHA256	55277d86c0707459500dbb16915665ae611d3a4e4597d51599ea8b8fe6f85f29	—	2024-06-06
FileHash-SHA256	92e2dafb6d91ac7bc725e680d53cfbfcc854033d14f6e4807fd0169c605324d2	—	2024-06-06
FileHash-SHA256	a70e8317a608dd6ea0ad8564b089a153a7e3ab7ef763899d3d806141e820148e	—	2024-06-06
FileHash-SHA256	c679a2453697c51776b8a64d59fb8bf4172906e9a4f91b3872774bd05378d28c	—	2024-06-06
FileHash-SHA256	dcc938af8fb2964a1f35adfb221de76ffc0bd0ccaac91455b3638fd4dc33e8c0	—	2024-06-06
FileHash-SHA256	edd0c859424ab953a92ef20cfc8b938f469253122485915d6de80d314b18b08f	—	2024-06-06
FileHash-MD5	054a32d6033b1744dca7f49b2e466ea2	—	2024-06-06
FileHash-MD5	3ac3d514f4600611af8cb83e50e3e9a1	—	2024-06-06
FileHash-SHA1	c85c9a09cd1cb1691da0d96772391be6ddba3555	—	2024-06-06
FileHash-SHA1	e3ec286eb20ed6b62b222d21f6419f7d92cc7ef4	—	2024-06-06
FileHash-SHA256	1ad26a31c5387055610e053dbab8355e1371f89dfa37526f7a3341122526b719	—	2024-06-06
FileHash-SHA256	34294ff52899a63f2dc02e5a8f1488343afdb9702437d409a0869317ccfb4243	—	2024-06-06
FileHash-SHA256	3a85c36fff48b223f6edd722bc1603a1fd9b00d3e4d46a88151c4b1b696d90d1	—	2024-06-06
FileHash-SHA256	44e0c61f70f44e3a35ecde9b49a623973727d3aa68922ef4e1ff8dfc74795582	—	2024-06-06
FileHash-SHA256	4fcbc598c5699ea48a1edd8dda065eab210f09ad900ab167cb5abdf9841dd2b7	—	2024-06-06
FileHash-SHA256	5f3fd50715aabf43cc6edb5f38026a3baa37a7fd7a17ae232fc65e186c83befb	—	2024-06-06
FileHash-SHA256	62c9b97a849f40f4b5b167b96a54fa1ef03624ac8f2972b641af8ca5d00b5db0	—	2024-06-06
FileHash-SHA256	755b14ad83da2f2eff8ef8bf83ed74c6d96f6b3b3fde95d4c13d8cb75d861631	—	2024-06-06
FileHash-SHA256	7d6209036d370dbce7a0657f35dedeaa59c15fcfb4d696b9ebdd0fcc773dad50	—	2024-06-06
FileHash-SHA256	91f40e8659da3dbbb22497b317aa37f26403be86662e359ecddcb4a0c72e154c	—	2024-06-06
FileHash-SHA256	a1a8adae91daa96deb01326c702fec388d0fa983f299de3f1bdb8a277df64423	—	2024-06-06
FileHash-SHA256	ad346007f28c4b6d409c95f55e750e249db4b168cd7061baa128f826df948e10	—	2024-06-06
FileHash-SHA256	c1d818f18c7160807d9031e024fcc6429476d6455221e3aa988c6245269fbcc8	—	2024-06-06
FileHash-SHA256	ea8c8f834523886b07d87e85e24f124391d69a738814a0f7c31132b6b712ed65	—	2024-06-06
FileHash-SHA256	f788d5c2c1bb2d88db09b727b3841155daf43ba81802b5faffec72640451fa4f	—	2024-06-06
FileHash-MD5	26a3762b49b1c6c04c859dd4305e4f95	—	2024-06-06
FileHash-SHA1	5d36b4531c300363e9f3c4183fae028c309ca157	—	2024-06-06
FileHash-SHA256	4ae29b8124f6221dab934ac04afed2acc8b17c6b35120d568bad8658cbca01c6	—	2024-06-06
FileHash-SHA256	506b21588541243f3ddd5acb759bf20a3bf06fd2fea455066866154bc5e59721	—	2024-06-06
FileHash-SHA256	56f0c8047203147d9b9a888ebac8f33b14ae198182a13913a0f93652dfe2052a	—	2024-06-06
FileHash-SHA256	b708dd11942c3e87a8987bdf83f7ea603425ae75fc25a306f54f1087df4198b4	—	2024-06-06
FileHash-SHA256	c1bec59afd3c6071b461bb480ff88ba7e36759a949f4850cc26f0c18e4c811a0	—	2024-06-06
FileHash-SHA256	cca5ae87cd710a8fbf994addb0abc8bf1deb222214d4831289885de23ca98924	—	2024-06-06
FileHash-SHA256	f682323a2c543abbe12c21a77ee93b49444381fa33f76c67363c84764ca4c675	—	2024-06-06
FileHash-SHA256	f830c3771d35237b4a63b946d7a0d187f5aaa4240e965d74070b7d72b6fba210	—	2024-06-06
FileHash-MD5	57b51418a799d2d016be546f399c2e9b	—	2024-06-06
FileHash-MD5	5e83b6ed422399de04408b80f3e5470e	—	2024-06-06
FileHash-MD5	609aa4fe6955ee8fadaabbbcda229376	—	2024-06-06
FileHash-MD5	8a0af14818eb5d6041d6988af1cf586d	—	2024-06-06
FileHash-MD5	aaf1146ec9c633c4c3fbe8091f1596d8	—	2024-06-06
FileHash-SHA1	a5059f5a353d7fa5014c0584c7ec18b808c2a02c	—	2024-06-06
FileHash-SHA1	aeed35a4d6a958a159934a7067b342b1d26630bc	—	2024-06-06
FileHash-SHA1	d8a4b7e911bc8d2611caeea3183acede65a9eeb7	—	2024-06-06
FileHash-SHA1	e1f0f31aff1267564ceab9b27449b8279d050ff9	—	2024-06-06
FileHash-SHA1	eeab6782b7418c03602419fc74b5975a9054a22d	—	2024-06-06
FileHash-SHA256	101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86	—	2024-06-06
FileHash-SHA256	1622ef497f2b767a43e25bcd9a9a629cbe7bed49cb27dc4f08fe0863730580d9	—	2024-06-06
FileHash-SHA256	2892aa48e12e72ba25c4caa9471b41ce316624ff98ed79f56e3c6b3a51026504	—	2024-06-06
FileHash-SHA256	299b1e82f6941cc049a16c7854230fb37c97af32e2cf5cb335495f42446dc43f	—	2024-06-06
FileHash-SHA256	3cc8e21798462468d3bc05ddef35a558fe0dff268c433d42bd01385155084f53	—	2024-06-06
FileHash-SHA256	430bf24c9a7843895cb266b440c1f911ae600a7e6b8f3885d1c000622da52b2b	—	2024-06-06
FileHash-SHA256	4995b91badc8f9bf549548a734d3c14fa2a1c21080743484028b5362440808a0	—	2024-06-06
FileHash-SHA256	4dd0debf03eeb938fbaca1f1fd391523358c23cbf18959a149c29133cc3c9cae	—	2024-06-06
FileHash-SHA256	5298c1aadac203285c8a95a4e3f62ec14b984729bf768a405c8028291e34fe1b	—	2024-06-06
FileHash-SHA256	52e248b9fb32ac3aaa4be4b41c66f1e7d9f2d4605aae98f20584f21ea1f33202	—	2024-06-06
FileHash-SHA256	58a7be39056c2084bbb4aec9843db732dfe115ec4ee0c7cc4cf8884621b5142d	—	2024-06-06
FileHash-SHA256	5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655	—	2024-06-06
FileHash-SHA256	609fc96700f49f7fdfa71248e642a4dfcd8b3d35f6da3b7c2ce7daad25a844a9	—	2024-06-06
FileHash-SHA256	6d94049b24c6ac2373d3b517515fcaeeb392458342bbb5ad4c4316e124805b5b	—	2024-06-06
FileHash-SHA256	71ccc2c30dc43f20833c3e54d1fe86f8b68263d876461a3f7f7f8702e92cbe81	—	2024-06-06
FileHash-SHA256	75403191ee834075ab5334e92bda8aab267545a03ed5ed3508db36f21f4acf50	—	2024-06-06
FileHash-SHA256	776d427a19d8389464f855b2f70e0ac11e896162a9f9b50bcb23f0f0aea5044f	—	2024-06-06
FileHash-SHA256	8b16a3a3047f0eb93ef2b55613a76a9f5f19506428895a5ffbb3c1c44780aad7	—	2024-06-06
FileHash-SHA256	8d54da0f807d771edb1197e463cdff8848651e14745c4c468386c31953c340ff	—	2024-06-06
FileHash-SHA256	9ccf0e46f6aadbb20f4c269d8ac85cc9b4e6ce56bf226d45eda4347a20785c88	—	2024-06-06
FileHash-SHA256	a22b8ef40b8abe2bd7161f425484e82207f322fef1d0562de5bf98e2f642b477	—	2024-06-06
FileHash-SHA256	b32de9f4f2a9bd08063c72fa84d5d44be5a3bf7859bfb6ceaf093cd03ff0240f	—	2024-06-06
FileHash-SHA256	bdcedd81555c9c2eb9f4329626c27ec8c7b91a0f2a9f6e0c55dbcd3f99e82b5d	—	2024-06-06
FileHash-SHA256	c36173f28bfd99db86533d5fdb0ce4dd565488ca56d4b9df1997ee9201b3b704	—	2024-06-06
FileHash-SHA256	c6e1bf2b7ac0fd3c34761099d2ec17fccd0604e2e62e94f297943260d15368ce	—	2024-06-06
FileHash-SHA256	cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272	—	2024-06-06
FileHash-SHA256	d86790104f59b89edbdb1478f320d4589155d465d4710bcb57ff015383eefb38	—	2024-06-06
FileHash-SHA256	da9a53ff7486cf128e5ba80e66fcf3b1d8993d553bd9634ae8e90cbab31fd8da	—	2024-06-06
FileHash-SHA256	e4b7a1372233aef6d495743bb726fcd5037d4e90e043085498c21587335d36c7	—	2024-06-06
FileHash-SHA256	e5620b4b6371b786c72e830dc24012354642b7067bd5902da7073ce0421456b7	—	2024-06-06
FileHash-SHA256	e65645af3894ec55f0b55472302d288e860a10d97bc19b699facc400f778c4ee	—	2024-06-06
FileHash-SHA256	f30b04a9ebc95c50fdc116260068d4d8da8005104b6366c29d0f24dbbf798957	—	2024-06-06
FileHash-SHA256	fa7d4fb4b43e1672c7f4656cd4275c330c2e13aff8451d68e4f305e5e5aea395	—	2024-06-06
FileHash-SHA256	fbe0851792629f86b1d5a599a6bc29d82b3248462bebd8e47ee698e4f510308f	—	2024-06-06
URL	https://www.hpupdate.net/us-en/drivers/printers	—	2024-06-06
domain	cancelle.net	—	2024-06-06
domain	dmsz.org	—	2024-06-06
domain	gandeste.net	—	2024-06-06
domain	gsenergyspeedtest.com	—	2024-06-06
domain	hpupdate.net	—	2024-06-06
hostname	test1.zhangliyong.cn	—	2024-06-06
hostname	www.hpupdate.net	—	2024-06-06

References (6)

↗ https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive/ ↗ https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1248-alpha.csv ↗ https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1870_bravo.csv ↗ https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1305_charlie.csv ↗ https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_prior_intrusions.csv ↗ https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_post-08-2023.csv