Crimson Palace returns: New Tools, Tactics, and Targets

    Date: 09/13/2024

    Severity: High

    Summary

    Following a brief pause, Sophos X-Ops is back to monitoring what we confidently identify as a Chinese state-directed cyberespionage campaign against a key Southeast Asian government agency. During our investigation of this activity, known as Operation Crimson Palace, Sophos MDR uncovered evidence of further compromises affecting additional regional government organizations. We also detected similar malicious activity from these threat clusters targeting other local organizations, with attackers using compromised networks to deliver malware disguised as trusted access points.

    Indicators of Compromise (IOC) List

    Domains / URLs

    cancelle.net

    zhangliyong.cn

    https://www.hpupdate.net/us-en/drivers/printers

    dmsz.org

    gsenergyspeedtest.com

    gandeste.net

    www.pmshyptest.com

    hpupdate.net

    test1.zhangliyong.cn

    pmshyptest.com

    www.hpupdate.net

    IP Addresses

    192.142.18.15

    95.179.249.205

    145.14.158.235

    49.157.28.114

    192.142.18.27

    45.9.191.183

    192.142.18.25

    128.199.107.213

    64.176.50.42

    45.15.143.151

    66.42.56.233

    141.136.44.219

    103.56.5.224

    103.19.16.248

    191.96.53.132

    45.77.46.245

    107.148.41.114

    123.253.35.100

    178.128.221.202

    198.13.47.158

    198.244.237.13

    64.176.37.107

    Hashes (SHA-256)

    2a0e0be49851b489922e8aa35fee34475289453be6c5eb2a693681166f5eb986
    
    5298c1aadac203285c8a95a4e3f62ec14b984729bf768a405c8028291e34fe1b
    
    5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655
    
    c2d5d068e4a61ed0eaaca693af354c010f60f89eb119c55af47dbe3741f25635
    
    9ccf0e46f6aadbb20f4c269d8ac85cc9b4e6ce56bf226d45eda4347a20785c88
    
    101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86
    
    4dd0debf03eeb938fbaca1f1fd391523358c23cbf18959a149c29133cc3c9cae
    
    d86790104f59b89edbdb1478f320d4589155d465d4710bcb57ff015383eefb38
    
    ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9
    
    cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272
    
    1622ef497f2b767a43e25bcd9a9a629cbe7bed49cb27dc4f08fe0863730580d9
    
    3414b510afa61ad74f4ec44b3838fa0fbb860b29b5b7173c8043656b49fbe14e
    
    34c6e8032de4b2df6ed7f8b4cd70080e9b3f04e51ff1dc843a1e5c4802e0c97b
    
    3cc8e21798462468d3bc05ddef35a558fe0dff268c433d42bd01385155084f53
    
    430bf24c9a7843895cb266b440c1f911ae600a7e6b8f3885d1c000622da52b2b
    
    4600ddd81ccc18eca2b1bc272250b14217d866dee2a11e168b6122c1adb1ea64
    
    4918373df7ad23598952030446e0c2dadde314c492567a6b1b329d9f1bd64398
    
    4995b91badc8f9bf549548a734d3c14fa2a1c21080743484028b5362440808a0
    
    4d31b846e488a7da8a33fb651d3c9b14fbadaa3dd6e356873ea540df2dc61bed
    
    58a7be39056c2084bbb4aec9843db732dfe115ec4ee0c7cc4cf8884621b5142d
    
    58ed0463d4cb393cd09198a6409591b39cae06bb0ba5f5d760186de88410f6b8
    
    5be520962b2f60beebbb7676df1a1e3d3cc14b83aa1cd7b61b8721e605a1f1df
    
    609fc96700f49f7fdfa71248e642a4dfcd8b3d35f6da3b7c2ce7daad25a844a9
    
    636761ea5d7732b53ba7b93d9f709148a9fec411e7ddf6f786083666340cf1de
    
    64e14eea061c4fc335b22e9755fd9abdb0ea74799063336e32d7b4cac9c30181
    
    75403191ee834075ab5334e92bda8aab267545a03ed5ed3508db36f21f4acf50
    
    776d427a19d8389464f855b2f70e0ac11e896162a9f9b50bcb23f0f0aea5044f
    
    7f4e1fad9d38da7e8197ddf0e21ebb9c3990b012b249d4a5b93c4c518bb307cd
    
    8b16a3a3047f0eb93ef2b55613a76a9f5f19506428895a5ffbb3c1c44780aad7
    
    8d54da0f807d771edb1197e463cdff8848651e14745c4c468386c31953c340ff
    
    9fcca5f936bb624915b1849b5ef873d17e2db666155ce96a84708d95a61e9272
    
    a22b8ef40b8abe2bd7161f425484e82207f322fef1d0562de5bf98e2f642b477
    
    b2796c7478af4eba2680038c60a76ca9949396ca9201bf0927285918f949d51f
    
    b32de9f4f2a9bd08063c72fa84d5d44be5a3bf7859bfb6ceaf093cd03ff0240f
    
    b67d50652be6be9997b4b0fe386964a89ed7df078577929aff0910f774b03996
    
    bdcedd81555c9c2eb9f4329626c27ec8c7b91a0f2a9f6e0c55dbcd3f99e82b5d
    
    c36173f28bfd99db86533d5fdb0ce4dd565488ca56d4b9df1997ee9201b3b704
    
    c6e1bf2b7ac0fd3c34761099d2ec17fccd0604e2e62e94f297943260d15368ce
    
    ce5f46132a6b926efa4f1582fb00312257f119951fee53e7d6c2f0158549aaff
    
    da9a53ff7486cf128e5ba80e66fcf3b1d8993d553bd9634ae8e90cbab31fd8da
    
    e4b7a1372233aef6d495743bb726fcd5037d4e90e043085498c21587335d36c7
    
    e5620b4b6371b786c72e830dc24012354642b7067bd5902da7073ce0421456b7
    
    e65645af3894ec55f0b55472302d288e860a10d97bc19b699facc400f778c4ee
    
    f30b04a9ebc95c50fdc116260068d4d8da8005104b6366c29d0f24dbbf798957
    
    f3aad172641ce28c698d6c0fc8faeb2bb6d2eb7988019db6a113796371235ccf
    
    f6e0810b7d342cddc775cd7a64d13f55a50a926a4f99beb93bc47a2b6822483d
    
    fa7d4fb4b43e1672c7f4656cd4275c330c2e13aff8451d68e4f305e5e5aea395
    
    fb2e5baba8c69ddac2abc8b6881aaebd0578ac121363f0c3505294ed8c86f861
    
    fb7a79c28fc8fe91e22a487f25a001ff52871bd06506d174ef9951d976bba325
    
    fbe0851792629f86b1d5a599a6bc29d82b3248462bebd8e47ee698e4f510308f
    
    ff71eef0f1d7b26e1946cb700e9f41ccb920a5ace45c56ee9f80a9537070f120

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "cancelle.net" or url like "cancelle.net" or userdomainname like "zhangliyong.cn" or url like "zhangliyong.cn" or userdomainname like "https://www.hpupdate.net/us-en/drivers/printers" or url like "https://www.hpupdate.net/us-en/drivers/printers" or userdomainname like "dmsz.org" or url like "dmsz.org" or userdomainname like "gsenergyspeedtest.com" or url like "gsenergyspeedtest.com" or userdomainname like "gandeste.net" or url like "gandeste.net" or userdomainname like "www.pmshyptest.com" or url like "www.pmshyptest.com" or userdomainname like "hpupdate.net" or url like "hpupdate.net" or userdomainname like "test1.zhangliyong.cn" or url like "test1.zhangliyong.cn" or userdomainname like "pmshyptest.com" or url like "pmshyptest.com" or userdomainname like "www.hpupdate.net" or url like "www.hpupdate.net"

    Detection Query 2

    dstipaddress IN ("192.142.18.15","95.179.249.205","145.14.158.235","49.157.28.114","192.142.18.27","45.9.191.183","192.142.18.25","128.199.107.213","64.176.50.42","45.15.143.151","66.42.56.233","141.136.44.219","103.56.5.224","103.19.16.248","191.96.53.132","45.77.46.245","107.148.41.114","123.253.35.100","178.128.221.202","198.13.47.158","198.244.237.13","64.176.37.107") or ipaddress IN ("192.142.18.15","95.179.249.205","145.14.158.235","49.157.28.114","192.142.18.27","45.9.191.183","192.142.18.25","128.199.107.213","64.176.50.42","45.15.143.151","66.42.56.233","141.136.44.219","103.56.5.224","103.19.16.248","191.96.53.132","45.77.46.245","107.148.41.114","123.253.35.100","178.128.221.202","198.13.47.158","198.244.237.13","64.176.37.107") or publicipaddress IN ("192.142.18.15","95.179.249.205","145.14.158.235","49.157.28.114","192.142.18.27","45.9.191.183","192.142.18.25","128.199.107.213","64.176.50.42","45.15.143.151","66.42.56.233","141.136.44.219","103.56.5.224","103.19.16.248","191.96.53.132","45.77.46.245","107.148.41.114","123.253.35.100","178.128.221.202","198.13.47.158","198.244.237.13","64.176.37.107") or srcipaddress IN ("192.142.18.15","95.179.249.205","145.14.158.235","49.157.28.114","192.142.18.27","45.9.191.183","192.142.18.25","128.199.107.213","64.176.50.42","45.15.143.151","66.42.56.233","141.136.44.219","103.56.5.224","103.19.16.248","191.96.53.132","45.77.46.245","107.148.41.114","123.253.35.100","178.128.221.202","198.13.47.158","198.244.237.13","64.176.37.107")

    Detection Query 3

    sha256hash IN ("2a0e0be49851b489922e8aa35fee34475289453be6c5eb2a693681166f5eb986","5298c1aadac203285c8a95a4e3f62ec14b984729bf768a405c8028291e34fe1b","5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655","c2d5d068e4a61ed0eaaca693af354c010f60f89eb119c55af47dbe3741f25635","9ccf0e46f6aadbb20f4c269d8ac85cc9b4e6ce56bf226d45eda4347a20785c88","101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86","4dd0debf03eeb938fbaca1f1fd391523358c23cbf18959a149c29133cc3c9cae","d86790104f59b89edbdb1478f320d4589155d465d4710bcb57ff015383eefb38","ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9","cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272","1622ef497f2b767a43e25bcd9a9a629cbe7bed49cb27dc4f08fe0863730580d9","3414b510afa61ad74f4ec44b3838fa0fbb860b29b5b7173c8043656b49fbe14e","34c6e8032de4b2df6ed7f8b4cd70080e9b3f04e51ff1dc843a1e5c4802e0c97b","3cc8e21798462468d3bc05ddef35a558fe0dff268c433d42bd01385155084f53","430bf24c9a7843895cb266b440c1f911ae600a7e6b8f3885d1c000622da52b2b","4600ddd81ccc18eca2b1bc272250b14217d866dee2a11e168b6122c1adb1ea64","4918373df7ad23598952030446e0c2dadde314c492567a6b1b329d9f1bd64398","4995b91badc8f9bf549548a734d3c14fa2a1c21080743484028b5362440808a0","4d31b846e488a7da8a33fb651d3c9b14fbadaa3dd6e356873ea540df2dc61bed","58a7be39056c2084bbb4aec9843db732dfe115ec4ee0c7cc4cf8884621b5142d","58ed0463d4cb393cd09198a6409591b39cae06bb0ba5f5d760186de88410f6b8","5be520962b2f60beebbb7676df1a1e3d3cc14b83aa1cd7b61b8721e605a1f1df","609fc96700f49f7fdfa71248e642a4dfcd8b3d35f6da3b7c2ce7daad25a844a9","636761ea5d7732b53ba7b93d9f709148a9fec411e7ddf6f786083666340cf1de","64e14eea061c4fc335b22e9755fd9abdb0ea74799063336e32d7b4cac9c30181","75403191ee834075ab5334e92bda8aab267545a03ed5ed3508db36f21f4acf50","776d427a19d8389464f855b2f70e0ac11e896162a9f9b50bcb23f0f0aea5044f","7f4e1fad9d38da7e8197ddf0e21ebb9c3990b012b249d4a5b93c4c518bb307cd","8b16a3a3047f0eb93ef2b55613a76a9f5f19506428895a5ffbb3c1c44780aad7","8d54da0f807d771edb1197e463cdff8848651e14745c4c468386c31953c340ff","9fcca5f936bb624915b1849b5ef873d17e2db666155ce96a84708d95a61e9272","a22b8ef40b8abe2bd7161f425484e82207f322fef1d0562de5bf98e2f642b477","b2796c7478af4eba2680038c60a76ca9949396ca9201bf0927285918f949d51f","b32de9f4f2a9bd08063c72fa84d5d44be5a3bf7859bfb6ceaf093cd03ff0240f","b67d50652be6be9997b4b0fe386964a89ed7df078577929aff0910f774b03996","bdcedd81555c9c2eb9f4329626c27ec8c7b91a0f2a9f6e0c55dbcd3f99e82b5d","c36173f28bfd99db86533d5fdb0ce4dd565488ca56d4b9df1997ee9201b3b704","c6e1bf2b7ac0fd3c34761099d2ec17fccd0604e2e62e94f297943260d15368ce","ce5f46132a6b926efa4f1582fb00312257f119951fee53e7d6c2f0158549aaff","da9a53ff7486cf128e5ba80e66fcf3b1d8993d553bd9634ae8e90cbab31fd8da","e4b7a1372233aef6d495743bb726fcd5037d4e90e043085498c21587335d36c7","e5620b4b6371b786c72e830dc24012354642b7067bd5902da7073ce0421456b7","e65645af3894ec55f0b55472302d288e860a10d97bc19b699facc400f778c4ee","f30b04a9ebc95c50fdc116260068d4d8da8005104b6366c29d0f24dbbf798957","f3aad172641ce28c698d6c0fc8faeb2bb6d2eb7988019db6a113796371235ccf","f6e0810b7d342cddc775cd7a64d13f55a50a926a4f99beb93bc47a2b6822483d","fa7d4fb4b43e1672c7f4656cd4275c330c2e13aff8451d68e4f305e5e5aea395","fb2e5baba8c69ddac2abc8b6881aaebd0578ac121363f0c3505294ed8c86f861","fb7a79c28fc8fe91e22a487f25a001ff52871bd06506d174ef9951d976bba325","fbe0851792629f86b1d5a599a6bc29d82b3248462bebd8e47ee698e4f510308f","ff71eef0f1d7b26e1946cb700e9f41ccb920a5ace45c56ee9f80a9537070f120")
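    The three TDIR queries above match on substrings (`like`) for hosts and on exact values for IPs and hashes. The following is an added example, not Gurucul's or Sophos's code, showing the same indicator matching as a standalone Python checker that can be run over exported log records: it uses a subset of the domains, IPs and SHA-256 hashes listed on this page, matches a host only when it equals an indicator domain or is a subdomain of one (so a lookalike such as "notcancelle.net" or a prefix such as "cancelle.net.example.com" does not fire, while "test1.zhangliyong.cn" still rolls up to "zhangliyong.cn"), canonicalises IPs before comparing, and lower-cases hashes. The field names mirror the queries above; the log records are constructed for the demonstration.

```python
"""Added IOC checker for the Crimson Palace indicator set on this page.

Not code from Gurucul or Sophos. Field names (userdomainname, url,
srcipaddress, dstipaddress, ipaddress, publicipaddress, sha256hash) follow the
TDIR queries above; the sample records below are constructed, not real telemetry.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the indicators listed on this page (the full list is above).
IOC_DOMAINS = {
    "cancelle.net", "zhangliyong.cn", "dmsz.org", "gsenergyspeedtest.com",
    "gandeste.net", "pmshyptest.com", "hpupdate.net",
}
IOC_IPS = {
    "192.142.18.15", "95.179.249.205", "145.14.158.235", "49.157.28.114",
    "45.9.191.183", "128.199.107.213", "64.176.50.42", "66.42.56.233",
}
IOC_SHA256 = {
    "2a0e0be49851b489922e8aa35fee34475289453be6c5eb2a693681166f5eb986",
    "5298c1aadac203285c8a95a4e3f62ec14b984729bf768a405c8028291e34fe1b",
    "ff71eef0f1d7b26e1946cb700e9f41ccb920a5ace45c56ee9f80a9537070f120",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_host(value):
    """Reduce a URL or bare hostname to a lowercase host with no trailing dot."""
    value = value.strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.rstrip(".")


def host_matches(host, iocs=IOC_DOMAINS):
    """Return the matching IOC domain if host equals it or is a subdomain of it.

    Walks the label suffixes (test1.zhangliyong.cn -> zhangliyong.cn) but never
    tests the bare TLD, so a substring hit like 'notcancelle.net' is not a match.
    """
    host = normalize_host(host)
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def ip_matches(value, iocs=IOC_IPS):
    """Exact IP match after canonicalising; malformed values never match."""
    try:
        return str(ipaddress.ip_address(value.strip())) in iocs
    except ValueError:
        return False


def hash_matches(value, iocs=IOC_SHA256):
    """Case-insensitive SHA-256 match; rejects values that are not 64 hex chars."""
    value = value.strip().lower()
    return bool(SHA256_RE.match(value)) and value in iocs


def scan_record(record):
    """Return a list of (field, indicator) hits for one log record (a dict)."""
    hits = []
    for field in ("userdomainname", "url"):
        if field in record:
            matched = host_matches(record[field])
            if matched:
                hits.append((field, matched))
    for field in ("srcipaddress", "dstipaddress", "ipaddress", "publicipaddress"):
        if field in record and ip_matches(record[field]):
            hits.append((field, record[field]))
    if "sha256hash" in record and hash_matches(record["sha256hash"]):
        hits.append(("sha256hash", record["sha256hash"].strip().lower()))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"url": "https://www.hpupdate.net/us-en/drivers/printers", "dstipaddress": "64.176.50.42"},
    {"userdomainname": "test1.zhangliyong.cn"},
    {"url": "https://notcancelle.net/", "srcipaddress": "10.0.0.5"},  # lookalike, must not fire
    {"sha256hash": "FF71EEF0F1D7B26E1946CB700E9F41CCB920A5ACE45C56EE9F80A9537070F120"},
    {"userdomainname": "cancelle.net.example.com"},                   # prefix, must not fire
]


def scan_all(records=SAMPLE_RECORDS):
    """Map record index -> hits, omitting records with no hits."""
    return {i: h for i, r in enumerate(records) if (h := scan_record(r))}


if __name__ == "__main__":
    for idx, hits in scan_all().items():
        print(idx, hits)
```

    Running the block reports hits for records 0, 1 and 3 only; the two lookalike records stay clean, which is the difference between suffix matching and the substring `like` form used in Detection Query 1. Extend the three indicator sets with the remaining values from the lists above before using this against real exports.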

    Reference:

    https://news.sophos.com/en-us/2024/09/10/crimson-palace-new-tools-tactics-targets/

    Tags

    Malware
