Ravie Lakshmanan, Jun 05, 2026, Cyber Espionage / Threat Intelligence

Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework.

ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China.

“OP-512 was highly likely conducting espionage through a compromised Internet Information Services (IIS) web server on an organization whose sector and geography align with China-linked intelligence priorities,” the company said in a report shared with The Hacker News.

Although no overlaps have been found between OP-512 and other known China-aligned adversaries, it’s the fourth such threat group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS web servers over the past 12 months. As recently as last month, Cisco Talos revealed that multiple Chinese-speaking cybercrime groups are sharing a variant of malware called BadIIS to infect IIS servers.

IIS servers have also been targeted by SHADOW-EARTH-053 as part of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia.

Central to the operations of OP-512 is a custom web shell framework consisting of three web shells that grant the attackers remote access to the compromised host. The framework also takes steps to evade signature-based detection and to complicate forensic timelines, using techniques such as timestomping to deliberately manipulate the creation and modification timestamps of the web shell artifacts.

Specifically, the timestomping routine scans every file and sub-folder around the location where the web shells are placed, calculates the median last-modified timestamp, and overwrites the web shells' own creation and modification times with that value, giving the impression that they have been present for some time.
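A median-based timestomp leaves its own artifact: a script file whose creation and modification times both land exactly on the median of its neighbours, which is rare for files that arrived through normal deployment. The following is an added triage helper written for this article, not tooling from ReliaQuest or from the report; the directory listing, paths and epoch values are constructed so the check runs offline, and `listing_from_disk` is a hypothetical convenience for building the same entries from a real web root.

```python
"""Flag IIS script files whose creation and modification times both sit at
the median last-modified time of their directory listing -- the trace that
the median-based timestomping described above would leave behind.

Added example for this article; not ReliaQuest's tooling. Paths and epoch
values below are constructed, not taken from the report.
"""
import os
from dataclasses import dataclass
from statistics import median

# IIS-executable extensions worth triaging first (web shells are usually one of these).
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asax")


@dataclass
class FileEntry:
    path: str
    mtime: float   # last-modified, seconds since epoch
    ctime: float   # creation time, seconds since epoch


def directory_median_mtime(entries):
    """Median last-modified time over the whole listing: the value the
    timestomping routine computes before rewriting its own timestamps."""
    return median(e.mtime for e in entries)


def find_median_anchored(entries, tolerance_s=1.0):
    """Return script files whose creation AND modification times are both
    within tolerance_s of the directory median. A legitimate file rarely has
    ctime == mtime == the neighbourhood median, so treat a hit as a triage
    signal to corroborate, not as proof of compromise."""
    if not entries:
        return []
    med = directory_median_mtime(entries)
    hits = []
    for e in entries:
        if not e.path.lower().endswith(SCRIPT_EXTS):
            continue
        if abs(e.mtime - med) <= tolerance_s and abs(e.ctime - med) <= tolerance_s:
            hits.append(e)
    return hits


def listing_from_disk(root):
    """Hypothetical helper: build FileEntry objects from a real directory tree.
    On Windows os.stat().st_ctime is the creation time; on Linux it is the
    inode-change time, so run this on the IIS host itself."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            out.append(FileEntry(full, st.st_mtime, st.st_ctime))
    return out


# Constructed sample listing (hypothetical paths and times, not from the report).
DAY = 86400
BASE = 1_700_000_000
SAMPLE_LISTING = [
    FileEntry(r"C:\inetpub\wwwroot\web.config",       BASE + 0 * DAY,  BASE - 30 * DAY),
    FileEntry(r"C:\inetpub\wwwroot\Default.aspx",     BASE + 2 * DAY,  BASE - 30 * DAY),
    FileEntry(r"C:\inetpub\wwwroot\Global.asax",      BASE + 4 * DAY,  BASE - 30 * DAY),
    FileEntry(r"C:\inetpub\wwwroot\bin\App.dll",      BASE + 6 * DAY,  BASE - 30 * DAY),
    FileEntry(r"C:\inetpub\wwwroot\css\site.css",     BASE + 8 * DAY,  BASE - 30 * DAY),
    FileEntry(r"C:\inetpub\wwwroot\img\logo.png",     BASE + 10 * DAY, BASE - 30 * DAY),
    # Planted handler: both timestamps rewritten to the median of the other files (5 days).
    FileEntry(r"C:\inetpub\wwwroot\img\handler.ashx", BASE + 5 * DAY,  BASE + 5 * DAY),
]

if __name__ == "__main__":
    for hit in find_median_anchored(SAMPLE_LISTING):
        print("median-anchored script file:", hit.path)
```

Only `handler.ashx` is reported: `Default.aspx` and `Global.asax` are script files but their timestamps do not coincide with the median, and their creation times predate their last modification as they normally would. Corroborate any hit with the IIS access logs (requests to a handler nobody deployed) and with the MFT `$FILE_NAME` timestamps, which API-level timestomping usually leaves untouched.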

“This framework combines capabilities we rarely see together: each deployment is uniquely generated, access is restricted to the attacker through cryptographic controls, and compromised servers automatically report back for centralized management at scale,” ReliaQuest said.

OP-512 is tactically very close to CL-STA-0048, which raises the possibility that it is either an existing cluster that has completely revamped its toolset or a group that developed these capabilities independently. Regardless of its origins, the hacking group is assessed to be a distinct cluster operating autonomously.

In the attack observed by the cybersecurity company, the threat actor targeted a legacy IIS server running Windows Server 2016 with the end-of-life .NET Framework 4.0. There is evidence of prior activity on the same host about 75 days before the main incident, involving DNS queries to a different attacker-controlled domain (“ashx.lhlsjcb[.]com”).

The sequence of actions that unfolded…



Last Update: June 5, 2026