Profile

Mark Parsons

Threat Hunter at Sophos

Mark is a dedicated cybersecurity practitioner, working primarily in threat hunting, digital forensics, and incident response roles. Previous notable achievements include identifying multi-month nation-state intrusions; working with multiple states’ cybersecurity programs before, during, and after the 2020 election cycle to improve their detection and response capabilities; finding rarely seen (second-reporter) bugs in Microsoft Azure/CAP logs that thankfully did not lead to massive compromise; and identifying multiple Initial Access Brokers before their targets were compromised by second actors.

All Sessions

Day 2
May 10, 2024
9:15 am

Threat Hunting unveils Operation Crimson Palace

Time: 9:15 am - 9:45 am

Operation Crimson Palace is a months-long intrusion by Chinese state-sponsored adversaries targeting a Southeast Asian organization. The campaign includes clusters of activity whose TTPs align with those of APT15 (Backdoor Diplomacy), Earth Longzhi (an APT41 subgroup), and one additional unattributed operator. Sophos’ time-of-day analysis of the threat actors’ activity lines up with working hours in China and shows the clusters operating at different times in a coordinated manner.
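The time-of-day analysis mentioned above can be reproduced on any event timeline. The script below is an added example, not Sophos’ code or data: it converts constructed UTC timestamps to local time under a candidate UTC offset, buckets them by hour, scores each offset by how much activity lands in a 09:00 to 18:00 working window, and summarises each activity cluster separately. It goes a step beyond the abstract by searching across all plausible offsets instead of assuming UTC+8. The cluster names, timestamps, and working window are invented assumptions for illustration.

```python
"""Time-of-day profiling of attacker activity (added example, not Sophos code)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry: (activity cluster, first-seen timestamp in UTC).
# These values are invented for illustration; they are not Crimson Palace indicators.
SAMPLE_EVENTS = [
    ("cluster-a", "2023-03-06T01:12:00Z"),  # 09:12 local at UTC+8
    ("cluster-a", "2023-03-06T02:40:00Z"),  # 10:40
    ("cluster-a", "2023-03-07T03:05:00Z"),  # 11:05
    ("cluster-a", "2023-03-07T05:30:00Z"),  # 13:30
    ("cluster-a", "2023-03-08T06:15:00Z"),  # 14:15
    ("cluster-b", "2023-03-08T06:50:00Z"),  # 14:50
    ("cluster-b", "2023-03-09T08:10:00Z"),  # 16:10
    ("cluster-b", "2023-03-09T09:45:00Z"),  # 17:45
    ("cluster-b", "2023-03-10T09:58:00Z"),  # 17:58
    ("cluster-b", "2023-03-11T14:30:00Z"),  # 22:30 on a Saturday: the lone outlier
]

WORK_START, WORK_END = 9, 18  # assumed local working window, hours [9, 18)


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(ts: str, utc_offset_hours: int) -> datetime:
    """Shift a UTC timestamp into a fixed-offset zone (no tzdata dependency)."""
    return parse_utc(ts).astimezone(timezone(timedelta(hours=utc_offset_hours)))


def hour_histogram(timestamps, utc_offset_hours):
    """24-bucket count of events by local hour under the given UTC offset."""
    counts = Counter(to_local(t, utc_offset_hours).hour for t in timestamps)
    return [counts.get(h, 0) for h in range(24)]


def working_hours_fraction(hist):
    """Share of events that fall inside the local working window."""
    total = sum(hist)
    return 0.0 if total == 0 else sum(hist[WORK_START:WORK_END]) / total


def weekday_fraction(timestamps, utc_offset_hours):
    """Share of events whose local date is Monday to Friday."""
    if not timestamps:
        return 0.0
    on_weekdays = sum(1 for t in timestamps if to_local(t, utc_offset_hours).weekday() < 5)
    return on_weekdays / len(timestamps)


def best_fit_offset(timestamps, offsets=range(-12, 15)):
    """UTC offset that places the most activity inside working hours.
    Ties go to the offset closest to UTC so the result is deterministic."""
    return max(offsets, key=lambda o: (working_hours_fraction(hour_histogram(timestamps, o)), -abs(o)))


def cluster_profiles(events, utc_offset_hours):
    """Per-cluster summary: event count, working-hours share and busiest local hour."""
    by_cluster = {}
    for cluster, ts in events:
        by_cluster.setdefault(cluster, []).append(ts)
    profiles = {}
    for cluster, stamps in by_cluster.items():
        hist = hour_histogram(stamps, utc_offset_hours)
        profiles[cluster] = {
            "events": len(stamps),
            "working_hours_fraction": working_hours_fraction(hist),
            "peak_local_hour": max(range(24), key=lambda h: hist[h]),
        }
    return profiles


if __name__ == "__main__":
    stamps = [ts for _, ts in SAMPLE_EVENTS]
    offset = best_fit_offset(stamps)
    print(f"best-fitting UTC offset: {offset:+d}")
    print(f"working-hours share: {working_hours_fraction(hour_histogram(stamps, offset)):.0%}")
    print(f"weekday share: {weekday_fraction(stamps, offset):.0%}")
    for name, prof in cluster_profiles(SAMPLE_EVENTS, offset).items():
        print(name, prof)
```

On the constructed sample the best-fitting offset is UTC+8, with 90% of events inside the working window and on weekdays, and the two clusters peak at different local hours, which is the kind of shift pattern the abstract describes. In practice the inputs would be first-seen times from EDR or proxy logs, and the offset search only gives a hypothesis: keep the histogram, not just the winning offset, because a flat or bimodal distribution is itself a finding.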

Sophos was able to observe the adversary’s actions in detail over several months and, specifically, to track what they did when software controls blocked them. The operators took care to limit exposure of their custom tooling and rotated tactics to continue their actions on objectives. Notable observations include:

  • Use of a niche EDR evasion tactic that relies on timing, volume, and a good understanding of Windows internals to bypass kernel hooks.
  • Reversion to credential dumping and abuse of valid credentials when their tools were prevented from running.
  • Use of multiple tools to achieve the same objectives, indicating a well-funded operation with a deep toolbox.
  • Routine deletion of their tools and scripts after use, followed by a return to redeploy a functionally similar tool with a slight variation each time.

During this presentation, we will provide context on how we conducted our analysis, as well as additional technical insight into the more novel malware used by the attackers, which has been previewed on social media.