Source: RyanPictures via Shutterstock

Researchers have uncovered a quiet multiyear campaign by China's Velvet Ant cyber-espionage group to steal critical data from a large company in East Asia.

What makes the campaign noteworthy is the extent to which the threat actor managed to maintain persistence on the victim's network despite repeated eradication attempts.

Researchers from Sygnia who finally booted the threat actor out of the organization's environment attributed at least part of Velvet Ant's persistence to its success at finding and infecting numerous legacy and unmonitored systems on the target network.

"The threat actor achieved remarkable persistence by establishing and maintaining multiple footholds within the victim company’s environment," Sygnia said in a report released today. "Even after one foothold was discovered and remediated, the threat actor swiftly pivoted to another, demonstrating agility and adaptability in evading detection."

Sygnia discovered the intrusion at a customer location in late 2023. The security vendor's investigation showed the threat actor had likely gained access to the victim environment some three years previously and had remained undetected using multiple persistence and defense evasion mechanisms.

After identifying what they thought were all the attack sources, vectors and tools, Sygnia researchers initiated measures to eradicate Velvet Ant and associated artifacts from the victim's network and systems. But far from being shut out, Velvet Ant quickly resurfaced on the victim network just a few days later, this time via malware the group had previously planted as a Plan B on legacy systems in the target environment.

Sygnia's investigation showed the threat actor had installed the highly modular — and once widely popular — PlugX remote access Trojans on some legacy Windows Server 2003 systems.

From those infected systems, Velvet Ant actors moved laterally to newer Windows systems by first tampering with their endpoint detection and remediation (EDR) protections and then installing PlugX on those, too. Once Velvet Ant gained access to targeted systems, the threat actor leveraged a commonly used open source penetration testing and exploit development tool called "Impacket" to laterally transfer more malware tools and to execute arbitrary commands on the compromised hosts. For remote command execution, the attackers used Impacket’s wmiexec.py, Windows Management Instrumentation (WMI) tool.

Playing Whack-a-Mole

As part of the second-round threat eradication process, Sygnia's team worked with the victim organization to re-image dozens of compromised system and to decommission many (but not all) legacy systems. In all, Sygnia's researchers identified hundreds of indicators of compromise (IoCs).

But once again, as with the first time, just a few days later, Sygnia observed fresh signs of Velvet Ant activity in the form of new PlugX infected hosts on the organization's network. This time around, however, the researchers could find no signs of the PlugX-infected hosts communicating with an external command-and-communication (C2) server, leaving them to wonder how the threat actor might be communicating with the systems. A subsequent investigation showed Velvet Ant had previously configured a legacy file server to work as an internal C2 server for compromised hosts on the network.

"This meant that the threat actor deployed two versions of PlugX within the network. The first version, configured with an external C2 server, was installed on endpoints with direct internet access, facilitating the exfiltration of sensitive information," according to the Sygnia report. "The second version did not have a C2 configuration, and was deployed exclusively on legacy servers."

To access the internal C2 server, the threat actors were using backdoors and other malicious binaries they had previously installed on two unmonitored legacy F5 Big-IP load-balancing systems that were not supposed to be operational on the production network. An internal team had deployed the F5 appliances as part of a disaster recovery project that never was completed, and as a result, they were running outdated and vulnerable OS versions.

"Their operation was objective-oriented," says a researcher spokesperson from Sygnia. "Therefore, they did not spread throughout the victim's entire network but accessed only specific servers and workstations which were required [for] technical reconnaissance" at the application and network level.

Multiple Strongholds for Cyber Espionage

As part of its strategy to achieve this goal, the threat actor created several "strongholds" in different locations on the target organization's network. Some of them were dormant and were utilized only as a fallback in case the activity in another network location was detected. In addition, the threat actively tampered with the installed EDR environment by disabling it and by remotely deleting locally saved logs, the Sygnia researcher says.

Among the several steps that the security vendor recommends organizations take to mitigate exposure to APT and nation-state actors is decommissioning and replacing legacy systems. State-sponsored actors often use infrequently monitored legacy network devices and systems to hide and to persist.

"This is due to lack of auditing and partial support of EDR products or logging implementations," the researcher says. "Threat actors can be very creative. It is important to make sure that every observed abnormal activity can be explained and verified in a reasonable manner."