Three China-linked threat clusters have been observed compromising additional government organizations in Southeast Asia as part of a renewed state-sponsored operation code-named Crimson Palace, indicating an expansion of the espionage activity.
Cybersecurity firm Sophos, which is tracking the campaign, said it consists of three sets of intrusions, tracked as Cluster Alpha (STAC1248), Cluster Bravo (STAC1870) and Cluster Charlie (STAC1305). STAC is an acronym for “security threat activity cluster”.
“Attackers consistently used other compromised organizational and public networks in this region to deliver malware and tools under the guise of a trusted access point,” security researchers Mark Parsons, Morgan Demboski and Sean Gallagher said in a technical report shared with The Hacker News.
A notable aspect of the attacks is that they involve the use of an unnamed organization’s systems as a command and control (C2) relay point and staging area for tools. A second organization’s compromised Microsoft Exchange Server is said to have been used to host the malware.
Crimson Palace was first documented by the cybersecurity company in early June 2024, with the attacks having taken place between March 2023 and April 2024.
While the initial activity associated with Cluster Bravo, which overlaps with a threat group called Unfading Sea Haze, was limited to March 2023, a new wave of attacks detected between January and June 2024 targeted 11 other organizations and agencies in the same region.
A fresh set of attacks orchestrated by Cluster Charlie, a cluster dubbed Earth Longzhi, has also been observed between September 2023 and June 2024, some of which involve the deployment of C2 frameworks such as Cobalt Strike, Havoc and XieBroC2 to facilitate post-exploitation and deliver additional payloads, such as SharpHound for mapping Active Directory infrastructure.
“Exfiltration of data of intelligence value continued to be a goal after operations resumed,” the researchers said. “However, much of their effort appears to have focused on restoring and expanding their position on the target network by bypassing the EDR software and quickly regaining access when their C2 implants were blocked.”
Another important aspect is Cluster Charlie’s heavy reliance on DLL hijacking to execute its malware, an approach previously used by the threat actors behind Cluster Alpha, which suggests a “cross-pollination” of tactics.
Some of the other open-source tools used by the threat actor include RealBlindingEDR and Alcatraz, which are used to terminate antivirus processes and to obfuscate portable executable files (such as .exe, .dll and .sys) so they fly under the radar.
Rounding out the cluster’s malware arsenal is a previously unknown keylogger codenamed TattleTale, which was initially identified in August 2023 and is capable of collecting data from Google Chrome and Microsoft Edge browsers.
“The malware can hijack a compromised system and check for mounted physical and network drives while pretending to be a logged-on user,” the researchers explained.
“TattleTale also collects domain controller name and steals LSA (Local Security Authority) request policy information, which is known to contain sensitive information related to password policies, security settings, and sometimes cached passwords.”
In a nutshell, the three clusters work hand in hand while focusing on specific stages of the attack chain: infiltrating the target environment and conducting reconnaissance (Alpha), penetrating deeper into the network using various C2 mechanisms (Bravo), and exfiltrating valuable data (Charlie).
“Throughout the engagement, the enemy appeared to be constantly testing and refining their methods, tools, and practices,” the researchers concluded. “When we deployed countermeasures against their custom malware, they combined the use of their custom-built tools with common open-source tools often used by legitimate penetration testers, testing various combinations.”