DeadRinger Summary
The DeadRinger operation was comprised of three campaigns led by different threat groups linked to China, targeting major Telecommunications Companies in Southeast Asia. The groups consisted of SoftCell, Naikon APT and Group-3390, which are attributed with operating for Chinese state interests. When the campaigns were discovered, researchers were able to link malicious activity dating as far back as 2017 until the present day. This activity consisted of exploits of Microsoft Exchange vulnerabilities (unknown at the time) and various forms of backdoors that helped the actors maintain persistence in the victim’s environments.
TTPs observed in these campaigns were similar to tactics utilized in the Hafnium zero-day attacks, which were attributed to China by the White House in March of 2021. The resemblances with the DeadRinger operation can be found in the techniques used, but the exploitation of Microsoft Exchange vulnerabilities are most interesting. Although all three campaigns (or clusters) are executed by different groups, their tactics, techniques, and victims (sometimes seen on the same endpoints at the same time!) overlap and potentially show a parallel in objectives via high value targets within the Telecommunications industry.
DeadRinger Synopsis
In August 2021, it was discovered there were three malicious campaigns targeting major
Southeast Asian telecommunications companies – since as far back as in 2017. The three threat
groups were known to have Chinese state affiliation (Soft Cell, Naikon, and Group-3390), along
with the same target and similar techniques. These techniques allowed them to achieve and
maintain persistence on infected machines and environments. The observed operations utilized
methods such as (but not limited to): exploitation of Microsoft Exchange Server vulnerabilities,
China Chopper web shell, Cobalt Strike beacons, a modified Mimikatz tool and various
backdoors utilized for data exfiltration. CyberReason’s report divided the campaigns into
clusters, each designated and identified by threat actor.
Cluster A
Cluster A was affiliated with Soft Cell, a cyber espionage group who have been observed in
operation since 2010. They abused Microsoft Exchange vulnerabilities in order to gain access
throughout, and installed China Chopper WebShell to perform commands. During this cluster:
the actor was seen utilizing the “$RECYCLE.BIN” folder for obfuscation, then utilized Windows
Native tools for Reconnaissance purposes (whoami, ping, etc). Batch scripts were also observed
to be used for environment reconnaissance and preparation for exfiltration. For lateral
movement, Soft Cell used WMI and Net Use to establish network connections used to traverse
the environment. Note: actors hid contents of stolen data within a “.RAR” file stashed in the
“C:\users\SUPPORT_388945a0\Documents” path – which was then exfiltrated via China
Chopper web shell. The actors also utilized PcShare as a backdoor, side-loading the loader
legitimate “nvSmarEx.exe” executable – as well as SoftEther VPN for persistence and access
purposes. Changes in TTPs were also observed throughout each phase, such as introducing new
tools for Reconnaissance (like Local group or NBTScan).
Cluster B
Cluster B was affiliated with Naikon, observed to be in operation since 2020. The Naikon APT
group was “previously attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu
Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator
78020).” Their initial vector of compromising is not known, however their TTPs were different
than those observed in Cluster A. For example the usage of the Nebulae backdoor (executed via
DLL side-loading trusted apps, like chrome_frame_helper.exe), which enabled a wealth of
accessibility for the attacker – such as Reconnaissance, File/Process manipulation, Command
execution, Privilege Escalation, and C2 communications. When stealing credentials, Naikon used
ProcDump and a modified Mimikatz tool for extraction, as well as “EnrollLogger” keylogger.
Cluster C
Cluster C was affiliated with Group-3390 (or Emissary Panda), observed activity from 2017 to 2021. Similar to Cluster A, Group-3390 utilized Microsoft Exchange server vulnerabilities
(unknown at the time) in order to gain initial access. They are unique with the deployment of a
“Outlook Web Access backdoor” (Microsoft.Exchange.Clients.Event.dll) that was seen across
Exchange and IIS servers. It would intercept any requests that contained “owa/auth.owa” and
logs the data. This data could include IP Addresses and Credentials. It is then hidden with an
XOR cipher and exfiltrated/deleted when the attacker connects with a unique session ID. This
method has been recently exploited during the HAFNIUM attacks in March 2021.
