Suspected Chinese Group Exploiting Microsoft Exchange Servers

Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers

March 25, 2021 • Insikt Group®

China

Insikt Group

Beginning on March 1, 2021, Recorded Future’s Insikt Group identified a large increase in victim communications to PlugX command and control (C2) infrastructure publicly attributed to the suspected Chinese state-sponsored group Calypso APT. We believe that this activity is highly likely linked to the exploitation of recently disclosed Microsoft Exchange vulnerabilities (also known as ProxyLogon — CVE-2021-26855, CVE-2021-27065). Our observations align with recent reporting by ESET in which the group was identified targeting vulnerable Exchange servers to deploy a web shell and ultimately load the PlugX malware post-exploitation. 

Targeted organizations were geographically widespread and covered multiple industries, supporting wider industry commentary that the targeting is likely opportunistic. Victims of identified post-exploitation activity included local and national governments, as well as software, defense, finance, IT, legal, and manufacturing organizations in Australia, the Czech Republic, Germany, India, Italy, Kazakhstan, Macedonia, Nepal, Switzerland, Ukraine, and the United States. We identified several high-value targets likely impacted, including a US electronic parts distributor serving defense and aerospace sectors, an Indian heavy engineering company with a presence in strategic defense sectors, local governments in the US and Australia, and a North Macedonian national government department. 

The activity identified by Insikt Group began on March 1, 2021, prior to the disclosure of the vulnerabilities. This indicates the group likely had access to the exploit as a zero day prior to Microsoft’s disclosure, corroborating a similar assessment made by ESET.

Infrastructure and Malware Analysis

Insikt Group has been tracking a cluster of PlugX C2 servers and related infrastructure that overlaps with public reporting on Calypso APT by PTSecurity and ESET. We first reported on activity linked to this infrastructure cluster in August 2020 to our customers, following the identification of suspected intrusion activity targeting an Afghan telecommunications provider and government body. The identified cluster is outlined in Table 1 below:

Current Hosting IP Domain Registrar Registered
91.220.203[.]197 () 

[PlugX C2]

www.membrig[.]com NAMECHEAP INC 2018-12-13
103.30.17[.]44 () www.draconess[.]com NAMECHEAP INC 2018-02-05
91.220.203[.]86 () 

[PlugX C2]

www.rosyfund[.]com GuangDong NaiSiNiKe Information Technology Co Ltd. 2018-12-13
45.144.242[.]216 () 

[PlugX C2]

www.sultris[.]com NAMECHEAP INC 2018-02-02
91.220.203[.]86 () 

[PlugX C2]

www.yolkish[.]com NAMECHEAP INC 2018-01-29
45.76.84[.]36 

()

mail.prowesoo[.]com NAMECHEAP INC 2018-02-02
45.76.84[.]36 

()

www.waxgon[.]com NAMECHEAP INC 2018-01-31
107.248.220[.]246

()

www.rawfuns[.]com1 NICENIC INTERNATIONAL GROUP CO., LIMITED 2018-02-05
45.76.84[.]36 

()

mail.aztecoo[.]com NICENIC INTERNATIONAL GROUP CO., LIMITED 2018-02-05

Table 1: Suspected Calypso APT infrastructure cluster

Examining the PlugX cluster allowed us to make the following high-level observations regarding Calypso APT’s infrastructure tactics, techniques, and procedures (TTPs):

  • The majority of domains used the “www.” subdomain for C2 with no DNS record for the root domain
  • Most of the domains were registered using registrar NameCheap
  • C2 domains kept operational for more than 2 years
  • Operational infrastructure has been hosted on:
    • M247 Ltd
    • Global Network Transit Limited
    • PEG TECH INC
    • Web Werks India Pvt. Ltd
    • Choopa LLC

Insikt Group identified the following malware samples linked to the identified infrastructure, 2 of which were listed within ESET’s reporting. At this time, we have not undertaken extensive analysis on these samples:

File Name SHA256 Hash Malware Variant C2 IP/Domain
FORTITRAY.EXE 913fa95829ba3f77c0673f0af5c6afaeb6e6a2bdd0e98c186df65f1d27b9dc1f Unknown www.yolkish[.]com
msf.exe f32866258b67f041dc7858a59ea8afcd1297579ef50d4ebcec8775c816eb2da9 Meterpreter 45.144.242[.]216 
SRVCON.OCX 5d803a47d6bb7f68d4e735262bb7253def6aaab03122b05fec468865a1babe32 PlugX Loader yolkish[.]com and rawfuns[.]com
rapi.dll ab678bbd30328e20faed53ead07c2f29646eb8042402305264388543319e949c Whitebird Loader yolkish[.]com and rawfuns[.]com

 

Calypso’s Targeting of Microsoft Exchange Servers and Victimology

Timeline

Figure 1: Timeline of PlugX C2 91.220.203[.]86 (Source: Recorded Future)

Recorded Future first identified the IP 91.220.203[.]86 as a suspected PlugX C2 on November 14, 2020. Using Recorded Future Network Traffic Analysis (NTA), we detected a large increase in activity linked to this C2 server from victim IP addresses hosting Microsoft Exchange services from March 1, 2021 onwards. We believe that this increase in activity is very likely linked to the widespread exploitation of recently publicized vulnerabilities impacting Microsoft Exchange, which were first disclosed on March 2, 2021.

On March 10, 2021, ESET reported on a range of threat activity groups, largely Chinese state sponsored, exploiting a pre-authentication remote code execution (RCE) vulnerability chain that allows an attacker initial access to internet-facing Microsoft Exchange servers: 

  • CVE-2021-26855 [ProxyLogon]
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

First reported by Microsoft on March 2, exploitation of these vulnerabilities was initially linked to a China-based activity group tracked as HAFNIUM by Microsoft Threat Intelligence Center (MSTIC). ESET’s findings indicate that the vulnerabilities began to be exploited by additional Chinese activity groups, including Tick, LuckyMouse, and Calypso APT, in late February and early March. This activity occurred prior to the public disclosure of these vulnerabilities and suggests that these additional Chinese activity groups also had access to the exploit as a zero day. While initially exploited by HAFNIUM in “limited and targeted attacks”, from at least February 27 onwards, the vulnerabilities were subject to mass exploitation by an increasing number of groups (1,2,3). 

This aforementioned PlugX C2 IP 91.220.203[.]86 currently hosts the domain www[.]yolkish[.]com, referenced within the aforementioned ESET reporting on the exploitation of Microsoft Exchange vulnerabilities. In this activity, the group was identified dropping web shells in the following locations following exploitation:

C:\inetpub\wwwroot\aspnet_client\client.aspx

C:\inetpub\wwwroot\aspnet_client\discover.aspx

Mitigations

Using this web shell access, Calypso APT was then identified loading the aforementioned PlugX and Whitebird malware samples through DLL search-order hijacking using legitimate executables. Insikt Group identified over 30 likely victim organizations communicating with the 91.220.203[.]86 PlugX C2 across a range of geographies and industry verticals, including local and national government, software, defense, finance, IT, legal, and manufacturing organizations in Australia, Czech Republic, Germany, India, Italy, Kazakhstan, Macedonia, Nepal, Switzerland, Ukraine, and the United States. Several of these organizations were not typical targets of cyber espionage activity, supporting wider industry commentary that much of the targeting is likely opportunistic.

We recommend the following measures to detect and mitigate activity associated with the identified Calypso APT activity: 

  • Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.
  • Recorded Future proactively detects and logs malicious server configurations in the Command and Control Security Control Feed. The Command and Control list includes tools used by Calypso and Chinese state-sponsored threat activity groups, such as PlugX. Recorded Future clients should alert on and block these C2 servers to allow for detection and remediation of active intrusions.
  • If you are running on-premises Microsoft Exchange, ensure the latest updates are installed and that the patch is validated. 
  • Following deployment of updates, follow industry guidance on hunting for web shells installed on Exchange servers post-exploitation (1, 2).

Indicators of Compromise

Readers can access the indicators listed below in our public Insikt Group Github repository: https://github.com/Insikt-Group/Research.

New call-to-action

Related Posts

Iran-Linked Threat Actor The MABNA Institute’s Operations in 2020

Iran-Linked Threat Actor The MABNA Institute’s Operations in 2020

April 21, 2021 • Insikt Group®

Editor’s Note: The following post is an excerpt of a full report To read the entire analysis,...

Lockdown Saw Rise in Wine Domains and Wine Scammers

Lockdown Saw Rise in Wine Domains and Wine Scammers

April 7, 2021 • Insikt Group®

  This report was produced jointly with researchers from Area 1 Security Area 1...

Cybercriminals Continue to Exploit Human Nature Through Phishing and Spam Attacks

Cybercriminals Continue to Exploit Human Nature Through Phishing and Spam Attacks

April 6, 2021 • Insikt Group®

Editor’s Note: The following post is an excerpt of a full report To read the entire analysis,...