Web Server Exploits and Mimikatz Used in Attacks Targeting Asian Critical Infrastructure
Source: The Hacker News
Threat Actor Overview
High‑value organizations in South, Southeast, and East Asia have been targeted by a Chinese threat actor in a years‑long campaign.
The activity spans aviation, energy, government, law‑enforcement, pharmaceutical, technology, and telecommunications sectors. Palo Alto Networks Unit 42 attributes the campaign to a previously undocumented group CL‑UNK‑1068 (where “CL” = cluster and “UNK” = unknown motivation), assessing with moderate‑to‑high confidence that its primary objective is cyber espionage.
“Our analysis reveals a multi‑faceted tool set that includes custom malware, modified open‑source utilities, and living‑off‑the‑land binaries (LOLBINs). These provide a simple, effective way for the attackers to maintain a persistent presence within targeted environments.” – Security researcher Tom Fakterman, Unit 42 (https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/)

Tools and Malware
The adversary targets both Windows and Linux environments, leveraging a mix of open‑source utilities and malware families:
- Godzilla – web shell
- ANTSWORD – web shell
- Xnote – Linux backdoor (detected since 2015, used by the Earth Berberoka / GamblingPuppet collective)
- Fast Reverse Proxy (FRP) – open‑source reverse‑proxy/tunnelling tool used to keep persistent remote access

Linux Backdoor
Xnote has been observed in attacks against online‑gambling sites, providing the attackers with long‑term access to compromised Linux servers.

Typical Attack Chain
- Web server exploitation – compromise an internet‑facing web server and deploy a web shell (Godzilla or ANTSWORD).
- Lateral movement – pivot from the web server to additional hosts.
- File theft – collect files with specific extensions (web.config, .aspx, .asmx, .asax, .dll) from c:\inetpub\wwwroot. web.config typically holds database connection strings and the compiled .dll assemblies can be decompiled, so these files yield credentials and point to further vulnerabilities in the application.
Additional harvested data:
- Web‑browser history and bookmarks.
- XLSX and CSV files from desktops and user directories.
- Database backup (.bak) files from MS‑SQL servers.
Data Exfiltration Technique
The group archives collected files with WinRAR, then Base64‑encodes each archive with certutil -encode. The encoded text is printed with the type command, so the operator can copy the Base64 from the web shell's command output and decode it offline, with no file‑download capability needed in the shell.
“By encoding the archives as text and printing them to their screen, the attackers were able to exfiltrate data without actually uploading any files. The attackers likely chose this method because the shell on the host allowed them to run commands and view output, but not to directly transfer files.” – Unit 42
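The collection and read‑back chain described above (archive from the web root, certutil -encode, type) leaves a distinctive sequence in process‑creation telemetry. The following Python is an added detection example, not code from the article or from Unit 42: it runs a three‑stage heuristic over constructed sample events with fields in the style of Sysmon Event ID 1. The events, host names, file paths and the assumption that the web shell spawns its commands from the IIS worker process w3wp.exe are all illustrative.

```python
"""Flag the collect -> certutil -encode -> type read-back chain in process-creation events."""
import ntpath
import re

# Constructed sample events (Sysmon Event ID 1 / 4688 style), not telemetry from the
# Unit 42 report. The w3wp.exe parent is an assumption about how a web shell hosted
# by IIS would spawn its commands.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": "w3wp.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\WinRAR\Rar.exe" a -r C:\Windows\Temp\w.rar '
                r'C:\inetpub\wwwroot\web.config C:\inetpub\wwwroot\bin\*.dll'},
    {"host": "web01", "parent": "w3wp.exe",
     "cmdline": r'cmd.exe /c certutil -encode C:\Windows\Temp\w.rar C:\Windows\Temp\w.txt'},
    {"host": "web01", "parent": "w3wp.exe",
     "cmdline": r'cmd.exe /c "type C:\Windows\Temp\w.txt"'},
    # Legitimate administrator use of certutil: converting a DER certificate to PEM.
    {"host": "pki01", "parent": "explorer.exe",
     "cmdline": r'certutil -encode C:\certs\server.cer C:\certs\server.pem'},
    # Unrelated use of type that must not be linked to any encode step.
    {"host": "fs01", "parent": "cmd.exe",
     "cmdline": r'cmd.exe /c type C:\notes\readme.txt'},
]

ARCHIVE_EXT = {".rar", ".zip", ".7z", ".cab", ".bak"}
CERT_EXT = {".cer", ".crt", ".der", ".p7b", ".pfx", ".p12"}
WEB_ROOT = r"\inetpub\wwwroot"
WEB_WORKER = {"w3wp.exe"}  # assumption: IIS worker process hosting the web shell


def split_cmdline(cmdline):
    """Split on whitespace, keeping double-quoted runs together. Backslashes are path
    separators on Windows, not escapes, so they are left alone (shlex would eat them)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def command_tokens(cmdline):
    """Return the tokens of the command actually run, peeling off cmd.exe /c wrappers."""
    toks = split_cmdline(cmdline)
    while (len(toks) >= 3 and ntpath.basename(toks[0]).lower() in ("cmd.exe", "cmd")
           and toks[1].lower() in ("/c", "/k")):
        rest = toks[2:]
        # cmd.exe /c "type file" arrives as one quoted token; re-split it.
        toks = split_cmdline(rest[0]) if len(rest) == 1 else rest
    return toks


def analyze(events):
    """Return one finding per suspicious stage. The 'type' stage only fires when the file
    being printed was produced by an earlier certutil -encode on the same host."""
    findings = []
    encoded = {}  # (host, lowercased output path) -> index of the certutil event
    for i, ev in enumerate(events):
        toks = command_tokens(ev["cmdline"])
        if not toks:
            continue
        exe, args = ntpath.basename(toks[0]).lower(), toks[1:]
        lowered = [a.lower() for a in args]
        ctx = ev.get("parent", "").lower() in WEB_WORKER

        # Stage 1: collection, i.e. archiving content out of the IIS web root.
        if exe in ("rar.exe", "winrar.exe") and lowered[:1] == ["a"]:
            if any(WEB_ROOT.lower() in a for a in lowered[1:]):
                findings.append({"event": i, "stage": "collection", "web_shell": ctx,
                                 "detail": "archiving files from the IIS web root"})
        # Stage 2: certutil -encode of anything that is not a certificate is staging.
        elif exe in ("certutil.exe", "certutil") and "-encode" in lowered:
            pos = lowered.index("-encode")
            if len(args) > pos + 2:
                src, dst = args[pos + 1], args[pos + 2]
                ext = ntpath.splitext(src)[1].lower()
                if ext not in CERT_EXT:
                    encoded[(ev["host"], dst.lower())] = i
                    findings.append({"event": i, "stage": "staging", "web_shell": ctx,
                                     "detail": "certutil -encode of " + src
                                               + (" (archive)" if ext in ARCHIVE_EXT else "")})
        # Stage 3: printing a staged Base64 file is the read-back through the shell.
        elif exe == "type" and args:
            key = (ev["host"], args[0].lower())
            if key in encoded:
                findings.append({"event": i, "stage": "exfiltration", "web_shell": ctx,
                                 "detail": f"type of Base64 file staged at event {encoded[key]}"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The certutil -encode of a .cer file on pki01 (the legitimate use) and the unrelated type on fs01 produce no finding; the three web01 events are reported as collection, staging and exfiltration, each tagged as running under the web worker. In practice the correlation between the encode and type stages should be bounded by a time window and the event list fed from an EDR or SIEM export.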
Credential Theft Tools
- Mimikatz – dumps passwords from memory.
- LsaRecorder – hooks the LsaApLogonUserEx2 authentication‑package routine to capture plaintext credentials at logon (https://github.com/Nested101/RedKitsCyber-Security-Reseraching-and-RedTeam-Kits-Code/tree/master/passwd/LsaRecorder).
- PrintSpoofer – local privilege‑escalation tool that abuses the Print Spooler service to go from a service account holding SeImpersonatePrivilege to SYSTEM (https://github.com/itm4n/PrintSpoofer).
- ScanPortPlus – custom Go‑based port scanner.
- FRP – reverse proxy used to keep a persistent tunnel into the compromised network.
The adversary also abuses legitimate, signed Python interpreters (python.exe, pythonw.exe) for DLL side‑loading: a malicious DLL placed alongside the interpreter is loaded and executed by a trusted process, which helps it evade application allow‑listing and casual inspection.
Additional Observations
- SuperDump, a custom .NET reconnaissance tool, has been used since 2020.
- Recent intrusions rely on batch scripts to collect host information and map the local environment.

Other Tools Observed
- LsaRecorder's LSA_AP_LOGON_USER_EX2 hook – records the password entered at Winlogon.
- DumpItForLinux and the Volatility Framework – acquire memory and extract password hashes from it.
- SQL Server Management Studio password export tool – extracts the contents of SqlStudio.bin, which stores saved SSMS connection information.
“Using primarily open‑source tools, community‑shared malware and batch scripts, the group has successfully maintained stealthy operations while infiltrating critical organizations,” Unit 42 concluded.
“This cluster of activity demonstrates versatility by operating across both Windows and Linux environments, using different versions of their tool set for each operating system. While the focus on credential theft and sensitive data exfiltration from critical infrastructure and government sectors strongly suggests an espionage motive, we cannot yet fully rule out cyber‑criminal intentions.”