Crimson Palace Campaign: Spotlight on Chinese Cyber Covert Actions

Tags: Crimson Palace, State Sponsored, DLL Sideloading, Southeast Asia, Chinese Cyber Ops
A Chinese state-sponsored cyber-espionage campaign, tracked as Operation Crimson Palace, targeted a Southeast Asian government. The investigation uncovered several clusters of intrusion activity dating back to early 2022 and found the actors deploying new malware variants, delivered largely through DLL side-loading, for espionage.

Indicators of Compromise

cloud.gti.mc
scancenter.trendrealtime.com
msudapis.info
www.googlespeedtest33.com
gsenergyspeedtest.com
associate.feedfoodconcerning.info
gandeste.net
associate.freeonlinelearning.com
hpupdate.net
networkdevice.sc
www.hpupdate.net
dnsspeedtest2022.com
www.msudapis.info
cloud.keepasses.com
test1.zhangliyong.cn
dmsz.org
cancelle.net
associate.freeonlinelearningtech.com
message.ooguy.com

APT Groups

Temper Panda (China)

Summary of Actor: Temper Panda is a sophisticated cyber-espionage group believed to operate out of China. It targets a range of sectors to steal valuable data, and its activity aligns with the strategic interests of the Chinese government. The group uses advanced techniques to gain access to target networks and to remain persistent within them.

General Features: Temper Panda is characterised by stealthy operations and advanced persistence techniques. It relies on custom malware and spear-phishing campaigns for initial access, and its operations are highly targeted, usually aimed at acquiring sensitive information.

Related Other Groups: APT1, APT41, Winnti Group

Indicators of Attack (IoA):
- Spear-phishing emails carrying malicious attachments or links
- Deployment of custom malware such as PlugX and Poison Ivy
- Frequent beaconing to command-and-control (C2) servers
- Lateral movement with standard tooling such as PsExec, and credential theft with Mimikatz

Recent Activities and Trends:
- Latest Campaigns: Temper Panda recently ran a campaign against the healthcare sector using custom malware designed to exfiltrate patient data, and has been implicated in attacks on financial institutions aimed at stealing proprietary financial models.
- Emerging Trends: the group has shown growing interest in exploiting zero-day vulnerabilities and in developing new malware strains tailored to attacks on cloud infrastructure.

Aliases: Temper Panda, admin@338, Team338, Magnesium

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

Remediation Strategies for Operation Crimson Palace

Operation Crimson Palace is a sustained cyber-espionage operation built around DLL side-loading: malicious libraries loaded by legitimately signed executables. The measures below address both the development-side weakness that makes side-loading possible and the endpoint telemetry needed to catch it in use.

Enhancing Secure Coding Practices

Developers should include hash values for the libraries their application loads in its manifest, so that a DLL planted or substituted in the application directory fails verification instead of being loaded by the signed host executable. Enforce this through revised development guidelines, targeted training sessions, and automated checks in the build pipeline. A manifest hash only helps if the loader actually verifies it, so it should be paired with loading libraries by fully qualified path rather than relying on the default search order.
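The build-time check described above, as an added example (not code from the original page or from any vendor): a Python script that records a SHA-256 digest for every module an application ships in a JSON manifest and then verifies the install directory against it, reporting modified, missing and unexpected modules. The manifest format, the file name modules.manifest.json and the placeholder module contents are assumptions made for the example; this is a generic integrity check, not the Windows side-by-side manifest mechanism.

```python
import hashlib
import json
import os
import tempfile

HASH_ALG = "sha256"
MANIFEST_NAME = "modules.manifest.json"  # hypothetical file name, not a Windows SxS manifest


def file_digest(path, alg=HASH_ALG):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(alg)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(app_dir, extensions=(".dll", ".exe")):
    """Record a digest for every loadable module shipped under app_dir.

    Paths are stored relative to app_dir with forward slashes so the manifest
    is stable across build machines.
    """
    entries = {}
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, app_dir).replace(os.sep, "/")
                entries[rel] = file_digest(full)
    return {"hashalg": HASH_ALG, "files": entries}


def write_manifest(app_dir, manifest):
    with open(os.path.join(app_dir, MANIFEST_NAME), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(app_dir):
    with open(os.path.join(app_dir, MANIFEST_NAME)) as fh:
        return json.load(fh)


def verify_modules(app_dir, manifest):
    """Compare the modules on disk with the manifest.

    Returns a sorted list of (status, relative_path) tuples where status is
    'modified' (digest mismatch), 'missing' (shipped module gone) or
    'unexpected' (a module on disk that the manifest never listed: the classic
    side-loading drop of a rogue DLL beside a signed executable).
    """
    expected = manifest["files"]
    observed = build_manifest(app_dir)["files"]
    findings = []
    for rel, digest in expected.items():
        if rel not in observed:
            findings.append(("missing", rel))
        elif observed[rel] != digest:
            findings.append(("modified", rel))
    for rel in observed:
        if rel not in expected:
            findings.append(("unexpected", rel))
    return sorted(findings)


def demo():
    """Constructed scenario: the module contents are placeholder bytes, not real binaries."""
    with tempfile.TemporaryDirectory() as app_dir:
        with open(os.path.join(app_dir, "app.exe"), "wb") as fh:
            fh.write(b"MZ placeholder for the signed vendor executable")
        with open(os.path.join(app_dir, "helper.dll"), "wb") as fh:
            fh.write(b"MZ placeholder for the vendor's legitimate helper library")

        # Build time: record exactly what the vendor shipped.
        write_manifest(app_dir, build_manifest(app_dir))
        manifest = load_manifest(app_dir)
        clean = verify_modules(app_dir, manifest)  # expected: []

        # Post-compromise: the shipped DLL is replaced, and a DLL that should
        # resolve from System32 is dropped next to the executable.
        with open(os.path.join(app_dir, "helper.dll"), "wb") as fh:
            fh.write(b"MZ placeholder for a trojanised helper library")
        with open(os.path.join(app_dir, "version.dll"), "wb") as fh:
            fh.write(b"MZ placeholder for a planted loader")
        tampered = verify_modules(app_dir, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean install:", before)
    print("after tampering:", after)
```

The "unexpected" finding is the one that matters most for side-loading: the attacker often does not modify the vendor's binaries at all, but drops a DLL carrying a system library's name beside a signed executable so that the loader's search order picks it up first. A manifest check that only hashes the files it lists will miss that unless, as here, it also rejects modules it never listed.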

Regular Software Patching

Establish a robust patch management process so that software stays current, using automated deployment tools where possible, and prioritise patches that fix DLL search-order and side-loading weaknesses in the applications you run. Note the limitation: in side-loading campaigns the attacker frequently brings their own copy of an old but validly signed executable, so patching the installed software does not by itself prevent the technique and must be combined with the monitoring below.

File Activity Monitoring

Deploy file integrity monitoring (FIM) to log new file creations and modifications, with particular attention to DLL or executable files written into user-writable directories (ProgramData, Public, Temp, user profiles) and to any new DLL that appears beside an existing executable. Configure alerts for such activity and review the logs regularly so suspicious drops are investigated promptly.

Module Load Monitoring

Monitor DLL loads into processes, for example with Sysmon event ID 7 (image loaded) or equivalent EDR telemetry. Alert when a signed executable loads an unsigned or unrecognised DLL from its own directory, or when a DLL bearing the name of a Windows system library is loaded from anywhere other than the Windows directory, and review these alerts regularly.

Process Creation Monitoring

Use endpoint detection and response (EDR) tooling, Sysmon event ID 1 or Windows security event 4688 with command-line auditing to log process creation. Alert on atypical behaviour such as executables launched from user-writable or temporary locations, unusual parent-child relationships, and legitimate signed binaries running from directories they were never installed to, and analyse these logs systematically so incidents are detected and contained early.
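Added detection example covering the three monitoring recommendations above (file activity, module load and process creation) together with the domain indicators listed earlier; this is illustrative code written for this page, not a vendor's rule set. It runs a few side-loading heuristics over constructed Sysmon-style events (process create, image load and DNS query). The event lines, file names, paths, and the lists of system DLL names and staging directories are assumptions made for the example; the IoC subset is taken from the Indicators of Compromise list above.

```python
import json
import ntpath

# Constructed Sysmon-style events as JSON lines, written for this example; not
# telemetry from the campaign. EventID 1 = process create, 7 = image load,
# 22 = DNS query. All paths and file names are hypothetical.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\ProgramData\\Updater\\updater.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "updater.exe -s", "SignatureStatus": "Valid", "Signature": "Example Vendor Ltd"}
{"EventID": 7, "Image": "C:\\ProgramData\\Updater\\updater.exe", "ImageLoaded": "C:\\ProgramData\\Updater\\version.dll", "SignatureStatus": "Unavailable", "Signature": "-"}
{"EventID": 7, "Image": "C:\\ProgramData\\Updater\\updater.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"}
{"EventID": 22, "Image": "C:\\ProgramData\\Updater\\updater.exe", "QueryName": "www.hpupdate.net"}
{"EventID": 1, "Image": "C:\\Program Files\\Example Vendor\\app.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "app.exe", "SignatureStatus": "Valid", "Signature": "Example Vendor Ltd"}
{"EventID": 7, "Image": "C:\\Program Files\\Example Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Example Vendor\\helper.dll", "SignatureStatus": "Valid", "Signature": "Example Vendor Ltd"}
{"EventID": 22, "Image": "C:\\Program Files\\Example Vendor\\app.exe", "QueryName": "www.example.com"}
'''

# Windows DLLs that a process should resolve from the system directory; a file
# with one of these names loaded from anywhere else is the side-loading pattern.
SYSTEM_DLL_NAMES = {"version.dll", "wtsapi32.dll", "dbghelp.dll", "userenv.dll", "cryptbase.dll", "profapi.dll"}
TRUSTED_INSTALL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")
# Subset of the campaign's published domain indicators (from the IoC list above).
IOC_DOMAINS = {"hpupdate.net", "msudapis.info", "dnsspeedtest2022.com", "cloud.keepasses.com", "gandeste.net"}


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def in_writable_staging_dir(path):
    p = path.lower()
    return any(marker in p for marker in WRITABLE_STAGING_DIRS)


def check_process_create(ev):
    """Process creation: flag binaries executing out of user-writable drop locations."""
    if in_writable_staging_dir(ev["Image"]):
        return ["process image resides in a user-writable staging directory"]
    return []


def check_image_load(ev):
    """Module load: flag the two classic side-loading shapes."""
    reasons = []
    host, dll = ev["Image"], ev["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return reasons
    dll_dir = ntpath.dirname(dll).lower()
    host_dir = ntpath.dirname(host).lower()
    name = ntpath.basename(dll).lower()
    # A system library name resolved from outside the Windows directory.
    if name in SYSTEM_DLL_NAMES and not dll_dir.startswith("c:\\windows\\"):
        reasons.append(f"system DLL name {name} loaded from outside the Windows directory")
    # An unsigned DLL picked up from the executable's own (non-install) directory.
    if dll_dir == host_dir and ev.get("SignatureStatus") != "Valid" \
            and not host.lower().startswith(TRUSTED_INSTALL_DIRS):
        reasons.append("unsigned DLL loaded from the executable's own directory outside a trusted install path")
    return reasons


def matches_ioc(query):
    """Exact or subdomain match against the indicator list (www.hpupdate.net matches hpupdate.net)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def check_dns_query(ev):
    if matches_ioc(ev["QueryName"]):
        return [f"DNS query for campaign indicator {ev['QueryName']}"]
    return []


CHECKS = {1: check_process_create, 7: check_image_load, 22: check_dns_query}


def scan(events):
    """Run every applicable check and return one alert dict per reason found."""
    alerts = []
    for ev in events:
        for reason in CHECKS.get(ev["EventID"], lambda e: [])(ev):
            alerts.append({"event_id": ev["EventID"], "image": ev["Image"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan(parse_events(SAMPLE_EVENTS)):
        print(f"[EID {alert['event_id']}] {alert['image']}: {alert['reason']}")
```

On the constructed input the legitimate application under Program Files produces no alerts, while the staged updater triggers four: its launch from ProgramData, two reasons for the version.dll load (a system library name outside the Windows directory, and an unsigned DLL from the executable's own directory), and the DNS query to an indicator domain. In production the same heuristics should be fed from the FIM, Sysmon and EDR sources named above and tuned with an allowlist of applications that legitimately ship a private copy of one of these DLLs.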

Adopted together, these measures materially reduce exposure to advanced intrusions such as Operation Crimson Palace: the development-side controls remove the easy side-loading path, and the monitoring controls surface the activity when an attacker relies on it anyway.

