Chinese threat actor CL-UNK-1068 conducts years-long cyber espionage campaign against aviation, energy, and government sectors in Asia using web server exploits, custom malware, and credential theft tools.
A Chinese threat actor has been conducting a years-long cyber espionage campaign targeting high-value organizations across South, Southeast, and East Asia, according to new research from Palo Alto Networks Unit 42.

The campaign, attributed to a previously undocumented group dubbed CL-UNK-1068 (where "CL" refers to "cluster" and "UNK" stands for unknown motivation), has specifically targeted aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors. Unit 42 assesses with "moderate-to-high confidence" that the primary objective is cyber espionage.
Sophisticated Attack Methodology
The attackers employ a multi-faceted toolset that includes custom malware, modified open-source utilities, and living-off-the-land binaries (LOLBINs) to maintain persistent access within targeted environments. Their operations target both Windows and Linux systems using a mix of open-source utilities and malware families including Godzilla, ANTSWORD, Xnote, and Fast Reverse Proxy (FRP).
Typical attack chains begin with web server exploitation to deliver web shells, followed by lateral movement to other hosts. On Windows web servers, the threat actors specifically collect "web.config" files and files with the extensions ".aspx," ".asmx," ".asax," and ".dll" from the "c:\inetpub\wwwroot" directory, likely attempting to steal credentials (such as connection strings) or discover vulnerabilities in the deployed applications.
Innovative Data Exfiltration Techniques
In a notable tactic, CL-UNK-1068 has been observed using WinRAR to archive relevant files, then Base64-encoding the archives using the certutil -encode command. They subsequently use the type command to print the Base64 content to their screen through the web shell.
"By encoding the archives as text and printing them to their screen, the attackers were able to exfiltrate data without actually uploading any files," Unit 42 explained. "The attackers likely chose this method because the shell on the host allowed them to run commands and view output, but not to directly transfer files."
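From the defender's side, this chain leaves a recognisable trace in process-creation telemetry. The following is an added example (not Unit 42's or the report's code) that correlates a certutil -encode command with a later type of the encoded output on the same host; the event fields, the list of web-server worker processes and the sample events are constructed assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
# Host web01 mirrors the chain in the report: archive -> certutil -encode -> type.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "web01", "parent": "w3wp.exe",
     "cmd": r'cmd.exe /c "C:\Program Files\WinRAR\Rar.exe" a C:\Windows\Temp\d.rar C:\inetpub\wwwroot\web.config'},
    {"ts": 2, "host": "web01", "parent": "w3wp.exe",
     "cmd": r"cmd.exe /c certutil -encode C:\Windows\Temp\d.rar C:\Windows\Temp\d.txt"},
    {"ts": 3, "host": "web01", "parent": "w3wp.exe",
     "cmd": r"cmd.exe /c type C:\Windows\Temp\d.txt"},
    # Benign admin use of certutil -encode on a certificate: no 'type' follow-up.
    {"ts": 4, "host": "admin02", "parent": "explorer.exe",
     "cmd": r"cmd.exe /c certutil -encode C:\certs\pub.cer C:\certs\pub.b64"},
]

# Parent processes that suggest the command was issued through a web shell (assumed list).
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "java.exe"}

ENCODE_RE = re.compile(r'certutil(?:\.exe)?\s+(?:-f\s+)?-encode\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)', re.I)
TYPE_RE = re.compile(r'\btype\s+("[^"]+"|\S+)', re.I)

def _norm(path):
    """Strip quotes and lower-case so the encode output and the typed path compare equal."""
    return path.strip('"').lower()

def detect_encoded_exfil(events, window=600):
    """Flag 'certutil -encode X Y' followed by 'type Y' on the same host within window seconds."""
    pending = {}   # (host, encoded output path) -> the certutil event that produced it
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        m = ENCODE_RE.search(ev["cmd"])
        if m:
            pending[(ev["host"], _norm(m.group(2)))] = ev
            continue
        m = TYPE_RE.search(ev["cmd"])
        if not m:
            continue
        key = (ev["host"], _norm(m.group(1)))
        enc = pending.get(key)
        if enc and ev["ts"] - enc["ts"] <= window:
            # Either step launched by a web-server worker raises the severity.
            via_web = {enc["parent"].lower(), ev["parent"].lower()} & WEB_WORKERS
            findings.append({"host": ev["host"], "file": key[1],
                             "encode_ts": enc["ts"], "type_ts": ev["ts"],
                             "severity": "high" if via_web else "medium"})
            del pending[key]
    return findings

if __name__ == "__main__":
    for finding in detect_encoded_exfil(SAMPLE_EVENTS):
        print(finding)
```

The benign certificate export on admin02 is not flagged because no type of the encoded file follows it, which is the distinction that separates routine certutil use from this exfiltration pattern.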
Credential Theft and Persistence
The campaign heavily focuses on credential theft using tools like Mimikatz to dump passwords from memory, LsaRecorder to hook LsaApLogonUserEx2 and record WinLogon passwords, and DumpItForLinux along with the Volatility Framework to extract password hashes from memory.
Other tools in their arsenal include:
- SQL Server Management Studio Password Export Tool for extracting connection information from "sqlstudio.bin"
- Legitimate Python executables ("python.exe" and "pythonw.exe") for DLL side-loading attacks
- Custom Go-based scanner named ScanPortPlus
- PrintSpoofer for privilege escalation
- Fast Reverse Proxy (FRP) for persistent access
Evolution of Tactics
CL-UNK-1068 has demonstrated tactical evolution over time. The group previously used a custom .NET tool called SuperDump for reconnaissance as far back as 2020. More recent intrusions have transitioned to using batch scripts to collect host information and map the local environment.
The threat actor's versatility is evident in their ability to operate across both Windows and Linux environments, using different versions of their toolset for each operating system. While the focus on credential theft and sensitive data exfiltration from critical infrastructure and government sectors strongly suggests an espionage motive, Unit 42 notes that cybercriminal intentions cannot be fully ruled out.
This campaign highlights the persistent threat posed by Chinese APT groups targeting Asian critical infrastructure and the sophisticated techniques employed to maintain long-term access and steal sensitive information.
