a state-sponsored threat actor, identified as Velvet Ant, with suspected ties to China.

Continue reading
In late 2023, a significant cyber attack targeted a large organization, unveiling the sophisticated tactics and methods of a state-sponsored threat actor, identified as Velvet Ant, with suspected ties to China. The forensic investigation led by Sygnia uncovered a three-year-long infiltration, showcasing advanced persistence mechanisms, operational security, and strategic adaptability.
Velvet Ant demonstrated exceptional operational capabilities, maintaining a prolonged presence within the victim’s network. Utilizing a legacy F5 BIG-IP appliance as a Command and Control (C&C) server, the threat actor established multiple footholds. Even when one foothold was discovered and remediated, Velvet Ant quickly pivoted to another, exemplifying a high degree of agility and a deep understanding of the target’s environment.
A critical aspect of Velvet Ant’s strategy involved leveraging outdated systems such as Windows Server 2003, which lacked comprehensive logging and modern Endpoint Detection and Response (EDR) solutions. By deploying the PlugX malware, a well-known remote access Trojan with a modular plugin system, the threat actor ensured continued access and control over critical systems. The malware's deployment involved sophisticated techniques like DLL search order hijacking and DLL side loading, which enabled the concealment of malicious activities within legitimate processes.
The compromised F5 BIG-IP appliances played a pivotal role in Velvet Ant's strategy. These devices, typically trusted components of network infrastructure, provided a clandestine channel for maintaining persistence and facilitating lateral movement. The appliances were running outdated software, exploited through unpatched vulnerabilities, allowing Velvet Ant to establish reverse SSH tunnels to their C&C servers.
Sygnia’s investigation employed advanced forensic techniques, including memory dumps of infected processes and network traffic analysis, to trace the activities and persistence mechanisms used by Velvet Ant. Notably, memory dumps revealed credential harvesting and network scanning commands, highlighting the threat actor’s focus on reconnaissance and exploitation of network weaknesses.
Velvet Ant utilized Impacket’s wmiexec.py for lateral movement, transferring tools and executing remote commands. Their operational security was evident when attempts to tamper with EDR products on newer systems were unsuccessful, leading them to avoid deploying PlugX on those endpoints. This high level of operational discipline underscores the threat actor's proficiency and caution in maintaining covert operations.
The investigation uncovered two versions of PlugX used by Velvet Ant: one with an external C&C server for direct internet-connected systems, and another with an internal C&C server for legacy systems. This dual approach allowed the threat actor to blend malicious traffic with legitimate network traffic, evading detection and maintaining control over compromised systems.
To mitigate the risks posed by sophisticated state-sponsored actors like Velvet Ant, organizations must adopt comprehensive defense strategies:
The Velvet Ant cyber attack underscores the critical importance of proactive and layered cybersecurity defenses. By leveraging a combination of outdated systems, sophisticated malware, and trusted network devices, Velvet Ant exemplified the persistent and adaptive nature of state-sponsored cyber threats. Organizations must remain vigilant, continuously enhancing their security postures to detect, deter, and respond to such advanced threats effectively.

Backdoor.Daxin, the kernel-mode rootkit Symantec once called the most advanced tool ever tied to a China-linked espionage actor, has been found running again