Microsoft linked the Chinese APT Flax Typhoon (aka Ethereal Panda) to a cyber espionage campaign that targeted dozens of organizations in Taiwan.
The researchers observed Flax Typhoon gaining and maintaining long-term access to Taiwanese organizations’ networks with minimal use of malware. The group relies on tools built into the operating system, along with some legitimate software. Microsoft has not observed
The group has been active since mid-2021, it focuses on government agencies and education, critical manufacturing, and information technology organizations in Taiwan.
Flax Typhoon was observed using the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther virtual private network (VPN) client. The group primarily relies on and hands-on-keyboard activity.
The APT’s attack chain commences by exploiting known vulnerabilities in public-facing servers and deploying web shells like China Chopper. Upon gaining initial access to the target networks, Flax Typhoon uses command-line tools to first establish persistent access over the remote desktop protocol, then establish a VPN connection to C2 infrastructure, and finally collect credentials from compromised systems. The state sponsored hackers also uses the VPN access to scan for vulnerabilities in targeted organizations.
A smaller number of victims have also been detected in Southeast Asia, North America, and Africa. The group is suspected to have been active since mid-2021.
“To deploy the VPN connection, Flax Typhoon an executable file for from their network infrastructure. The actor downloads the tool using one of several LOLBins, such as the PowerShell utility, , or . Flax Typhoon then uses the to that launches the VPN connection automatically when the system starts.” continues the report. “This could allow the actor to monitor the availability of the compromised system and establish an RDP connection.”
Threat actors were spotted modifying the Sticky Keys behavior to launch Task Manager and to carry out post-exploitation activities.
Microsoft also provided instructions on how to investigate suspected compromised accounts or affected systems.
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, cyberespionage)