China-linked Flax Typhoon APT targets Taiwan

Pierluigi Paganini August 25, 2023

China-linked APT group Flax Typhoon targeted dozens of organizations in Taiwan as part of a suspected espionage campaign.

Microsoft linked the Chinese APT Flax Typhoon (aka Ethereal Panda) to a cyber espionage campaign that targeted dozens of organizations in Taiwan.

The researchers observed Flax Typhoon gaining and maintaining long-term access to Taiwanese organizations’ networks with minimal use of malware. The group relies on tools built into the operating system, along with some legitimate software. Microsoft has not observed

The group has been active since mid-2021, it focuses on government agencies and education, critical manufacturing, and information technology organizations in Taiwan. 

Flax Typhoon was observed using the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther virtual private network (VPN) client. The group primarily relies on  and hands-on-keyboard activity.

The APT’s attack chain commences by exploiting known vulnerabilities in public-facing servers and deploying web shells like China Chopper. Upon gaining initial access to the target networks, Flax Typhoon uses command-line tools to first establish persistent access over the remote desktop protocol, then establish a VPN connection to C2 infrastructure, and finally collect credentials from compromised systems. The state sponsored hackers also uses the VPN access to scan for vulnerabilities in targeted organizations.

A smaller number of victims have also been detected in Southeast Asia, North America, and Africa. The group is suspected to have been active since mid-2021.

“To deploy the VPN connection, Flax Typhoon  an executable file for  from their network infrastructure. The actor downloads the tool using one of several LOLBins, such as the PowerShell  utility, , or . Flax Typhoon then uses the  to  that launches the VPN connection automatically when the system starts.” continues the report. “This could allow the actor to monitor the availability of the compromised system and establish an RDP connection.”

Threat actors were spotted modifying the Sticky Keys behavior to launch Task Manager and to carry out post-exploitation activities.

Microsoft also provided instructions on how to investigate suspected compromised accounts or affected systems.

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – hacking, cyberespionage)



you might also like

leave a comment