CL-UNK-1068 Threat Actor & Its Operations Across High-Value Sectors


The CL-UNK-1068 campaign is a long-running cyber intrusion activity cluster identified by Palo Alto Networks Unit 42 targeting high-value organizations across South, Southeast, and East Asia since at least 2020. Researchers assess with high confidence that the threat actor is linked to Chinese-speaking operators, based on linguistic artifacts in malware, the origin of tools used, and consistent targeting patterns. The attackers rely heavily on web shells, open-source utilities, custom malware, and living-off-the-land binaries (LOLBins) to infiltrate networks, maintain persistence, steal credentials, and exfiltrate sensitive data while avoiding detection.

Severity: High

Targeting Profile

  • Geographic Focus: South, Southeast, and East Asia.
  • Critical Sectors: Aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications.
  • Primary Objective: Cyberespionage, though cybercriminal motivation cannot be entirely ruled out.

Attack Details

1. Initial Access & Persistence

  • Web Shells: Deploys GodZilla and AntSword variants (written in English and Simplified Chinese) to gain footholds and move laterally to SQL servers.
  • DLL Side-Loading: Uses legitimate Python executables (python.exe or pythonw.exe) to side-load malicious loaders (e.g., python20.dll) that execute shellcode in memory.
  • Persistence: Employs Fast Reverse Proxy (FRP) to bypass firewalls. Unique identifiers include the authentication token frpforzhangwei and a common password f*ckroot123.

2. Reconnaissance & Lateral Movement

  • Custom Tooling: Historically used SuperDump (a .NET tool) for host information gathering; more recently transitioned to batch scripts (hp.bat, hpp.bat) for the same purpose.
  • Network Scanning: Uses ScanPortPlus, a custom Go-based multi-platform scanner for IP, port, and vulnerability scanning.

3. Credential Theft & Data Exfiltration

  • Credential Tools: Utilizes Mimikatz, LsaRecorder (to hook logon functions), and DumpIt/Volatility for memory forensics and password hash extraction.
  • Application-Specific Theft: Uses the SQL Server Management Studio Password Export Tool to extract saved credentials from sqlstudio.bin.
  • Stealthy Exfiltration: Instead of transferring files directly, the group archives them with WinRAR, Base64-encodes the archive with certutil, and prints the encoded text with the type command so it can be copied out through the web shell.

4. Linux Capabilities

  • Backdoor: Deploys Xnote, a Linux backdoor with capabilities for DDoS attacks (SYN, UDP, NTP floods), reverse shells, and file system interaction.

Recommendations

  1. Regularly patch web servers and application frameworks. Disable unnecessary services and ports on web servers.
  2. Monitor for unusual processes spawned from w3wp.exe, nginx, or apache.
  3. Watch for specific batch script naming conventions such as hp.bat, hpp.bat, or a.bat. These scripts often output host telemetry to .txt files which are then archived using rar.exe.
  4. Regularly audit web server directories (e.g., c:\inetpub\wwwroot) for unauthorized .aspx, .asmx, or .config files.
  5. Disable or monitor the use of certutil.exe for non-administrative tasks, as the group uses it to Base64-encode and exfiltrate stolen archives.
  6. Implement application control policies to restrict the execution of unauthorized or legacy binaries in sensitive directories like C:\temp\ or C:\Users\Public.
  7. Block the IOCs at their respective security controls. The indicator collection is published at:
     https://www.virustotal.com/gui/collection/d4c24e5ca7c09ef27b5ef470fa689952391eb064da95f91f520f08bb23c4f91a/iocs
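The exfiltration chain described under "Credential Theft & Data Exfiltration" (rar.exe, then certutil Base64 encoding, then type through the web shell) and Recommendations 2 through 6 above translate directly into host-based detection rules. The following script is an added example, not code from Unit 42 or from this advisory: it runs those rules over constructed Sysmon-style process-creation and image-load events and audits a constructed web-root listing against a deployed-file allowlist. The event field names, the sample paths, and the `signed` flag on image-load events are assumptions made for the example.

```python
"""Detection rules for CL-UNK-1068 tradecraft over constructed Sysmon-style events.
Added example; field names and sample data are assumptions, not report data."""
import os
import re

# Recommendation 2: web server worker processes that should not spawn shells/tools
WEB_SERVER_PARENTS = {"w3wp.exe", "nginx.exe", "httpd.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "rar.exe",
                       "python.exe", "pythonw.exe"}
# Recommendation 3: recon batch script names named in the advisory
RECON_SCRIPT_RE = re.compile(r"(?<![\w.])(hp|hpp|a)\.bat\b")
# Recommendation 6: staging directories the group is reported to use
STAGING_DIRS = ("c:\\temp\\", "c:\\users\\public\\")
# Recommendation 4: file types to audit in the web root
WEB_SHELL_EXTS = {".aspx", ".asmx", ".config"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return path.replace("/", "\\").lower().rsplit("\\", 1)[0] + "\\"


def check_event(ev: dict) -> list[str]:
    """Return the detection labels that fire for a single event."""
    hits = []
    if ev["type"] == "process_create":
        image, parent = _name(ev["image"]), _name(ev["parent"])
        cmd = ev["cmdline"].lower()
        if parent in WEB_SERVER_PARENTS and image in SUSPICIOUS_CHILDREN:
            hits.append("web-server-spawned-process")
        if image == "certutil.exe" and "-encode" in cmd:
            hits.append("certutil-base64-encode")   # Recommendation 5
        if image == "rar.exe":
            hits.append("rar-archiving")
        if RECON_SCRIPT_RE.search(cmd):
            hits.append("recon-batch-script")
        if _dir(ev["image"]).startswith(STAGING_DIRS):
            hits.append("binary-in-staging-dir")
    elif ev["type"] == "image_load":
        proc, dll = _name(ev["image"]), _name(ev["loaded"])
        # DLL side-loading: a Python interpreter pulling an unsigned python*.dll,
        # or one from a staging directory (official Python DLLs are signed)
        if (proc in {"python.exe", "pythonw.exe"} and dll.startswith("python")
                and dll.endswith(".dll")
                and (not ev.get("signed", False)
                     or _dir(ev["loaded"]).startswith(STAGING_DIRS))):
            hits.append("python-dll-sideload")
    return hits


def audit_webroot(root: str, listing: list[str], deployed: set[str]) -> list[str]:
    """Return web-shell-capable files under root that are not in the deployed allowlist."""
    root = root.lower().rstrip("\\") + "\\"
    unauthorized = []
    for path in listing:
        p = path.lower()
        rel = p[len(root):] if p.startswith(root) else p
        if os.path.splitext(rel)[1] in WEB_SHELL_EXTS and rel not in deployed:
            unauthorized.append(rel)
    return unauthorized


# Constructed sample telemetry (hypothetical; not indicators from the report)
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "parent": "c:\\windows\\system32\\inetsrv\\w3wp.exe",
     "image": "c:\\windows\\system32\\cmd.exe",
     "cmdline": "cmd.exe /c hp.bat > c:\\users\\public\\hp.txt"},
    {"id": 2, "type": "process_create", "parent": "c:\\windows\\system32\\cmd.exe",
     "image": "c:\\users\\public\\rar.exe",
     "cmdline": "rar.exe a c:\\users\\public\\out.rar c:\\users\\public\\hp.txt"},
    {"id": 3, "type": "process_create", "parent": "c:\\windows\\system32\\cmd.exe",
     "image": "c:\\windows\\system32\\certutil.exe",
     "cmdline": "certutil -encode c:\\users\\public\\out.rar c:\\users\\public\\out.txt"},
    {"id": 4, "type": "image_load", "image": "c:\\users\\public\\python.exe",
     "loaded": "c:\\users\\public\\python20.dll", "signed": False},
    {"id": 5, "type": "process_create", "parent": "c:\\windows\\explorer.exe",
     "image": "c:\\windows\\system32\\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 6, "type": "image_load", "image": "c:\\python312\\python.exe",
     "loaded": "c:\\python312\\python312.dll", "signed": True},
]
SAMPLE_LISTING = ["c:\\inetpub\\wwwroot\\default.aspx", "c:\\inetpub\\wwwroot\\web.config",
                  "c:\\inetpub\\wwwroot\\images\\logo.png",
                  "c:\\inetpub\\wwwroot\\uploads\\error.aspx"]


def run_demo() -> dict[int, list[str]]:
    """Apply check_event to every sample event, keyed by event id."""
    return {ev["id"]: check_event(ev) for ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for eid, hits in run_demo().items():
        print(eid, hits or "clean")
    print("unauthorized web files:",
          audit_webroot("c:\\inetpub\\wwwroot", SAMPLE_LISTING, {"default.aspx", "web.config"}))
```

Events 1 to 4 reproduce the advisory's chain end to end (web server spawning cmd.exe running hp.bat, rar.exe from C:\Users\Public, certutil -encode, python.exe side-loading python20.dll), while events 5 and 6 are benign controls showing that a normal notepad launch and a signed python312.dll load stay clean. In production these rules would sit on Sysmon Event ID 1 and 7 data or EDR equivalents; the allowlist for the web-root audit should be generated from the deployment pipeline rather than maintained by hand.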

Source:

  • https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/

Ampcus Cyber