A suspected China-based cyber espionage actor has been attributed with a prolonged campaign, lasting approximately three years, against an unnamed organization based in East Asia. The adversary allegedly established persistence on legacy F5 BIG-IP appliances, using them as a command-and-control system to evade defences. Cybersecurity company Sygnia, which responded to the intrusion in late 2023, has since been tracking the activity under the name Velvet Ant.
Based on its observations, Sygnia characterizes Velvet Ant as capable of pivoting and adapting its tactics to counter repeated eradication attempts. In a blog post on June 17, Sygnia researchers explained that F5 BIG-IP load balancer appliances are often placed at the perimeter of a network or between its segments, and are often trusted.
To gain access to sensitive data, Velvet Ant was seen using a range of tools and techniques, including the PlugX remote access trojan (RAT), which serves as a dormant persistence mechanism that can be deployed on unmonitored systems. The threat actor is believed to have used DLL search order hijacking, DLL sideloading, and phantom DLL loading to install PlugX, and also tampered with the installed security software. The group showed a high level of operational security (OPSEC) awareness by refraining from installing the malware on a workstation that had been configured to disable security software.
Furthermore, Velvet Ant used the open-source Impacket toolkit for remote code execution and lateral tool transfer on compromised machines, and created firewall rules to allow access to its command-and-control (C&C) server. After Sygnia believed the threat actor had been eliminated from the victim's network, it was observed infecting new machines with PlugX samples that had been reconfigured to use an internal server as their C&C server, channelling the malware's external communication through that internal server.
Researchers said attackers can gain considerable control over network traffic if they manage to compromise a device of this kind without raising suspicion.
The researchers said Velvet Ant used tools and techniques traditionally associated with Chinese state-sponsored threat actors. The attacks shared several characteristics: a clear understanding of the target, a focus on network devices, exploitation of vulnerabilities, and a toolkit that included rootkits, PlugX, and the ShadowPad malware family.
They also included DLL side-loading. Researchers suggest that Velvet Ant's resourcefulness and evasiveness allow it to reach sensitive data. Once discovered and remediated, the threat actor quickly pivoted from one foothold to another, demonstrating agility and adaptability in evading detection as soon as an existing foothold was eliminated. The threat actor also demonstrated a detailed understanding of the victim's network infrastructure, exploiting multiple entry points across it and showing comprehensive knowledge of the target.
During the investigation, Sygnia uncovered a modified version of PlugX that blended malicious traffic with legitimate network activity to avoid detection. Alongside this variant, a second variant with an external command-and-control server for exfiltration was deployed; it targeted only endpoints with direct internet access. This second variant relied on vulnerabilities in outdated F5 BIG-IP devices and used a reverse SSH tunnel to maintain communication with an external server despite the lack of direct web connectivity.
Forensic examination of the compromised F5 devices revealed a variety of tools, including PMCD, which communicated periodically with the threat actor's command-and-control server; network packet capture tools; and a SOCKS tunnelling tool called EarthWorm, which has previously been associated with espionage groups such as Gelsemium and Lucky Mouse. It remains unclear how the attacker initially gained access to the restricted system, whether through spear-phishing or by exploiting security vulnerabilities in internet-exposed devices.
This incident follows several other China-linked espionage operations, such as Unfading Sea Haze, Operation Diplomatic Specter, and Operation Crimson Palace, all of which focused on sensitive intelligence across Asia, and so comes as no surprise. The compromised F5 BIG-IP appliances, which the victim organization used for firewall, web application firewall (WAF), load balancing, and local traffic management services, were directly exposed to the internet and were likely compromised through the exploitation of known vulnerabilities. On one of the compromised F5 appliances, the threat actor deployed several tools, including VelvetSting (for receiving commands from the command-and-control server), VelvetTap (to capture network packets), Samrid (the open-source SOCKS proxy tunneller EarthWorm), and Esrde (with capabilities similar to VelvetSting).
Given the targeted organization, the deployment of ShadowPad and PlugX malware, and the use of DLL sideloading techniques, Sygnia assesses that Velvet Ant is a state-sponsored threat actor operating out of China.