China-linked Flax Typhoon APT targets Taiwan

China-linked APT group Flax Typhoon targeted dozens of organizations in Taiwan as part of a suspected espionage campaign.

Microsoft linked the Chinese APT Flax Typhoon (aka Ethereal Panda) to a cyber espionage campaign that targeted dozens of organizations in Taiwan.

The researchers observed Flax Typhoon gaining and maintaining long-term access to Taiwanese organizations’ networks with minimal use of malware. The group relies on tools built into the operating system, along with some legitimate software. Microsoft has not observed

The group has been active since mid-2021, it focuses on government agencies and education, critical manufacturing, and information technology organizations in Taiwan. 

Flax Typhoon was observed using the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther virtual private network (VPN) client. The group primarily relies on living-off-the-land techniques and hands-on-keyboard activity.

The APT’s attack chain commences by exploiting known vulnerabilities in public-facing servers and deploying web shells like China Chopper. Upon gaining initial access to the target networks, Flax Typhoon uses command-line tools to first establish persistent access over the remote desktop protocol, then establish a VPN connection to C2 infrastructure, and finally collect credentials from compromised systems. The state sponsored hackers also uses the VPN access to scan for vulnerabilities in targeted organizations.

A smaller number of victims have also been detected in Southeast Asia, North America, and Africa. The group is suspected to have been active since mid-2021.

“To deploy the VPN connection, Flax Typhoon downloads an executable file for SoftEther VPN from their network infrastructure. The actor downloads the tool using one of several LOLBins, such as the PowerShell Invoke-WebRequest utility, certutil, or bitsadmin. Flax Typhoon then uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts.” continues the report. “This could allow the actor to monitor the availability of the compromised system and establish an RDP connection.”

Threat actors were spotted modifying the Sticky Keys behavior to launch Task Manager and to carry out post-exploitation activities.

Microsoft also provided instructions on how to investigate suspected compromised accounts or affected systems.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cyberespionage)