
Web Server Exploits and Mimikatz Target Asian Critical Infrastructure

  • Javier Conejo del Cerro
  • 3 hours ago
  • 4 min read

A long-running cyber campaign attributed to the China-linked activity cluster CL-UNK-1068 has targeted high-value organizations across South, Southeast, and East Asia, affecting sectors such as aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications. According to research from Palo Alto Networks Unit 42, the attackers rely on a flexible toolkit combining custom malware, modified open-source utilities, and living-off-the-land binaries (LOLBINs) to infiltrate web servers, maintain persistence, and steal sensitive information. While the cluster’s precise motivation remains officially unconfirmed, the scale of the campaign, the focus on critical infrastructure, and the emphasis on credential theft and sensitive data collection strongly indicate a cyber-espionage objective.


Phase 1 — Initial Access via Web Server Exploitation 


The attack chains typically begin with the exploitation of vulnerable web servers belonging to targeted organizations. Once the attackers obtain access to a server, they deploy web shells to establish a foothold and begin interacting directly with the compromised environment.

Two well-known web shells frequently used in these operations are:

  • Godzilla

  • ANTSWORD

Both tools let the operators run commands through the compromised web server and serve as the springboard for everything that follows. Because both are freely available and used by many China-based groups, their presence does little to distinguish this cluster from others, which complicates attribution and lets the activity hide among the many other intrusions that use the same shells.

After deploying the web shell, the attackers pivot internally, moving laterally across connected systems to expand their control inside the environment.


Phase 2 — Internal Reconnaissance and Credential Harvesting 


Once access is established, the attackers begin reconnaissance and data harvesting. Their focus is primarily on configuration files, database backups, and credentials that could allow deeper access into the network.

One of the key directories targeted during these attacks is:

c:\inetpub\wwwroot

This is the default web root of Microsoft IIS, so it holds the deployed application files together with their configuration, which makes it a rich source of secrets.

Files targeted by the attackers include:

  • web.config (application configuration, including connection strings and authentication settings)

  • .aspx pages

  • .asmx web services

  • .asax application event handlers

  • .dll assemblies (compiled application code)

These files may reveal:

  • application secrets

  • authentication mechanisms

  • connection strings

  • database credentials

  • misconfigurations that could enable privilege escalation

Beyond web server files, the attackers also collect:

  • browser history and bookmarks

  • XLSX and CSV files from desktop and user directories

  • MS-SQL database backup files (.bak)

These artifacts often contain sensitive business data or credentials that can be reused for further access.
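As an added example (not code from Unit 42 or the article), the following Python script performs the defender-side version of the Phase 2 search: it walks a web root, finds every web.config and reports connection strings that still carry a plaintext password, skipping sections that have been encrypted with aspnet_regiis (an encrypted section carries a configProtectionProvider attribute and EncryptedData instead of plain add entries). The two sample configs and the temporary directory layout are constructed here and are assumptions, not files from any real host.

```python
"""Audit an IIS web root for plaintext credentials in web.config files.

Added example, not code from Unit 42 or the article. Findings report the
connection-string name and the credential key, never the secret value.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Keys that mark a credential inside a connection string (case-insensitive).
SECRET_KEYS = re.compile(r"\b(password|pwd)\s*=\s*([^;]*)", re.IGNORECASE)


def find_web_configs(root):
    """Yield the path of every web.config below root, at any depth."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "web.config":
                yield os.path.join(dirpath, name)


def audit_web_config(path):
    """Return a list of findings for one web.config.

    Encrypted <connectionStrings> sections (aspnet_regiis -pe marks them with
    configProtectionProvider) produce no findings.
    """
    findings = []
    try:
        tree = ET.parse(path)
    except ET.ParseError as exc:
        return [{"path": path, "name": None, "key": None, "error": str(exc)}]
    for section in tree.getroot().iter("connectionStrings"):
        if section.get("configProtectionProvider"):
            continue
        for add in section.findall("add"):
            conn = add.get("connectionString", "")
            for match in SECRET_KEYS.finditer(conn):
                findings.append({"path": path,
                                 "name": add.get("name"),
                                 "key": match.group(1).lower()})
    return findings


def audit_tree(root):
    """Audit every web.config under root and return all findings."""
    results = []
    for cfg in find_web_configs(root):
        results.extend(audit_web_config(cfg))
    return results


# Constructed samples: one app with a plaintext password, one encrypted.
PLAINTEXT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db1;Database=app;User Id=svc_app;Password=Winter2024!" />
    <add name="Audit" connectionString="Server=db2;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>
"""

ENCRYPTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>AQAAANCMnd8BFdERjHoAwEsampleciphertext</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
"""


def build_sample_tree():
    """Write both sample configs into a throwaway wwwroot; return its path."""
    base = tempfile.mkdtemp(prefix="wwwroot_")
    os.makedirs(os.path.join(base, "app1"))
    os.makedirs(os.path.join(base, "app2"))
    with open(os.path.join(base, "app1", "web.config"), "w") as fh:
        fh.write(PLAINTEXT_CONFIG)
    with open(os.path.join(base, "app2", "Web.config"), "w") as fh:
        fh.write(ENCRYPTED_CONFIG)
    return base


if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree()):
        print(finding)
```

Run it against a real web root by calling audit_tree(r"C:\inetpub\wwwroot") instead of the sample tree; a non-empty result is exactly the material an attacker with a web shell would copy out, so every hit should be encrypted with aspnet_regiis or moved out of the file.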


Phase 3 — Stealthy Data Exfiltration 


Instead of sending the stolen files to an external server, the attackers use a technique designed to avoid controls that watch for file transfers.

First, the files are compressed into an archive with WinRAR.

Then they encode the archive with the built-in Windows certificate utility:

certutil -encode <archive> <output.txt>

This writes the archive as Base64 text (wrapped in the BEGIN/END CERTIFICATE markers that certutil uses for its output).

Rather than download that file, the attackers print the encoded text through the web shell, so the data leaves the server inside the ordinary HTTP response to a web shell request. The operator copies the text on the other end and decodes it back into the archive (certutil -decode reverses the step).

This way the data leaves the host without a separate upload and without a connection to an attacker-controlled server, which makes it less likely to trigger systems that alert on outbound file transfers.


Phase 4 — Persistence and Post-Exploitation Tooling 


To maintain long-term access and expand their capabilities, the attackers deploy a wide range of tools across both Windows and Linux environments.


Remote access and tunneling


  • FRP (Fast Reverse Proxy), an open-source tunneling tool used to expose internal services through the compromised host to an attacker-controlled server.


Privilege escalation


  • PrintSpoofer, a known Windows privilege-escalation tool that abuses SeImpersonatePrivilege, a right IIS application pool identities normally hold, to go from the web shell's service account to SYSTEM.


Reconnaissance utilities


  • ScanPortPlus, a custom Go-based scanner used to identify accessible services.

  • SuperDump, a .NET reconnaissance tool previously seen in earlier intrusions.


DLL side-loading for stealth execution


The attackers also abuse legitimate Python interpreter binaries:

  • python.exe

  • pythonw.exe

These are staged together with a malicious DLL that carries the name of a library the interpreter expects to load from its own directory. The interpreter loads that DLL on start-up, so the malicious code runs inside a process that looks like a legitimate Python interpreter (pythonw.exe additionally runs without a console window, so nothing is visible to a logged-in user).


Phase 5 — Credential Theft and Memory Extraction 


A major component of the campaign is credential harvesting, which allows attackers to access additional systems and services inside the network.

The toolkit used for credential extraction includes:

  • Mimikatz — dumps plaintext credentials from memory

  • LsaRecorder — hooks LsaApLogonUserEx2 inside LSASS to capture plaintext passwords at logon time

  • DumpItForLinux — memory acquisition tool for Linux hosts

  • Volatility Framework — analyzes the acquired memory images, for example to extract password hashes

  • SQL Server Management Studio Password Export Tool — extracts saved connection credentials from the SqlStudio.bin file used by SSMS


Together, these tools allow attackers to obtain:


  • domain credentials

  • database access information

  • administrator passwords

  • service account credentials


This enables them to move deeper into the environment and maintain persistence across multiple systems.


Measures to Fend Off the Attack 


Organizations can reduce exposure to campaigns like this by implementing the following defensive measures:

  • Patch and harden internet-facing web servers to prevent exploitation, and run application pools under low-privilege identities.

  • Monitor for web shell activity: new or modified .aspx/.asmx files in the web root and shells (cmd.exe, powershell.exe) spawned by the IIS worker process w3wp.exe.

  • Alert on certutil -encode and -decode, which have no routine use on a web server.

  • Alert on python.exe or pythonw.exe running from, or loading DLLs from, directories outside known Python installations.

  • Restrict and monitor credential-dumping tools such as Mimikatz, and enable LSA Protection (RunAsPPL) and Credential Guard to make LSASS memory far harder to read.

  • Audit access to IIS directories and database backup files, and encrypt the connectionStrings section of web.config (aspnet_regiis -pe) so a copied file does not yield database passwords.

  • Deploy behavioral EDR solutions capable of detecting lateral movement and credential theft.

  • Monitor outbound traffic for FRP tunnels or abnormal data exfiltration patterns, including unusually large HTTP responses from web shell paths.

  • Conduct regular privileged credential rotation and access audits.
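One way to turn the Phase 3 and Phase 4 indicators, and the monitoring items above, into detection logic, as an added example that is not part of the article or the Unit 42 report: three rules run over process-creation and image-load events and flag a shell spawned by the IIS worker process, certutil used with -encode, and a Python interpreter loading a DLL from outside any known Python or Windows directory. The event format (pipe-separated key=value fields modelled on Sysmon event 1 and event 7 records), the sample events and the list of known Python install directories are all constructed assumptions to be replaced with real telemetry and a per-environment baseline.

```python
"""Host-level detections for the web shell, certutil and DLL side-loading
tradecraft described above. Added example; the event format, the sample
events and the directory lists are constructed assumptions.
"""
import re
from pathlib import PureWindowsPath

# Assumption: where Python is legitimately installed on the monitored hosts.
KNOWN_PYTHON_DIRS = (r"C:\Program Files\Python311", r"C:\Program Files\Python312")
# DLLs from the OS itself are loaded by every process and are not side-loads.
WINDOWS_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "tomcat9.exe"}
SHELL_PROCS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PYTHON_PROCS = {"python.exe", "pythonw.exe"}
CERTUTIL_ENCODE = re.compile(r"(?:^|\s)[-/]encode(?:hex)?\b", re.IGNORECASE)


def parse_event(line):
    """Turn 'key=value|key=value' into a dict with lowercase keys."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def basename(path):
    return PureWindowsPath(path).name.lower()


def under(path, prefixes):
    """True if path sits in, or anywhere below, one of the directories."""
    p = str(PureWindowsPath(path)).lower()
    return any(p == d.lower() or p.startswith(d.lower().rstrip("\\") + "\\")
               for d in prefixes)


def rule_web_shell_child(ev):
    """Event 1: a web server worker process spawning an interactive shell."""
    return (ev.get("event") == "1"
            and basename(ev.get("parent", "")) in WEB_SERVER_PROCS
            and basename(ev.get("image", "")) in SHELL_PROCS)


def rule_certutil_encode(ev):
    """Event 1: certutil asked to Base64-encode a file (-encode/-encodehex)."""
    return (ev.get("event") == "1"
            and basename(ev.get("image", "")) == "certutil.exe"
            and CERTUTIL_ENCODE.search(ev.get("cmdline", "")) is not None)


def rule_python_sideload(ev):
    """Event 7: python(w).exe loading a DLL from a foreign directory."""
    if ev.get("event") != "7" or basename(ev.get("image", "")) not in PYTHON_PROCS:
        return False
    dll = ev.get("imageloaded", "")
    if not dll.lower().endswith(".dll"):
        return False
    return not under(dll, KNOWN_PYTHON_DIRS + WINDOWS_DIRS)


RULES = (("web_shell_child", rule_web_shell_child),
         ("certutil_encode", rule_certutil_encode),
         ("python_sideload", rule_python_sideload))


def scan(lines):
    """Run every rule over every event; return one alert per rule hit."""
    alerts = []
    for index, line in enumerate(lines):
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                alerts.append({"rule": name, "index": index,
                               "image": ev.get("image", ""),
                               "dll": ev.get("imageloaded", ""),
                               "cmdline": ev.get("cmdline", "")})
    return alerts


# Constructed sample telemetry: three malicious events among benign ones.
SAMPLE_EVENTS = [
    r"event=1|parent=C:\Windows\System32\inetsrv\w3wp.exe|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c whoami",
    r"event=1|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\certutil.exe|cmdline=certutil -encode C:\Windows\Temp\out.rar C:\Windows\Temp\out.txt",
    r"event=1|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\certutil.exe|cmdline=certutil -verify cert.cer",
    r"event=1|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe",
    r"event=7|image=C:\Program Files\Python311\python.exe|imageloaded=C:\Program Files\Python311\python311.dll",
    r"event=7|image=C:\ProgramData\update\pythonw.exe|imageloaded=C:\ProgramData\update\python311.dll",
    r"event=7|image=C:\ProgramData\update\pythonw.exe|imageloaded=C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The side-loading rule deliberately keys on where the DLL comes from rather than on its name, because the whole point of the technique is that the DLL carries a legitimate name; an interpreter in C:\ProgramData loading python311.dll from the same folder is the pattern, and a verified Python install directory is the only thing that should exempt it.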


The CL-UNK-1068 campaign illustrates how threat actors can successfully infiltrate critical infrastructure by combining simple but effective techniques with widely available tools. Instead of relying solely on sophisticated malware, the attackers leverage web shells, credential-dumping utilities, and legitimate system binaries to maintain a stealthy presence across both Windows and Linux environments.


Their ability to operate quietly within compromised networks for extended periods highlights a growing trend in cyber-espionage operations: blending into normal system activity rather than deploying highly visible malware. By exploiting web servers, harvesting credentials, and using creative exfiltration techniques such as Base64 command output, the attackers can quietly extract sensitive information from strategically important organizations.

For organizations operating in critical sectors, strengthening web server security, monitoring credential access, and deploying advanced behavioral detection tools remain essential steps to counter such long-term infiltration campaigns.



Source: The Hacker News

