Researchers that were called to investigate a cyberattack on a large organization in late 2023 have traced the activity to a sophisticated Chinese-linked threat actor group dubbed ‘Velvet Ant,’ based on tactics and infrastructure.
The investigation found that Velvet Ant infiltrated the company’s network at least three years prior to the incident using the remote access trojan PlugX, which granted the threat actors access to sensitive systems across the enterprise environment.
Velvet Ant Campaign Used Evasive Tactics
Researchers from Sygnia disclosed that the attack began with the compromise of the organization’s internet-facing F5 BIG-IP appliances, which were running on vulnerable OS versions. These appliances usually occupy a trusted position within network architecture, allowing potential attackers significant control over network traffic while evading most forms of detection. These appliances were used within the organization to manage its firewall, WAF (web application firewall), load balancing, and local traffic .
The attackers used known remote code execution flaws to install custom malware on the compromised F5 appliances. To obscure the execution chain, the attackers manipulated file-creation times and used three different files (‘iviewers.exe’, ‘iviewers.dll’ and ‘iviewers.dll.ui’) for deployment of the PlugX malware on affected systems. Once installed, PlugX harvested credentials and executed reconnaissance commands to map the internal network. The hackers then used the open-source tool Impacket for lateral movement across the network.
During the initial compromise, the threat actor compromised both modern workstations and legacy Windows Server 2003 systems. On modern endpoints, the hackers routinely tampered with the installed antivirus prior to deploying additional tools. This careful targeting of security controls demonstrates Velvet Ant’s operational maturity. However, the focus on legacy platforms ultimately assisted the hackers in evading detection.
The researchers identified the placement of 4 additional malware programs on compromised F5 appliances:
- VELVETSTING – This program was configured to connect to a remote server located in China to check for encoded commands on an hourly basis. Once commands were received, the program would execute them via a Unix shell.
- VELVETTAP – Malware seems to have been monitoring and capturing data from the F5 internal network interface.
- SAMRID – This software has been identified as a publicly available tunneling program that had previously been utilized by Chinese state-sponsored groups. While dormant during the researcher’s investigation, it may have provided the attackers remote access.
- ESRDE – This backdoor works similarly to VELVETSTING, running commands delivered from an external server. It was also inactive at the time of analysis.
The VELVET programs were set up to restart upon reboot of compromised F5 appliances. These additional malware payloads were likely intended to provide attackers with multiple backdoors even after the discovery and removal of the initial malware. Each infection had been carefully established to resist removal various and facilitate additional infiltration.
Organizations Systems Were Reinfected Upon Malware Removal
After an extensive incident response operation apparently eliminated the threat actor’s access, researchers detected a PlugX reinfection on clean hosts again a few days later. Further analysis found that the new version of PlugX lacked an external command and control server. Instead, the malware was configured to use an internal file server for command and control.
This adaptation blended malicious traffic with normal internal communications, helping Velvet Ant operate undetected. While the attack was eventually contained, its sophistication and persistence highlight the challenges defenders face against advanced persistent threats (APTs).
The researchers stated that they could not rule out the possibility of the campaign being a ‘false-flag’ operation by a different APT group. However, the PlugX malware has previously been associated with other China-linked APTs. The researchers have shared several recommendations as well as indicators of compromise (IOCs) on their blog.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
