
Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia

A suspected China-nexus threat actor tracked as CL-STA-1087 has been conducting a persistent espionage campaign against Southeast Asian military targets since 2020. The attackers utilize custom malware, including the AppleChris and MemFun backdoors, leveraging Dead Drop Resolvers (DDR) like Pastebin and Dropbox for C2 resolution alongside advanced evasion techniques like process hollowing and DLL hijacking.

Confidence: high | Analyzed: 2026-03-13

Authors: Unit 42

Actors: CL-STA-1087 (Chinese Nexus APT)

Source: Palo Alto Networks


Key Takeaways

  • Suspected China-based threat actor (CL-STA-1087) targeting Southeast Asian military organizations since at least 2020.
  • Attackers utilize custom backdoors named AppleChris and MemFun, alongside a modified Mimikatz variant called Getpass.
  • Extensive use of Dead Drop Resolvers (DDR) via Pastebin and Dropbox to dynamically resolve C2 infrastructure.
  • Techniques include DLL hijacking, process hollowing, timestomping, and reflective DLL loading to evade detection.
  • Operations align with UTC+8 business hours, focusing on highly targeted intelligence collection rather than bulk data theft.

Affected Systems

  • Windows OS
  • Domain controllers
  • Web servers
  • IT workstations
  • Executive-level assets

Attack Chain

The attackers gained an initial foothold on an unmanaged endpoint and maintained persistence using PowerShell scripts that beaconed to C2 servers. They moved laterally using WMI and remote service creation (sc.exe) to deploy the AppleChris backdoor via DLL hijacking of the Volume Shadow Copy Service (swprv). Concurrently, they deployed the MemFun backdoor using process hollowing into dllhost.exe and reflective DLL loading. Both backdoors utilized Dead Drop Resolvers (Pastebin/Dropbox) to dynamically obtain C2 infrastructure, enabling the attackers to deploy the Getpass tool for credential harvesting and selectively exfiltrate sensitive military intelligence.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Cortex XDR, Advanced WildFire

The article does not provide raw detection rules, but notes that Palo Alto Networks Cortex XDR and Advanced WildFire have built-in BIOCs and behavioral detections for the observed activities, such as non-browser access to Pastebin and suspicious remote service creation.

Detection Engineering Assessment

  • EDR Visibility: High. The attack relies heavily on process injection (hollowing dllhost.exe), DLL hijacking (swprv32.sys), remote service creation, and specific command-line executions (rundll32.exe with specific exports), all of which are highly visible to modern EDR sensors.
  • Network Visibility: Medium. While C2 traffic is encrypted, the use of custom HTTP verbs (POT, DPF, etc.) and beaconing to known DDRs (Pastebin) from non-browser processes provides distinct network anomalies.
  • Detection Difficulty: Moderate. The use of legitimate services (Dropbox, Pastebin) for DDR and in-memory execution complicates static detection, but the behavioral anomalies (custom HTTP verbs, specific mutexes, DLL hijacking of swprv) provide solid detection opportunities.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Network Connections (Sysmon 3)
  • Registry Modifications (Sysmon 12/13/14)
  • Service Creation (Event ID 7045 / 4697)

Hunting Hypotheses

  • Hypothesis: Look for non-browser processes (such as svchost.exe or dllhost.exe) initiating network connections to pastebin.com or dropbox.com, which may indicate Dead Drop Resolver usage. | Telemetry: Network connection logs mapped to process execution | ATT&CK Stage: Command and Control | FP Risk: Low to Medium
  • Hypothesis: Search for registry modifications targeting the ServiceDll value of the Volume Shadow Copy Service (swprv) pointing to unexpected paths such as C:\Windows\System32\swprv32.sys. | Telemetry: Registry modification logs | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Monitor for the execution of rundll32.exe calling a DLL from the C:\ProgramData\ directory with the export function 'vncpass'. | Telemetry: Process creation logs with command-line arguments | ATT&CK Stage: Credential Access | FP Risk: Low
  • Hypothesis: Detect HTTP traffic using non-standard HTTP verbs such as POT, DPF, UPF, CPF, LPF, or Q. | Telemetry: Web proxy or Layer 7 firewall logs | ATT&CK Stage: Command and Control | FP Risk: Low
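The four hunting hypotheses above expressed as hunt logic over constructed Sysmon- and proxy-style events. This is an added example, not Unit 42's or Cortex XDR's code; the event field names, the browser allow-list and the stock swprv ServiceDll value are assumptions.

```python
import re

# Constructed events (not from the report): one match per hypothesis plus a benign
# counterpart for each, so the hunt also shows what it does NOT flag.
SAMPLE_EVENTS = [
    {"type": "net", "image": r"C:\Windows\System32\svchost.exe", "dest_host": "pastebin.com"},
    {"type": "net", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "pastebin.com"},
    {"type": "reg", "target": r"HKLM\System\CurrentControlSet\Services\swprv\Parameters\ServiceDll",
     "data": r"C:\Windows\System32\swprv32.sys"},
    {"type": "reg", "target": r"HKLM\System\CurrentControlSet\Services\swprv\Parameters\ServiceDll",
     "data": r"%SystemRoot%\System32\swprv.dll"},
    {"type": "proc", "cmdline": r"rundll32.exe C:\ProgramData\Cyvera\gp64.dll,vncpass"},
    {"type": "proc", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "http", "method": "DPF", "host": "203.0.113.7"},
    {"type": "http", "method": "POST", "host": "203.0.113.7"},
]

DDR_HOSTS = {"pastebin.com", "dropbox.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumed allow-list
CUSTOM_VERBS = {"POT", "DPF", "UPF", "CPF", "LPF", "Q"}
SWPRV_SERVICEDLL = r"hklm\system\currentcontrolset\services\swprv\parameters\servicedll"
# rundll32 loading any DLL under C:\ProgramData\ with the 'vncpass' export
GETPASS_EXPORT = re.compile(r"rundll32(\.exe)?\s+c:\\programdata\\[^\s,]+,\s*vncpass\b")


def hunt(event: dict) -> list[str]:
    """Return the labels of the hunting hypotheses a single event matches."""
    hits = []
    kind = event["type"]
    if kind == "net":  # Sysmon 3 joined to the originating image
        image = event["image"].rsplit("\\", 1)[-1].lower()
        if event["dest_host"].lower() in DDR_HOSTS and image not in BROWSERS:
            hits.append("ddr-from-nonbrowser")
    elif kind == "reg":  # Sysmon 13: value set on the swprv ServiceDll
        # Assumed stock value: %SystemRoot%\System32\swprv.dll; anything else is suspect.
        if event["target"].lower() == SWPRV_SERVICEDLL and not event["data"].lower().endswith(r"\swprv.dll"):
            hits.append("swprv-servicedll-hijack")
    elif kind == "proc":  # Sysmon 1 / 4688 with command line
        if GETPASS_EXPORT.search(event["cmdline"].lower()):
            hits.append("getpass-vncpass-export")
    elif kind == "http":  # web proxy / Layer 7 firewall
        if event["method"].upper() in CUSTOM_VERBS:
            hits.append("custom-http-verb")
    return hits


def run_hunt(events: list[dict]) -> list[tuple[int, str]]:
    """(event index, hypothesis label) for every match across the event stream."""
    return [(i, label) for i, ev in enumerate(events) for label in hunt(ev)]
```

Run over SAMPLE_EVENTS, only the four malicious events (indices 0, 2, 4 and 6) are flagged; the chrome.exe connection, the stock ServiceDll, the shell32 rundll32 call and the POST request pass through.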

Control Gaps

  • Unmanaged endpoints lacking EDR coverage allowed initial persistence
  • Lack of strict egress filtering allowed connections to Pastebin/Dropbox from critical servers

Key Behavioral Indicators

  • Mutexes: 0XFEXYCDAPPLE05CHRIS, GOOGLE
  • Custom HTTP verbs (POT, DPF, etc.)
  • svchost.exe accessing pastebin.com
  • Creation of WinSAT.db after LSASS access

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Isolate any endpoints communicating with the identified C2 IPs or exhibiting the AppleChris/MemFun mutexes.
  • Block the identified C2 IP addresses and domains at the perimeter firewall.
  • Hunt for the presence of swprv32.sys, gp64.dll, and WinSAT.db on Windows systems.

Infrastructure Hardening

  • Implement strict egress filtering to block access to file-sharing sites like Pastebin and Dropbox from critical servers and domain controllers.
  • Ensure all endpoints, especially those in sensitive network segments, are managed and have active EDR agents installed.
  • Restrict lateral movement by disabling unnecessary remote services (e.g., remote WMI, remote service creation) between workstation endpoints.

User Protection

  • Deploy LSA Protection to prevent unauthorized processes from reading LSASS memory, mitigating the Getpass tool.
  • Enforce multi-factor authentication (MFA) across all administrative access to limit the impact of compromised credentials.

Security Awareness

  • Educate security operations teams on the concept of Dead Drop Resolvers (DDR) and how legitimate cloud services can be abused for C2.

MITRE ATT&CK Mapping

  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1070.006 - Indicator Removal: Timestomp
  • T1003.001 - OS Credential Dumping: LSASS Memory
  • T1055.012 - Process Injection: Process Hollowing
  • T1620 - Reflective Code Loading
  • T1102.001 - Web Service: Dead Drop Resolver
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1047 - Windows Management Instrumentation
  • T1543.003 - Create or Modify System Process: Windows Service

Additional IOCs

  • URLs:
    • hxxps://8[.]220[.]184[.]177:443/connect - C2 connection URL extracted from PowerShell script
  • File Hashes:
    • 5a6ba08efcef32f5f38df544c319d1983adc35f3db64f77fa5b51b44d0e5052c (sha256) - AppleChris backdoor (Tunneler variant)
    • 0e255b4b04f5064ff97da214050da81a823b3d99bce60cdd9ee90d913cc4a952 (sha256) - AppleChris backdoor (Tunneler variant)
    • 413daa580db74a38397d09979090b291f916f0bb26a68e7e0b03b4390c1b472f (sha256) - AppleChris backdoor (Dropbox variant)
    • 2ee667c0ddd4aa341adf8d85b54fbb2fce8cc14aa88967a5cb99babb08a10fae (sha256) - AppleChris backdoor (Dropbox variant)
  • Registry Keys:
    • HKLM\system\CurrentControlSet\services\swprv\Parameters - Modified to point ServiceDll to the malicious AppleChris DLL for persistence
  • File Paths:
    • C:\Windows\System32\swprv32.sys - AppleChris malicious DLL used in DLL hijacking
    • C:\windows\update.exe - AppleChris Tunneler variant executable
    • C:\ProgramData\Cyvera\gp64.dll - Getpass credential harvester DLL masquerading as a Palo Alto Networks tool
    • WinSAT.db - File used by Getpass to store stolen credential data
  • Command Lines:
    • Purpose: Start the hijacked Volume Shadow Copy Service to execute the AppleChris backdoor | Tools: cmd.exe, sc.exe | Stage: Execution | cmd.exe /c sc start swprv
    • Purpose: Modify the registry to establish DLL hijacking persistence for the swprv service | Tools: reg.exe | Stage: Persistence
    • Purpose: Create a remote service for lateral movement and execution | Tools: sc.exe | Stage: Lateral Movement | sc \\<target_ip> create winsv binpath= "cmd.exe /c c:\windows\update.exe"
    • Purpose: Execute remote commands via WMI for lateral movement | Tools: wmic.exe | Stage: Lateral Movement | wmic /node: /user: /password: process call create
    • Purpose: Execute the Getpass credential harvester DLL via its specific export function | Tools: rundll32.exe | Stage: Credential Access | rundll32.exe C:\ProgramData\Cyvera\gp64.dll,vncpass
  • Other:
    • 0XFEXYCDAPPLE05CHRIS - Mutex created by the AppleChris backdoor
    • GOOGLE - Mutex created by the MemFun in-memory downloader
    • POT, DPF, UPF, CPF, LPF, Q - Custom HTTP verbs used by AppleChris and MemFun for C2 communication