SOC Prime Bias: Critical

07 Nov 2025 21:39

China-linked Actors Maintain Focus on Organizations Influencing U.S. Policy

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Analysis

Chinese state‑linked threat groups such as APT41, Kelp (Salt Typhoon), Space Pirates and the Earth Longzhi sub‑group conducted a multi‑stage intrusion against a U.S. non‑profit that influences government policy. The attackers performed initial scanning for known exploits (e.g., CVE‑2022‑26134, CVE‑2021‑44228, CVE‑2017‑9805, CVE‑2017‑17562), used curl to test connectivity, gathered network data with netstat, created scheduled tasks for persistence, performed DLL sideloading via the legitimate VipreAV component vetysafe.exe, and employed tools like Dcsync and Imjpuexc. The campaign aimed to maintain long‑term stealthy access and potentially compromise domain controllers.

Investigation

The investigation identified a series of ATT&CK techniques:

  • Reconnaissance (T1595): mass scanning for vulnerable services.
  • Initial Access (T1190): exploitation of CVE‑2022‑26134, CVE‑2021‑44228, CVE‑2017‑9805 and CVE‑2017‑17562.
  • Command‑and‑Control testing: curl requests to external sites (https://www.google.com, https://www.microsoft.com, etc.).
  • Discovery (T1049): netstat used to enumerate network connections.
  • Persistence (T1053): a scheduled task created with schtasks /create /tn \Microsoft\Windows\Ras\Outbound.
  • Defense Evasion (T1574.002): DLL sideloading of sbamres.dll through vetysafe.exe.
  • Credential Access (T1003): Dcsync used to replicate directory data.
  • Execution (T1059): a custom loader and Imjpuexc.

Tools observed included legitimate Windows utilities (netstat, schtasks), curl, msbuild.exe, vetysafe.exe (VipreAV), sbamres.dll, Dcsync, Imjpuexc, and a custom encrypted loader. Indicators of Compromise (IOCs) recorded included hash values for sbamres.dll and imjpuexc.exe, and network traffic to hxxp://38.180.83[.]166/6CDF0FC26CDF0FC2.

Mitigation

  • Patch all vulnerable software immediately, especially Atlassian products (CVE‑2022‑26134), Log4j (CVE‑2021‑44228), Apache Struts (CVE‑2017‑9805) and GoAhead (CVE‑2017‑17562).
  • Implement application control (e.g., AppLocker, Windows Defender Application Control) to block unauthorized execution of common utilities such as curl, msbuild.exe, and custom loaders from non‑standard directories.
  • Enforce strict least‑privilege policies; restrict the creation of scheduled tasks to authorized administrators only. Deploy DLL sideloading detection rules and monitor for execution of known legitimate binaries loading unexpected DLLs (e.g., vetysafe.exe loading sbamres.dll).
  • Enable monitoring for Dcsync activity and anomalous replication requests on domain controllers.
  • Segment networks to limit lateral movement and isolate critical assets such as domain controllers.
  • Conduct regular vulnerability scanning and threat‑intel‑driven exploit‑prevention based on emerging CVEs.
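Monitoring for Dcsync activity, as recommended above, usually means watching Windows Security event 4662 on domain controllers for directory-replication extended rights requested by a principal that is not itself a domain controller. The following added example (not SOC Prime's rule content) implements that check over constructed 4662 records; the replication-right GUIDs are the well-known Active Directory values, while the record field names, the allowlisted service account and the machine-account heuristic are assumptions of this example.

```python
"""DCSync-style replication detection over Windows Security 4662 events.

Added example. The events are constructed; the field names are a flattened
form of the 4662 XML (SubjectUserName, ObjectType, AccessMask, Properties)
and are an assumption of this example.
"""
import re

# Extended-right GUIDs that grant directory replication (well-known AD values)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
CONTROL_ACCESS = 0x100  # AccessMask bit for a control-access (extended) right

# Accounts legitimately entitled to replicate, e.g. a directory-sync connector.
# Constructed for this example; populate from the environment's own inventory.
REPLICATION_ALLOWLIST = {"svc_dirsync"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed sample events
SAMPLE_4662 = [
    # DC-to-DC replication: machine account of a domain controller
    {"event_id": 4662, "subject_user": "DC02$", "object_type": "domainDNS",
     "access_mask": 0x100, "properties": REPL_PROPS},
    # A user account requesting replication rights: the Dcsync pattern
    {"event_id": 4662, "subject_user": "jsmith", "object_type": "domainDNS",
     "access_mask": 0x100, "properties": REPL_PROPS},
    # Same user touching an unrelated attribute: not replication
    {"event_id": 4662, "subject_user": "jsmith", "object_type": "user",
     "access_mask": 0x10, "properties": "{constructed-non-replication-guid}"},
    # Allowlisted sync account
    {"event_id": 4662, "subject_user": "svc_dirsync", "object_type": "domainDNS",
     "access_mask": 0x100, "properties": REPL_PROPS},
    # Unrelated logon event, ignored
    {"event_id": 4624, "subject_user": "jsmith"},
]


def replication_rights(properties):
    """GUIDs in the Properties field that are replication extended rights."""
    return sorted(g for g in GUID_RE.findall(properties.lower()) if g in REPLICATION_RIGHTS)


def detect_dcsync(events):
    """Return an alert dict for each 4662 that looks like a non-DC replication request."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 4662:
            continue
        if not ev.get("access_mask", 0) & CONTROL_ACCESS:
            continue
        rights = replication_rights(ev.get("properties", ""))
        if not rights:
            continue
        subject = ev.get("subject_user", "")
        # Machine accounts end in '$'; DCs replicate under their own machine account.
        # This is a coarse filter: a proper rule compares against the list of DC accounts.
        if subject.endswith("$") or subject in REPLICATION_ALLOWLIST:
            continue
        alerts.append({"subject_user": subject, "object_type": ev.get("object_type"),
                       "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_4662):
        print(f"possible DCSync by {alert['subject_user']}: {', '.join(alert['rights'])}")
```

Excluding every account that ends in "$" is a convenience for the example; in production, match the subject against the enumerated domain-controller computer accounts instead, since a compromised member-server machine account would otherwise be silently excluded.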

Response

  • Isolate the compromised host(s) and any systems showing similar IOCs.
  • Capture volatile memory and disk images for forensic analysis.
  • Remove malicious scheduled tasks and delete unknown XML files used by msbuild.exe.
  • Replace or clean compromised binaries (vetysafe.exe, msbuild.exe) and verify signatures.
  • Rotate credentials, especially for privileged accounts and domain admin accounts; audit for credential dumping.
  • Block outbound C2 traffic to the malicious host (hxxp://38.180.83[.]166).
  • Conduct a full domain controller audit to ensure no backdoors or persistence mechanisms remain.
  • Update detection signatures in SIEM and endpoint tools for the observed tools and IOCs.

Attack Flow

Simulation Instructions

  • Attack Narrative & Commands:

    1. Persistence via msbuild.exe – The attacker crafts a malicious XML project (evil.xml) that runs a PowerShell payload to download a back‑door DLL.
    2. DLL sideloading with vetysafe.exe – A malicious DLL (evil.dll) is placed alongside vetysafe.exe; executing vetysafe.exe loads the DLL, achieving code execution (T1055.001/T1574.001).
    3. Network reconnaissance with netstat.exe – The attacker runs netstat -ano to enumerate active connections, gathering data for lateral movement (T1049).
  • Regression Test Script:

    # ---------------------------------------------------------
    # Attack Simulation – triggers Sigma rule for vetysafe, msbuild, netstat
    # ---------------------------------------------------------
    
    # 1. Prepare placeholder DLL (fake PE header only; not loadable code)
    $dllPath = "$env:TEMP\evil.dll"
    # Set-Content treats a byte array as text unless -Encoding Byte (PS 5.1) or
    # -AsByteStream (PS 7) is given; WriteAllBytes behaves the same on both.
    [System.IO.File]::WriteAllBytes($dllPath, [byte[]](0x4D,0x5A,0x90,0x00)) # Fake PE header
    
    # 2. Copy vetysafe.exe (assume present in C:\Windows\System32) to temp folder
    $vetysafe = "$env:SystemRoot\System32\vetysafe.exe"