Velvet Ant Activity Detection: China-Backed Cyber-Espionage Group Launches a Prolonged Attack Using Malware Deployed on the F5 BIG-IP Devices

[post-views]
June 18, 2024 · 4 min read
Velvet Ant Activity Detection: China-Backed Cyber-Espionage Group Launches a Prolonged Attack Using Malware Deployed on the F5 BIG-IP Devices

The China-linked cyber-espionage group Velvet Ant has been infiltrating F5 BIG-IP devices for about three years, using them as internal C2 servers, deploying malware, and gaining persistence to smartly evade detection and steal sensitive data.

Detect Velvet Ant Attacks

In Q1 2024, APT groups from various regions, including China, North Korea, Iran, and Russia, demonstrated a significant increase in dynamic and innovative offensive capabilities, posing substantial challenges to the global cybersecurity landscape. This trend is escalating, with the recently revealed cyber-espionage campaign by the China-nexus Velvet Ant APT being the latest markup of the extensive attack surface that organizations are currently coping with.

To stay ahead of adversaries and spot malicious activity associated with the latest Velvet Ant campaign, SOC Prime Platforms offers a dedicated pack of Sigma rules. Just hit the Explore Detections button below or access the detection stack directly using the “Velvet Ant” tag in the Threat Detection Marketplace. 

Explore Detections

All the rules are compatible with 30+ SIEM, EDR, and Data Lake technologies and mapped to MITRE ATT&CK®. Additionally, detections are enriched with extensive metadata, CTI references, and attack timelines to smooth out threat investigation. 

Velvet Ant Activity Analysis

Sygnia researchers have conducted a forensic analysis of the persistent malicious activity linked to a China-nexus nation-backed group dubbed Velvet Ant. Chinese cyber-espionage threat actors have been observed behind a prolonged sophisticated attack on the East Asian organization. The attackers weaponized legacy F5 BIG-IP devices as an internal C2 system for persistence and detection evasion, leading to stealthy data theft from the compromised instances. Notably, Velvet Ant had infiltrated the organization’s network at least two years before the investigation. During this time, they managed to establish a strong foothold and gain detailed knowledge of the network.

The infection chain involved the use of a nefarious PlugX backdoor (aka Korplug), a modular RAT frequently leveraged by Chinese-affiliated cyber-espionage maintainers like Earth Preta APT. PlugX heavily relies on DLL side-loading to compromise target devices. Adversaries also attempted to disable the organization’s EDR solution before installing PlugX with the help of open-source tools like Impacket to move laterally across the network.

Velvet Ant reconfigured PlugX to serve as an internal C2 server while channeling traffic through this server. This facilitated defense evasion, enabling the C2 traffic to blend with legitimate internal network traffic.

According to the research, the impacted organization had two F5 BIG-IP appliances that provided services such as firewalls, WAF, load balancing, and local traffic management. They both ran an outdated OS, enabling adversaries to easily weaponize one of these security flaws to obtain remote access to the devices. 

Adversaries deployed additional malware on the compromised F5 instances, including VELVETSTING, which connected to the threat actor’s C2 every hour to check for commands to execute, and VELVETTAP, which was used to capture network packets. Other utilities from the adversary toolkit include SAMRID, an open-source SOCKS proxy tunneler employed by various Chinese APT groups, including Volt Typhoon, and ESRDE, which has capabilities similar to those of the VELVETSTING tool. 

The increasing sophistication of the latest Velvet Ant’s attack and the actors’ capability to smartly evade detection underscores the need for robust defense strategies against APT attacks. As potential F5 BIG-IP malware mitigation measures, defenders recommend restricting outbound internet traffic, limiting lateral movement within the network, and improving system hardening for both legacy and public-facing devices. By leveraging SOC Prime’s Attack Detective SaaS solution, organizations can gain from real-time data and content audits for comprehensive threat visibility and improved detection coverage, explore high-fidelity detection stack for alerting, and enable automated threat hunting to quickly identify and tackle cyber threats before they escalate. 

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts