Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 (where “OP” stands for “opponent”) that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework.
ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China.
“OP-512 was highly likely conducting espionage through a compromised Internet Information Services (IIS) web server on an organization whose sector and geography align with China-linked intelligence priorities,” the company said in a report shared with The Hacker News.
Although no overlaps have been found between OP-512 and other known China-aligned adversaries, it’s the fourth such threat group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS web servers over the past 12 months. As recently as last month, Cisco Talos revealed that multiple Chinese-speaking cybercrime groups are sharing a variant of malware called BadIIS to infect IIS servers.
IIS servers have also been targeted by SHADOW-EARTH-053 as part of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia.
Central to the operations of OP-512 is a custom web shell framework consisting of three web shells that grant the attackers remote access to the compromised host, while taking steps to evade signature-based detection and complicate forensic timelines using techniques like timestomping to intentionally manipulate the timestamps when the web shell artifacts are created or modified.
Specifically, this entails scanning every file and sub-folder around where the web shells are placed, calculating the median last-modified timestamp, and overwriting their own creation and modification times to match that value, thus giving the impression that they have been present for some time.
“This framework combines capabilities we rarely see together: each deployment is uniquely generated, access is restricted to the attacker through cryptographic controls, and compromised servers automatically report back for centralized management at scale,” ReliaQuest said.
OP-512 shares close tactical proximity to CL-STA-0048, which has raised the possibility that it either represents an existing cluster that has completely revamped its toolset or developed these capabilities independently on its own. Regardless of its origins, the hacking group is said to be a distinct cluster operating in an autonomous manner.
In the attack observed by the cybersecurity company, the threat actor has been found to target a legacy IIS server running Windows Server 2016 with end-of-life .NET Framework 4.0. There is evidence of prior activity on the same host, about 75 days before the main incident took place. This involved DNS queries to a different attacker-controlled domain (“ashx.lhlsjcb[.]com”).
The sequence of actions that unfolded weeks later has been described as a “sprint,” with the attacker using the web server’s worker process (“w3wp.exe”) to drop one of the web shells to the application’s upload directory. This, in turn, triggers a self-reporting mechanism that uses a DNS query or an HTTP request as a fallback to transmit the web shell’s location to an attacker-controlled domain.
“Together, the three web shells gave the attacker file management, authenticated command execution through two independent access paths, and automated reporting of the compromise, all before anyone had time to respond,” ReliaQuest researchers explained.
With the web shells deployed, OP-512 is said to have attempted to escalate privileges to the SYSTEM level using the Potato Suite, followed by running commands like “whoami /priv” to confirm their system rights.
“Four China-linked clusters targeting the same technology in under a year is unlikely to be a coincidence,” ReliaQuest said. “Internet-facing IIS servers running legacy, unsupported software remain a preferred entry point across this threat ecosystem and show no signs of slowing down.”
“What should concern defenders most is what makes OP-512 different. This threat cluster isn’t using commodity tooling and recycling it across campaigns. It’s using a purpose-built framework designed to defeat the detection methods that work against the other three clusters. Organizations that have tuned their defenses to known actors are likely not covered here.”
