Microsoft Identifies Flax Typhoon Hackers Leveraging LOLBins for Stealthy Operations

Microsoft has uncovered a novel hacking group, dubbed Flax Typhoon, which appears to be targeting government agencies, education institutions, critical manufacturing facilities, and information technology organizations, presumably for espionage purposes.

In a distinct approach, this threat actor relies minimally on malware to infiltrate and maintain control over victim networks. Instead, they harness existing components within the operating system, often referred to as living-off-the-land binaries (LOLBins), as well as legitimate software.

Flax Typhoon has been operational since at least mid-2021, primarily focusing on entities within Taiwan. However, Microsoft has detected instances of their activity in Southeast Asia, North America, and Africa.

Throughout their observed campaign, Flax Typhoon initiates their intrusion by exploiting well-known vulnerabilities in publicly accessible servers. These vulnerabilities span VPN, web, Java, and SQL applications.

The attackers deploy a web shell named “China Chopper,” a compact yet potent tool (4KB) capable of executing remote code.

If necessary, the group elevates their privileges to administrator status using publicly available tools like ‘Juicy Potato’ and ‘BadPotato,’ which exploit established vulnerabilities to acquire higher permissions.

Following initial access, Flax Typhoon establishes persistence by altering the registry to disable network-level authentication (NLA) and capitalizing on the Windows Sticky Keys accessibility feature to forge a Remote Desktop Protocol (RDP) connection.

Microsoft elaborates, “Flax Typhoon can access the compromised system via RDP, use the Sticky Keys shortcut at the sign-in screen, and access Task Manager with local system privileges. From there, the actor can launch the Terminal, create memory dumps, and take nearly any other action on the compromised system.”

To circumvent RDP connectivity constraints, Flax Typhoon installs a legitimate VPN bridge to maintain communication between the compromised system and their external server. They employ open-source tools like the SoftEther VPN client, utilizing LOLBins such as PowerShell Invoke-WebRequest utility, certutil, and bitsadmin. The hackers manipulate built-in Windows tools to configure the VPN application to automatically launch during system startup.

In a bid to remain inconspicuous, the attackers rename the VPN executable to ‘conhost.exe’ or ‘dllhost.exe,’ disguising it as a legitimate Windows component. Additionally, Flax Typhoon employs SoftEther’s VPN-over-HTTPS mode to mask VPN traffic as regular HTTPS traffic.

For lateral movement within the compromised network, the group leverages Windows Remote Management (WinRM), WMIC, and other LOLBins.

Mimikatz, a well-known tool, is frequently employed by this China-based adversary to extract credentials from the Local Security Authority Subsystem Service (LSASS) process memory and the Security Account Manager (SAM) registry hive.

As of now, Microsoft has not observed Flax Typhoon utilizing the pilfered credentials to extract further data, leaving their primary objective somewhat enigmatic.

In response to this emerging threat, Microsoft recommends organizations to promptly apply the latest security updates to externally accessible endpoints and public-facing servers. Enabling multi-factor authentication (MFA) across all accounts is also advised.

Furthermore, organizations are encouraged to monitor the registry for unauthorized changes, such as those enacted by Flax Typhoon to disable NLA. Suspected breaches by this specific threat actor warrant meticulous network scrutiny, given their propensity for extended dwell periods, which can result in the compromise of multiple accounts and alterations to system configurations for persistent access.