Microsoft: Stealthy Flax Typhoon hackers use LOLBins to evade detection

Microsoft has identified a new hacking group it now tracks as Flax Typhoon that argets government agencies and education, critical manufacturing, and information technology organizations likely for espionage purposes.

The threat actor does not rely much on malware to gain and maintain access to the victim network and prefers using mostly components already available on the operating system, the so-called living-off-the-land binaries or LOLBins, and legitimate software.

Operating since at least mid-2021, Flax Typhoon mainly targeted organizations in Taiwan, although Microsoft discovered some victims in Southeast Asia, North America, and Africa.

Observed Flax Typhoon TTPs

In the campaign Microsoft observed, Flax Typhoon gained initial access by exploiting known vulnerabilities in public-facing servers, including VPN, web, Java, and SQL applications.

The hackers dropped  China Chopper, a small (4KB) yet powerful web shell that provides remote code execution capabilities.

If required, the hackers elevate their privileges to administrator level using the publicly available ‘Juicy Potato’ and ‘BadPotato’ open-source tools that exploit known vulnerabilities to obtain higher permissions.

Next, Flax Typhoon establishes persistence by turning off network-level authentication (NLA) through registry modifications and exploiting the Windows Sticky Keys accessibility feature to set up an RDP (Remote Desktop Protocol) connection.

“Flax Typhoon can access the compromised system via RDP, use the Sticky Keys shortcut at the sign-in screen, and access Task Manager with local system privileges,” explains Microsoft.

“From there, the actor can launch the Terminal, create memory dumps, and take nearly any other action on the compromised system.”

Adding the Registry key that disables NLA
Adding the Registry key that disables NLA (Microsoft)

To circumvent RDP connectivity restrictions of RDP to internal network, Flax Typhoon installs a legitimate VPN (virtual private network) bridge to maintain the link between the compromised system and their external server.

The hackers download the open-source SoftEther VPN client using LOLBins like PowerShell Invoke-WebRequest utility, certutil, or bitsadmin, and abuse various built-in Windows tools to set the VPN app to launch automatically on system startup.

System service for launching SoftEther VPN
System service for launching SoftEther VPN (Microsoft)

To minimize the risk of detection, the attackers rename it to ‘conhost.exe’ or ‘dllhost.exe,’ thus masking it as a legitimate Windows component.

Moreover, Flax Typhoon uses SoftEther’s VPN-over-HTTPS mode to conceal VPN traffic as standard HTTPS traffic.

Microsoft says that the hackers use Windows Remote Management (WinRM), WMIC, and other LOLBins for lateral movement.

The researchers say that this China-based adversary frequently uses the Mimikatz tool to extract credentials from the ocal Security Authority Subsystem Service (LSASS) process memory and the Security Account Manager (SAM) registry hive.

Microsoft has not observed Flax Typhoon using the stolen credentials to extract additional data, which makes the actor’s main objective unclear at the moment.


Microsoft recommends organizations to apply the latest security updates to internet-exposed endpoints and public-facing servers, and multi-factor authentication (MFA) should be enabled on all accounts.

Moreover, registry monitoring could help catch modification attempts and unauthorized changes like those performed by Flax Typhoon to disable NLA.

Organizations that suspect a breach from this particular threat actor need to thoroughly examine their networks, as Flax Typhoon’s long dwell periods allow compromising multiple accounts, and alter system configuration for long-term access.


Source link