Connect with us

Hi, what are you looking for?


Malware & Threats

Chinese Hackers Leveraged Legacy F5 BIG-IP Appliance for Persistence

China-linked threat actor Velvet Ant leveraged a legacy F5 BIG-IP appliance for three-year access to a victim’s network.

A Chinese state-sponsored threat actor was seen maintaining persistent access to a victim organization’s network for three years using a legacy F5 BIG-IP appliance, cybersecurity firm Sygnia reports.

Dubbed Velvet Ant, the threat actor used multiple mechanisms to ensure a foothold in the organization’s network, quickly pivoting from addressed mechanisms to new ones and showing adaptability in evading detection.

“This threat actor had infiltrated the organization’s network at least two years prior to the investigation, and had succeeded in gaining a strong foothold, and intimate knowledge of the network,” the cybersecurity firm notes.

Velvet Ant was seen using various tools and techniques to compromise critical systems and access sensitive data, and deployed dormant persistence mechanisms in unmonitored systems, including the PlugX remote access trojan (RAT).

The threat actor was observed employing DLL search order hijacking, DLL sideloading, and phantom DLL loading, as well as tampering with the installed security software before deploying the PlugX malware.

Demonstrating a high level of operational security (OPSEC) awareness, the hacking group did not install the malware on a workstation on which it failed to disable the security software.

Velvet Ant also used the open source tool Impacket for lateral tool transfer and remote code execution on compromised machines, and created firewall rules to allow connections to the command-and-control (C&C) server.

After eliminating the threat actor from the victim’s network, Sygnia observed it infecting new machines with PlugX samples reconfigured to use an internal server as C&C, and channeling external communication with the malware through that server.

Advertisement. Scroll to continue reading.

Essentially, the threat actor infected systems that had internet access with a PlugX version configured with an external C&C server, to exfiltrate sensitive information, and infected a legacy server with the malware iteration that did not have a C&C.

Velvet Ant maintained access to the legacy file server through two F5 BIG-IP appliances running outdated, vulnerable software, using a reverse SSH tunnel connection.

“The PlugX instance on the compromised file server was used by the threat actor as an internal C&C server. From this server, the threat actor conducted reconnaissance activities, deployed additional instances of the PlugX onto legacy servers by leveraging Impacket’s WmiExec,” Sygnia notes.

The compromised F5 BIG-IP appliances were used by the victim for firewall, WAF, load balancing and local traffic management services. Both devices were directly exposed to the internet and they may have been hacked through the exploitation of known vulnerabilities.

On one of the compromised F5 appliances, the threat actor deployed tools such as VelvetSting (for receiving commands from the C&C), VelvetTap (to capture network packets), Samrid (the open source Socks proxy tunneller EarthWorm), and Esrde (with the same capabilities as VelvetSting).

Considering the targeted organization, the use of ShadowPad and PlugX malware, and the use of DLL sideloading techniques, Sygnia believes that Velvet Ant is a state-sponsored threat actor operating out of China.

Related: In Other News: China’s Undersea Spying, Hotel Spyware, Iran’s Disruptive Attacks

Related: UK, New Zealand Accuse China of Cyberattacks on Government Entities

Related: US Treasury Slaps Sanctions on China-Linked APT31 Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights