China-Linked Velvet Ant Uses F5 BIG-IP Malware in Cyber Espionage Campaign

Chinese cyberespionage group Velvet Ant has been observed using custom malware to target F5 BIG-IP appliances in a sophisticated campaign aimed at breaching and persisting within target networks.

In late 2023, Sygnia researchers responded to an incident at a large organization, attributing the attack to Velvet Ant. The cyberspies deployed custom malware on F5 BIG-IP appliances to gain persistent access to the internal network and exfiltrate sensitive data.

Persistent Threat

Velvet Ant maintained access to the organization’s on-premises network for approximately three years. It kept that access by establishing multiple footholds in the environment, among them a legacy F5 BIG-IP appliance that was exposed to the internet and that the attackers repurposed as an internal Command and Control (C&C) server. When one foothold was discovered and remediated, the threat actor quickly shifted to another, demonstrating both agility and a deep understanding of the target’s network infrastructure.

“The compromised organization had two F5 BIG-IP appliances providing services such as firewall, WAF, load balancing, and local traffic management. Both appliances, running outdated and vulnerable operating systems, were directly exposed to the internet. The threat actor likely leveraged these vulnerabilities to gain remote access,” reads the analysis published by Sygnia. “A backdoor hidden within the F5 appliance can evade detection from traditional log monitoring solutions.”

Malware Deployment

Once the attackers compromised the F5 BIG-IP appliances, they accessed internal file servers and deployed the PlugX remote access Trojan (RAT), a tool commonly used by multiple Chinese APT groups in cyberespionage campaigns.

Forensic analysis of the F5 appliances revealed four additional malware binaries deployed by Velvet Ant:

  1. VELVETSTING: Connects to the threat actor’s C&C server once an hour, searching for commands to execute via ‘csh’ (Unix C shell).
  2. VELVETTAP: Captures network packets.
  3. SAMRID (EarthWorm): An open-source SOCKS proxy tunneler used by other China-linked APT groups such as Volt Typhoon, APT27, and Gelsemium.
  4. ESRDE: Similar to VELVETSTING but uses ‘bash’ instead of ‘csh’.

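The hourly call-out described for VELVETSTING is the kind of behaviour that stands out in outbound connection logs even when the implant on the appliance itself is hidden from the device's own logging. The following Python is an added example, not Sygnia's tooling and not an F5 feature: it groups outbound connections by source, destination and port, and flags pairs whose connections are both frequent enough and too evenly spaced to be ordinary user traffic. The log format and all addresses are constructed for the example, and the thresholds (at least four connections, under 10% interval jitter) are assumptions to tune per environment.

```python
"""Flag hosts that contact one external address on a regular cadence.

Added illustration only: not Sygnia's detection logic and not an F5 BIG-IP
feature. The log format below is a constructed, generic one
(ISO timestamp, source, destination, destination port); it is not the
appliance's real log format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: appliance 10.0.0.5 calls 203.0.113.9 every ~3600 s
# with a few seconds of jitter; workstation 10.0.0.20 browses irregularly.
SAMPLE_LOG = """\
2024-05-01T00:00:05 10.0.0.5 203.0.113.9 443
2024-05-01T00:12:41 10.0.0.20 198.51.100.7 443
2024-05-01T01:00:09 10.0.0.5 203.0.113.9 443
2024-05-01T01:03:17 10.0.0.20 198.51.100.8 443
2024-05-01T02:00:02 10.0.0.5 203.0.113.9 443
2024-05-01T02:10:00 10.0.0.20 198.51.100.7 443
2024-05-01T02:45:55 10.0.0.20 198.51.100.7 80
2024-05-01T03:00:07 10.0.0.5 203.0.113.9 443
2024-05-01T03:01:00 10.0.0.20 198.51.100.9 443
2024-05-01T04:00:03 10.0.0.5 203.0.113.9 443
2024-05-01T05:00:05 10.0.0.5 203.0.113.9 443
2024-05-01T05:30:00 10.0.0.20 198.51.100.7 443
"""


def parse_log(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, dport)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def find_beacons(events, min_connections=4, max_jitter=0.1):
    """Return (src, dst, dport, mean_interval_seconds) for regular cadences.

    A (src, dst, dport) triple is flagged when it has at least
    min_connections connections and the intervals between consecutive
    connections are tightly clustered: population std dev / mean below
    max_jitter. Both thresholds are assumptions for this example.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst, dport)].append(ts)

    hits = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Irregular human browsing has a high spread; a timer-driven
        # implant has a low one.
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((*key, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, dport, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}:{dport} every ~{period}s")
```

In the constructed sample the workstation also reaches 198.51.100.7:443 four times, but its intervals vary by hours, so only the appliance's once-an-hour pattern is reported. In practice the same logic applies to NetFlow or firewall egress logs, and a regular cadence from a device that should have no reason to initiate outbound connections deserves a closer look regardless of the destination's reputation.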
Recommendations for Mitigation

To mitigate attacks from groups like Velvet Ant, organizations should:

  • Limit outbound internet traffic, so that a compromised appliance or server cannot freely reach an external C&C server.
  • Restrict lateral movement within the network, in particular from edge appliances to internal file servers and workstations.
  • Enhance security hardening of legacy servers and appliances, which in this case were running outdated and vulnerable operating systems.
  • Mitigate credential harvesting.
  • Protect public-facing devices by keeping them patched and monitored.

The Sygnia report also includes indicators of compromise (IoCs) for the analyzed attack, providing valuable insights for organizations to strengthen their defenses against similar threats.

Key Takeaways

Velvet Ant’s campaign highlights the importance of securing legacy systems and implementing robust monitoring and response strategies to detect and mitigate advanced persistent threats (APTs). Organizations must remain vigilant and proactive in addressing vulnerabilities within their networks to prevent espionage and data breaches by sophisticated threat actors.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

Copyright © Netizen Corporation. All Rights Reserved.