
Custom Web Shell Framework Found Targeting Microsoft IIS Servers

A newly identified China-linked threat cluster, tracked as OP-512, is deploying three custom web shells that use timestamp manipulation (timestomping) to blend into compromised Microsoft IIS servers for espionage purposes.

CSBadmin
2 Min Read

Threat Cluster Overview

Security researchers have identified a previously unknown threat cluster, designated OP-512, that is actively targeting Microsoft Internet Information Services (IIS) servers. The group deploys a custom web shell framework designed to maintain persistent remote access on compromised systems. According to ReliaQuest, the espionage-focused activity is assessed with moderate to high confidence as being linked to China-based adversaries.

This marks the fourth distinct threat group within the past year to specifically target IIS servers, following similar campaigns by other China-aligned actors. The attackers appear to be conducting intelligence-gathering operations through compromised web servers in sectors and geographic regions that align with Chinese intelligence priorities.

Technical Operations and Evasion

The OP-512 framework consists of three distinct web shells that provide remote access while employing several evasion techniques. Each deployment is uniquely generated, so file hashes recovered from one victim are of little use as indicators elsewhere, and access is cryptographically restricted so that only an operator holding the right key can drive the shell. The framework also scans every file and subfolder around the web shell locations and calculates the median last-modified timestamp of the legitimate files it finds.

Using a technique called timestomping, the attackers overwrite the creation and modification times of their web shell artifacts with this calculated median value, so the malicious files appear to have been on the server as long as their neighbours. This complicates forensic timeline analysis and defeats hunts that simply look for recently created or modified files in the web root. Timestomping only rewrites the timestamps a file-time API exposes, however: the NTFS $FILE_NAME attribute timestamps, the USN change journal and the IIS request logs are not touched, and a file integrity baseline taken before the intrusion will still show the shell as new.
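The following is an added example, not OP-512's code and not from the original article: it reproduces the median-timestamp blending described above on a constructed web root, and then shows one check that still catches it, a file integrity baseline that the backdated file contradicts. The file names, ages and contents are invented for the demo, and `os.utime` only sets access and modification times; rewriting the NTFS creation time that the article says OP-512 also manipulates needs `SetFileTime` on Windows.

```python
import hashlib
import os
import statistics
import tempfile
import time

# Added example, not OP-512 code: the median-timestamp timestomp described
# above, and one baseline check that still catches it. File names, ages and
# contents below are constructed for the demo.

DAY = 86400


def _files(root):
    """Yield absolute paths of every file under root, recursing into subfolders."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


def median_mtime(root, exclude=()):
    """Median last-modified time (epoch seconds) of the files around a drop
    location, skipping the attacker's own artifacts so that only the
    'legitimate' files contribute to the value."""
    skip = {os.path.abspath(p) for p in exclude}
    mtimes = [os.stat(p).st_mtime for p in _files(root) if os.path.abspath(p) not in skip]
    return statistics.median(mtimes)


def timestomp(path, ts):
    """Set access and modification time of path to ts. os.utime cannot touch
    the NTFS creation time; on Windows that needs SetFileTime (for example
    (Get-Item f).CreationTime = ... in PowerShell)."""
    os.utime(path, (ts, ts))


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def take_baseline(root):
    """Inventory of {relative path: sha256} for the web root."""
    return {os.path.relpath(p, root): _sha256(p) for p in _files(root)}


def find_backdated(root, baseline, baseline_time):
    """Files whose modification time claims they existed before the baseline
    was taken, but which are absent from it or have different content. A
    timestomped web shell contradicts the inventory this way; an honest new
    file carries an mtime later than baseline_time and is not flagged."""
    hits = []
    for p in _files(root):
        rel = os.path.relpath(p, root)
        if os.stat(p).st_mtime < baseline_time and baseline.get(rel) != _sha256(p):
            hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Build a constructed IIS-like web root, take a baseline, drop a shell
    timestomped to the median, and return what the check finds."""
    with tempfile.TemporaryDirectory() as root:
        now = time.time()
        os.mkdir(os.path.join(root, "inc"))
        # five constructed legitimate pages aged 400..50 days: median is 200 days
        for i, (sub, days) in enumerate([("", 400), ("", 300), ("inc", 200), ("", 100), ("inc", 50)]):
            p = os.path.join(root, sub, f"page{i}.aspx")
            with open(p, "w") as fh:
                fh.write(f"<%-- constructed legitimate page {i} --%>\n")
            os.utime(p, (now - days * DAY, now - days * DAY))
        baseline_time = time.time()
        baseline = take_baseline(root)

        # attacker drops a shell and blends its timestamp into the neighbours
        shell = os.path.join(root, "inc", "cmd.aspx")
        with open(shell, "w") as fh:
            fh.write("<%-- constructed placeholder standing in for a web shell --%>\n")
        med = median_mtime(root, exclude=[shell])
        timestomp(shell, med)

        return {
            "median_age_days": round((now - med) / DAY),
            "shell_matches_median": abs(os.stat(shell).st_mtime - med) < 1,
            "flagged": find_backdated(root, baseline, baseline_time),
        }


if __name__ == "__main__":
    print(demo())
```

The baseline check works because the attacker can only rewrite what lives in the file's own metadata; it cannot retroactively insert the shell into an inventory taken earlier. A hunt that relies on recent mtimes alone would miss `inc/cmd.aspx` here, since its timestamp lands squarely in the middle of the legitimate pages.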

Source: The Hacker News
