Flax Typhoon Adopts Living-of-the-Land Binaries

According to a recent report published by Microsoft, a series of attack campaigns targeting organizations in Taiwan.

Security researchers at the Redmond tech giant have attributed the attacks to an advanced persistent threat actor tracked by Microsoft as Flax Typhoon.

Flax Typhoon Adopts Living-of-the-Land Binaries

The activities of this threat actor appear to overlap with Ethereal Panda, strongly suggesting that Flax Typhoon operates as a nation-state-linked threat group based in China.

Flax Typhoon seems to be geared towards cyber espionage operations as their tactics and techniques are geared towards the stealthy compromise of targeted networks across various industries.

Microsoft noted that in the current campaign targeting Taiwan, the threat actor's tactics for achieving and maintaining unauthorized access to target networks involve the use of valid accounts and living-off-the-land binaries (LOLBins).

This inevitably makes detecting and mitigating this attack challenging. Concerning the use of LOLBins, they are binaries of a non-malicious nature, local to the operating system, but are used by cybercriminals to camouflage their malicious activity.

LOLBins are often Microsoft-signed binaries, such as Certutil and Windows Management Instrumentation Command-line (WMIC). They can be used for various attacks, including executing code, performing file operations (downloading, uploading, copying, etc.), and stealing passwords. Operations are typically required in cyber espionage operations.

Diving deeper into the campaign discovered by Windows researchers, initial access to targeted infrastructure is typically done by exploiting known vulnerabilities with public-facing servers.

While the services targeted to grant initial access are varied, the following have been seen to be successfully targeted: VPN services, web services, Java, and SQL applications. The payload in these instances is a web shell geared towards remote code execution on now compromised systems.

As for privilege escalation, Microsoft notes,

In cases where the process compromised via web shell does not have local administrator privileges, Flax Typhoon downloads and runs a piece of malware that exploits one or more known vulnerabilities to obtain local system privileges. Microsoft has observed the actor use Juicy Potato, BadPotato, and other open-source tools to exploit these vulnerabilities.

Threat actors will then take several measures to ensure their presence remains persistent on the compromised network, including disabling network-level authentication. Here, we also encounter the use of living-off-the-land tactics as the threat actor will abuse Windows Sticky Keys.

Researchers noted,

Sticky Keys is an accessibility feature in Windows that allows users to press modifier keys (such as Shift, Ctrl, Alt) one at a time instead of simultaneously. It includes a shortcut where the user can press the Shift key five times in succession to launch sethc.exe, the program that manages Sticky Keys. The user can invoke this shortcut at any time, including at the sign-in screen. To take advantage of this feature, Flax Typhoon changes a registry key that specifies the location of sethc.exe. The actor adds arguments that cause the Windows Task Manager to be launched as a debugger for sethc.exe. As a result, when the actor uses the Sticky Keys shortcut on the Windows sign-in screen, Task Manager launches with local system privileges.

This is essentially done to allow the threat actor access to a compromised machine via Remote Desktop Protocol (RDP). Then, abuse the Sticky Keys feature to the sign-in screen and access Task Manager with local system privileges. From this point, the machine or network is at the threat actors' mercy.

Who is Flax Typhoon?

According to Microsoft, Flax Typhoon has been active since mid-2021 and has targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan.

While organizations in Taiwan make up the majority of targets, several victims have been discovered in Southeast Asia, as well as in North America and Africa. The threat actors focus on persistence, lateral movement, and credential access.

Summarizing the group's tactics, Microsoft states,

Flax Typhoon is known to use the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther virtual private network (VPN) client. However, Flax Typhoon primarily relies on living-off-the-land techniques and hands-on-keyboard activity. Flax Typhoon achieves initial access by exploiting known vulnerabilities in public-facing servers and deploying web shells like China Chopper. Following initial access, Flax Typhoon uses command-line tools to first establish persistent access over the remote desktop protocol, then deploy a VPN connection to actor-controlled network infrastructure, and finally collect credentials from compromised systems. Flax Typhoon further uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.

To help mitigate the threat posed by Flax Typhoon and other threat actors who use LOLBins maliciously, administrators are advised to:

  • Keep public-facing servers up to date so as to better defend against malicious activity. Public-facing servers need additional monitoring and security as prime targets for threat actors. Further, user input validation, file integrity monitoring, behavioral monitoring, and web application firewalls can all help to secure these servers better.
  • Monitor the Windows registry for unauthorized changes. The  Windows Audit Registry feature allows administrators to generate events when specific registry keys are modified. Such policies can detect registry changes that undermine the security of a system, like those made by Flax Typhoon.
  • Use network monitoring and intrusion detection systems to identify unusual or unauthorized network traffic. If an organization does not use RDP for a specific business purpose, any RDP traffic should be considered unauthorized and generate alerts.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal