Cybersecurity researchers have identified a previously unreported threat cluster known as OP-512 that is actively targeting Microsoft Internet Information Services (IIS) servers using a custom-built web shell framework designed for espionage operations. Security company ReliaQuest said it has assessed with moderate to high confidence that the activity is linked to China, citing operational patterns, target alignment and tactics that reflect intelligence priorities associated with China-aligned cyber operations. Researchers said the activity was observed on a compromised IIS web server belonging to an organisation whose sector and geographic profile aligned with known intelligence interests. The discovery adds to growing concerns surrounding the increased targeting of internet-facing IIS infrastructure by advanced threat groups over the past year.
According to ReliaQuest, OP-512 appears to operate independently despite sharing tactical similarities with other China-aligned cyber clusters that have targeted IIS servers in recent months. Researchers noted that no direct overlap has yet been identified between OP-512 and previously documented threat actors, though the campaign marks the fourth known China-aligned cluster to focus on IIS web servers within the past 12 months. The other groups include CL-STA-0048, DragonRank and GhostRedirector. More recently, Cisco Talos reported that multiple Chinese-speaking cybercrime groups had been sharing a variant of malware known as BadIIS to compromise IIS servers. Separately, IIS infrastructure has also been targeted by SHADOW EARTH 053 in espionage campaigns directed at government and defence sectors across South, East and Southeast Asia. Security analysts believe the repeated focus on IIS servers, particularly systems running outdated software, demonstrates that these environments remain attractive entry points for cyber espionage activity.
At the centre of OP-512’s operations is a custom web shell framework made up of three different web shells, each designed to provide remote access while reducing the likelihood of detection. ReliaQuest said the framework contains a combination of features not commonly observed together, including unique deployment generation for each compromise, cryptographic controls limiting access to attackers and automated reporting mechanisms that enable centralised management of infected systems at scale. To complicate forensic investigations, the threat cluster also employed timestomping techniques, which manipulate timestamps on files to create the appearance that malicious files have existed on a system for a longer period. Researchers explained that the attackers scanned nearby files and folders, calculated a median last modified timestamp and then adjusted the timestamps of their malicious files to blend into the surrounding environment. This method can make identifying suspicious activity significantly more difficult for defenders relying on conventional monitoring tools.
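The timestamp-blending technique described above still leaves a trace, because rewriting a file's last-modified time does not rewind the filesystem's own record of when the file was created or last changed. The following is an added defender-side example, not ReliaQuest's or OP-512's code; the function names, the sample upload directory and its file names are constructed assumptions. It flags executable web files whose modification time is far older than their ctime and reports how close each flagged file sits to its directory's median timestamp.

```python
"""Hunt for timestomped server-side script files in an IIS content directory.
Hypothetical helper names; the demo directory is constructed for illustration."""
import os
import statistics
import tempfile
import time
from pathlib import Path

# File types IIS/ASP.NET will execute if they appear in a content directory.
WEB_EXEC_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".dll"}


def find_timestomp_candidates(directory, skew_seconds=300):
    """Flag executable web files whose mtime is far older than their ctime.
    SetFileTime/utime rewrite mtime, but ctime (creation time on Windows,
    inode-change time on POSIX) is set by the filesystem and is not rewound.
    Files copied with preserved timestamps (cp -p, robocopy /COPY:DAT) are the
    main false positive. Returns [(path, mtime, ctime, seconds_from_dir_median)]."""
    files = [p for p in Path(directory).rglob("*") if p.is_file()]
    mtimes_by_dir = {}
    for p in files:
        mtimes_by_dir.setdefault(p.parent, []).append(p.stat().st_mtime)
    hits = []
    for p in files:
        if p.suffix.lower() not in WEB_EXEC_EXT:
            continue
        st = p.stat()
        if st.st_ctime - st.st_mtime > skew_seconds:
            median = statistics.median(mtimes_by_dir[p.parent])
            hits.append((str(p), st.st_mtime, st.st_ctime, abs(st.st_mtime - median)))
    return hits


def build_demo_dir():
    """Construct a sample upload directory: benign uploads with spread-out
    mtimes, a freshly deployed legitimate handler, and a planted .ashx whose
    mtime has been set to the median of its neighbours (the blending trick)."""
    root = Path(tempfile.mkdtemp(prefix="iis_uploads_"))
    now = time.time()
    ages_days = [400, 300, 200, 100, 30]
    for i, days in enumerate(ages_days):
        f = root / f"invoice_{i}.pdf"
        f.write_bytes(b"%PDF-constructed sample")
        os.utime(f, (now - days * 86400, now - days * 86400))
    (root / "legit_handler.ashx").write_text("placeholder handler")  # fresh deploy
    planted = root / "upload_tmp.ashx"
    planted.write_text("placeholder handler")  # stand-in content only
    median = statistics.median(now - d * 86400 for d in ages_days)
    os.utime(planted, (median, median))  # blend into the neighbours' timeline
    return root
```

On a live server, run the scan against the IIS content and upload paths and correlate any hit with w3wp.exe file-write telemetry from the same window.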
In the observed attack, OP-512 reportedly targeted a legacy IIS server running Windows Server 2016 with an end-of-life .NET Framework 4.0 environment. Researchers found signs of suspicious activity on the same server roughly 75 days before the primary intrusion, including DNS requests to an attacker-controlled domain identified as ashx.lhlsjcb[.]com. During the later attack sequence, described by researchers as a rapid operational sprint, the attackers used the IIS worker process known as w3wp.exe to deploy one of the web shells into an application upload directory. The deployment activated an automated reporting mechanism that sent the web shell location back to attacker-controlled infrastructure using DNS requests, with HTTP communication as a fallback option. Once access was established, the attackers attempted to elevate privileges to SYSTEM level using Potato Suite and executed commands such as “whoami /priv” to confirm system permissions. ReliaQuest warned that organisations relying on detection methods tuned for previously known actors may remain vulnerable to OP-512 due to its customised tooling and specialised techniques, adding that unsupported and internet-facing IIS servers continue to represent a preferred target for multiple cyber espionage groups.