Infrastructure-Centric Espionage: China-Linked Actors Compromise Southeast Asian Edge Routers

A sophisticated espionage campaign, attributed to China-nexus threat actors, is currently targeting organizations across Southeast Asia.

Unlike traditional attacks that focus on individual workstations, this operation utilizes an infrastructure-centric approach by compromising Linux-based edge routers. By establishing a foothold at the network perimeter, attackers gain the ability to manipulate downstream traffic and bypass many endpoint-centric security solutions.

The campaign employs a dual-platform strategy: a custom 64-bit Linux ELF implant on the router to control the gateway, paired with a cracked Cobalt Strike Beacon on Windows endpoints to maintain unified command-and-control (C2) over the entire environment.

Campaign Overview Diagram
Campaign Overview (Source: Qiita)

The Perimeter Foothold: Linux-Based Router Exploitation

As detailed in recent technical analysis by Qiita, the attackers target Linux-based border gateways to achieve root-level access. This positioning allows them to monitor, redirect, or weaponize every packet entering or exiting the network.

Payload Analysis: router.elf

The primary payload, router.elf, is a highly optimized, statically linked, and stripped x86-64 binary. The use of Position-Independent Executable (PIE) compilation and symbol stripping indicates a high level of tradecraft designed to complicate memory forensics and reverse engineering.

To evade detection, the implant utilizes several advanced obfuscation techniques:

  • Multi-layered Encryption: Configuration data (C2 domains and HTTP profiles) is protected via a custom Xorshift-based stream cipher layered over a standard XOR routine.
  • Runtime De-obfuscation: Sensitive strings, such as file paths and process names, are obfuscated with a single-byte XOR routine and only decrypted in memory during execution.
  • DNS over HTTPS (DoH): To circumvent traditional DNS monitoring (Port 53), the implant resolves C2 domains through Cloudflare’s DoH endpoint (cloudflare-dns.com), effectively hiding its resolution activity within encrypted HTTPS traffic.
DNS over HTTPS Resolution Diagram
DNS over HTTPS (DoH) Resolution (Source: Qiita)

Traffic Hijacking and Persistence

The adversary achieves a Man-in-the-Middle (MitM) position by injecting iptables DNAT rules. These rules redirect all internal UDP port 53 traffic to an attacker-controlled listener on non-standard port 8090. By utilizing an ipset (e.g., evil_fix), they can selectively hijack traffic destined for specific high-value domains, such as security vendor update sites or software repositories.

For redundancy, a secondary backdoor, client_rc_start, is deployed alongside the primary implant. This ensures that even if router.elf is purged, the actor can re-establish access and re-apply persistence mechanisms.

Endpoint Escalation: Cobalt Strike Operations

Once the perimeter is secured, the attackers deploy a cracked Cobalt Strike 4.4 Beacon on Windows systems using DLL sideloading. A malicious version.dll is loaded by legitimate-looking processes like CrashReport.exe located in the %allusersprofile% directory.

The Windows Beacon is architecturally synchronized with the router implant. Both use the same C2 URI patterns (/api/v1/get and /api/v1/post) and share similar HTTP header structures, including Mandarin-language preferences (Accept-Language: zh-CN). This shared infrastructure backbone confirms that a single operator is managing the complete kill chain, from the edge router to the internal endpoint.

Indicators of Compromise (IOCs)

C2 Domains:

Domain Usage
contextlayerrun[.]com Router implant C2
specialclouds[.]com CS Beacon C2
specialclouds[.]top CS Beacon C2
namefilecode[.]com CS Beacon C2
valuecode[.]top Associated C2
windowsweatherkb[.]top Associated C2
function.windowsoftmessages[.]com Associated C2
perfectgo[.]top Associated C2
safelyhome[.]top Associated C2
discovercoded[.]com Associated C2

File Indicators

Filename MD5 / SHA256 Description
router.elf 6401cdc783b4afcbcc294954b4cc5dd2 Linux router RAT (Primary)
router.elf 6a43de021fa79dc3eb5f6ed509b605ef617f56af7de8b136698e5dd86c7775ae SHA256 hash
client_rc_start 92ED4D259940D4294190E60ADD5CC587 Secondary router backdoor
version.dll 20C196FD5CF9A4845D048006321A52B8 CS Beacon DLL sideload payload

Note: Analysts are advised to re-fang these indicators only within secure environments.

Related Articles

Back to top button
PeWRtPV yZVbU MDkA