Stealthy Flax Typhoon hackers use LOLBins to avoid detection

Microsoft has identified a new hacking group it is now tracking as Flax Typhoon, which targets government agencies, education, critical manufacturing and IT organizations, likely for espionage purposes.

The threat actor relies little on malware to gain and maintain access to the victim’s network, preferring to use components already present in the operating system, so-called living-off-the-land binaries (LOLBins), and legitimate software.

Flax Typhoon has been in operation since at least mid-2021, primarily targeting organizations in Taiwan, although Microsoft has discovered some victims in Southeast Asia, North America, and Africa.

Flax Typhoon’s observed TTPs

In the campaign observed by Microsoft, Flax Typhoon gained initial access by exploiting known vulnerabilities in public-facing servers, including VPN, web, Java and SQL applications.

The hackers then deploy China Chopper, a small (4KB) but powerful web shell that provides remote code execution capabilities.

If necessary, hackers elevate their privileges to the administrator level using the publicly available open-source “Juicy Potato” and “BadPotato” tools that exploit known vulnerabilities to gain higher permissions.

Flax Typhoon then establishes persistence by turning off Network Level Authentication (NLA) through registry changes and abusing the Windows Sticky Keys accessibility feature to set up an RDP (Remote Desktop Protocol) connection.

“Flax Typhoon can access the compromised system via RDP, use the Sticky Keys shortcut on the login screen, and access the Task Manager with local system privileges,” Microsoft explains.

From there, the actor can launch the Terminal, create memory dumps, and take almost any other action on the compromised system.

Registry key added to disable NLA (Microsoft)

Because RDP connectivity is limited to the internal network, Flax Typhoon installs a legitimate VPN (Virtual Private Network) bridge to maintain the link between the compromised system and its external server.

The hackers download the open-source SoftEther VPN client using LOLBins such as the PowerShell Invoke-WebRequest utility, certutil or bitsadmin, and abuse several built-in Windows tools to make the VPN application launch automatically on system startup.

System service to launch SoftEther VPN (Microsoft)

To reduce the risk of detection, the attackers rename the SoftEther VPN executable to “conhost.exe” or “dllhost.exe”, disguising it as a legitimate component of the Windows operating system.

Furthermore, Flax Typhoon uses SoftEther’s VPN-over-HTTPS mode to disguise VPN traffic as standard HTTPS traffic.

Microsoft says the hackers use Windows Remote Management (WinRM), WMIC, and other LOLBins for lateral movement.

Researchers say this China-based adversary frequently uses the Mimikatz tool to extract credentials from the Local Security Authority Subsystem Service (LSASS) process memory and Security Account Manager (SAM) registry hive.

Microsoft has not observed Flax Typhoon using the stolen credentials to collect additional data, which leaves the actor’s main objective unclear at this time.


Microsoft recommends that organizations apply the latest security updates to Internet-exposed endpoints and public servers, and that multi-factor authentication (MFA) be enabled on all accounts.

Furthermore, registry monitoring can help detect modification attempts and unauthorized changes such as those made by Flax Typhoon to disable NLA.
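A defender-side check for the persistence and masquerading tradecraft described in this article (NLA disabled through the registry, the Sticky Keys shortcut, and the VPN client renamed to conhost.exe or dllhost.exe). This is an added example, not Microsoft's or the article's code; the registry paths are the standard Windows locations for these settings (not quoted on the page), and the Sysmon-style event records are constructed sample input.

```python
import re

# Standard Windows registry locations (not quoted in the article; known Windows paths).
# RDP listener setting: UserAuthentication = 0 turns Network Level Authentication off.
NLA_VALUE = (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
             r"\WinStations\RDP-Tcp\UserAuthentication")
# A Debugger under the sethc.exe IFEO key redirects the Sticky Keys shortcut to another program.
STICKY_KEYS_IFEO = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                    r"\Image File Execution Options\sethc.exe\Debugger")
# Names the renamed VPN client was observed using; the genuine binaries live in System32.
MASQUERADE_NAMES = {"conhost.exe", "dllhost.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

def dword_is_zero(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000000)'; a bare '0' is also accepted."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    return int(m.group(1), 16) == 0 if m else details.strip() == "0"

def check_registry(event):
    """Sysmon Event ID 13 (registry value set): flag NLA turned off or a Sticky Keys debugger."""
    target, details = event["TargetObject"], str(event.get("Details", ""))
    if target.lower() == NLA_VALUE.lower() and dword_is_zero(details):
        return "NLA disabled on RDP-Tcp listener"
    if target.lower() == STICKY_KEYS_IFEO.lower():
        return f"Sticky Keys debugger set to {details}"
    return None

def check_process(event):
    """Sysmon Event ID 1 (process create): flag System32 binary names running from elsewhere."""
    image = event["Image"]
    name = image.rsplit("\\", 1)[-1].lower()
    if name in MASQUERADE_NAMES and not image.lower().startswith(SYSTEM32):
        return f"{name} running outside System32: {image}"
    return None

def scan(events):
    """Return findings, in order, for a sequence of Sysmon-style event dicts (IDs 13 and 1)."""
    checks = {13: check_registry, 1: check_process}
    hits = (checks[ev["EventID"]](ev) for ev in events if ev["EventID"] in checks)
    return [h for h in hits if h]

# Constructed sample telemetry modelled on the tradecraft described in the article.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": NLA_VALUE, "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": STICKY_KEYS_IFEO, "Details": r"C:\Windows\System32\taskmgr.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe"},                # legitimate
    {"EventID": 1, "Image": r"C:\Users\Public\conhost.exe"},                    # renamed VPN client
    {"EventID": 13, "TargetObject": NLA_VALUE, "Details": "DWORD (0x00000001)"},  # NLA re-enabled
]
```

Running `scan(SAMPLE_EVENTS)` yields three findings: the NLA change, the Sticky Keys debugger, and the conhost.exe copy outside System32; the genuine conhost.exe and the NLA re-enable are not flagged.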

Organizations that suspect a breach by this threat actor need to scan their networks thoroughly, as long dwell times allow Flax Typhoon to compromise multiple accounts and alter system configurations for long-term access.
