A previously undocumented Advanced Persistent Threat (APT) group, “NightEagle,” has been found targeting the Chinese government and critical sectors using an unidentified Microsoft Exchange zero-day flaw.

According to a discovery made by RedDrip, the threat intelligence unit of Chinese cybersecurity firm QiAnXin Technology, the threat group has been compromising Microsoft Exchange servers through a sophisticated zero-day exploit chain to steal confidential mailbox data.

“Since 2023, QiAnXin has been continuously tracking a top APT group which holds an unknown Exchange vulnerability exploitation chain and has a substantial fund to purchase a large amount of network assets, such as VPS servers and domain names,” said RedDrip researchers in a report. “This group has long targeted top companies and institutions in China’s high-tech, chip semiconductor, quantum technology, artificial intelligence, and large language models, military industry, and other fields for cyber attacks.”

Researchers said they named the group NightEagle for its speedy operations and consistent activity during nighttime hours.

Exchange zero-day for IIS hijack

According to the analysis, NightEagle leverages an unidentified zero-day vulnerability in Microsoft Exchange to harvest the machineKey, which enables unauthorized deserialization and basic shell access. This in turn lets the attackers implant a .NET loader within Microsoft’s Internet Information Services (IIS) web server, giving them remote access to mailboxes.

“After a comprehensive analysis of the attack activities of the NightEagle group, we found that it possesses a complete set of unknown Exchange vulnerability exploitation chain weapons,” the researchers said. “However, at present, we have only obtained the process in which attackers obtain the key through unknown means and then steal Exchange data.”

The harvested machineKey is a critical secret in .NET and ASP.NET applications such as Exchange: it is used to sign and validate authentication tokens and cookies and to protect encrypted data. With the key in hand, the attackers sent a crafted payload that, when deserialized by the Exchange server, gave them remote code execution (RCE).

The RCE was used mainly to access and exfiltrate mailbox content, possibly including attachments, internal communications and sensitive business correspondence. Requests for comment sent to Microsoft about the alleged zero-day went unanswered.

Attackers pursued stealthy persistence

Following successful exploitation of the zero-day, the attackers deploy a modified version of Chisel, an open-source Go tunneling tool with SOCKS proxy support, scheduled to run every four hours so that it re-establishes covert tunnels to their command-and-control (C2) servers.

This allowed them to move in and out of the network whenever they wanted, enabling persistence for over a year, even after initial infections were cleaned up.

“We found through the landing time of the Chisel malware and the attack traffic time saved by the EDR that the attack time was from 9 pm to 6 am Beijing time,” the researchers said. “The working hours of this group were very fixed, and they never worked overtime or stole data after work hours. Based on the time zone analysis, we think the group is from a country in North America.”

Domain registration by the group suggested that NightEagle’s targets shift in response to geopolitical developments, such as launching attacks on Chinese sectors using large AI models as the country’s AI markets expand, researchers noted.
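Two of the observations above lend themselves to automated hunting: a tunneling binary launched on a fixed four-hour cadence, and interactive activity clustered in a narrow window once timestamps are converted to a candidate time zone. The script below is an added example, not code from RedDrip or the report; the EDR process-start lines, host name `mx01` and file paths are constructed and hypothetical. It flags any image launched at a regular interval, then builds an hour-of-day profile of the remaining (non-periodic) activity in Beijing time and reports the activity window, handling the case where the window wraps past midnight.

```python
"""Hunt for (1) fixed-cadence process launches and (2) operator working hours.
Added example; not the vendor's code. Sample events below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

BEIJING = timezone(timedelta(hours=8))  # analyst-chosen zone to test the hypothesis

# Constructed EDR process-start events (UTC). Format: timestamp|host|image path.
# The first five lines mimic a scheduled beacon; the rest mimic hands-on activity.
SAMPLE_EVENTS = r"""
2024-03-11T13:00:05Z|mx01|C:\Windows\Temp\winupd.exe
2024-03-11T17:00:07Z|mx01|C:\Windows\Temp\winupd.exe
2024-03-11T21:00:04Z|mx01|C:\Windows\Temp\winupd.exe
2024-03-12T01:00:06Z|mx01|C:\Windows\Temp\winupd.exe
2024-03-12T05:00:05Z|mx01|C:\Windows\Temp\winupd.exe
2024-03-11T14:12:44Z|mx01|C:\Windows\System32\cmd.exe
2024-03-11T15:31:02Z|mx01|C:\Windows\System32\cmd.exe
2024-03-11T18:47:19Z|mx01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2024-03-11T21:20:33Z|mx01|C:\Windows\System32\cmd.exe
"""


def parse_events(text):
    """Parse 'timestamp|host|image' lines into (aware UTC datetime, host, image)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image = line.strip().split("|", 2)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, host, image))
    return events


def find_periodic(events, min_runs=4, tolerance=timedelta(minutes=5)):
    """Return {(host, image): interval} for images whose launches are evenly spaced.

    A scheduled task that fires every N hours produces near-identical gaps; jitter
    up to `tolerance` is accepted so a few seconds of scheduler drift do not hide it.
    """
    runs = defaultdict(list)
    for when, host, image in events:
        runs[(host, image)].append(when)
    periodic = {}
    for key, times in runs.items():
        if len(times) < min_runs:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        typical = timedelta(seconds=median([g.total_seconds() for g in gaps]))
        if all(abs(g - typical) <= tolerance for g in gaps):
            periodic[key] = typical
    return periodic


def hour_profile(events, tz, exclude=frozenset()):
    """Count events per local hour of day in `tz`, skipping (host, image) keys in `exclude`."""
    return Counter(when.astimezone(tz).hour
                   for when, host, image in events if (host, image) not in exclude)


def active_span(profile):
    """Smallest circular span of hours covering all activity, as (first, last) inclusive.

    Works around the clock so a window such as 22:00 to 05:00 is reported correctly;
    returns None when the profile is empty.
    """
    hours = sorted(h for h, n in profile.items() if n)
    if not hours:
        return None
    # The activity window is the complement of the longest idle run on the 24-hour circle.
    best_gap, best_end = -1, None
    for a, b in zip(hours, hours[1:] + [hours[0] + 24]):
        gap = b - a - 1
        if gap > best_gap:
            best_gap, best_end = gap, b % 24
    return best_end, (best_end - best_gap - 1) % 24


def analyze(log_text, tz=BEIJING):
    """Run both checks; the periodic beacon is excluded from the operator-hours profile."""
    events = parse_events(log_text)
    periodic = find_periodic(events)
    profile = hour_profile(events, tz, exclude=periodic.keys())
    return {"periodic": periodic, "profile": profile, "span": active_span(profile)}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for (host, image), interval in result["periodic"].items():
        print(f"[periodic] {host} {image} every ~{interval.total_seconds() / 3600:.1f} h")
    print("interactive events by Beijing hour:", dict(sorted(result["profile"].items())))
    print("operator window (Beijing hours, inclusive):", result["span"])
```

On the constructed sample the beacon is reported at roughly a 4.0 h cadence and the interactive window comes out as 22:00 to 05:00 Beijing time. The same profile should be recomputed for a few candidate zones before drawing any attribution conclusion: a fixed window is only as meaningful as the assumption about which local clock it maps to, and a long-running deployment like the year-plus persistence described above gives enough data points to tell a genuine work schedule from coincidence.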
