
New China-linked threat cluster OP-512 targets Microsoft IIS servers


As detailed in The Hacker News, a newly identified threat cluster named OP-512 has been observed actively targeting Microsoft Internet Information Services (IIS) servers. ReliaQuest researchers assess with moderate to high confidence that this espionage-focused activity is linked to China, marking it as the fourth such group to focus on IIS servers in the past year.

OP-512 deploys a custom web shell framework consisting of three distinct web shells, designed to give the attackers remote access while evading detection. The group uses techniques such as timestomping (altering file timestamps so that dropped files blend in with legitimate system files). The framework is unique, featuring individually generated deployments, cryptographic access controls, and automated reporting for centralized management. The attackers target legacy IIS servers, such as one running Windows Server 2016 with an outdated .NET Framework. The attack sequence involves dropping a web shell via the server's worker process; the web shell then self-reports its location to an attacker-controlled domain.

OP-512 also attempts privilege escalation to the SYSTEM level using the Potato Suite. The cluster's sophisticated, purpose-built tooling suggests it is designed to bypass defenses tuned for other known China-linked threat groups, highlighting a significant gap for defenders relying on signature-based detection.
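As an added defender-side example (not from the ReliaQuest report or this article), the following Python classifies Sysmon-style JSON events for the sequence described above: the IIS worker process (w3wp.exe) writing a server-executable file into the site root, rewriting a file's creation time (timestomping), resolving a domain outside a known allowlist (the self-report), or spawning a child process. The webroot path, the field names and every sample event are assumptions constructed for the example; the domain in the sample is a placeholder, not an indicator from the report.

```python
import json
import ntpath

WEBROOT = r"c:\inetpub\wwwroot"                   # assumption: default IIS site root
WEB_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}    # server-executable file types

def _under_webroot(path):
    return path.lower().startswith(WEBROOT + "\\")

def classify(event, allowed_domains=frozenset()):
    """Return (finding, detail) for one Sysmon event dict, or None if benign.
    Sysmon IDs: 1 ProcessCreate, 2 FileCreateTime changed, 11 FileCreate, 22 DnsQuery."""
    eid = event["EventID"]
    proc = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if eid == 1 and parent == "w3wp.exe":
        return ("w3wp-child-process", event["Image"])   # worker process spawning a shell
    if proc != "w3wp.exe":
        return None
    target = event.get("TargetFilename", "")
    if eid == 11 and _under_webroot(target) and ntpath.splitext(target)[1].lower() in WEB_EXTS:
        return ("webshell-drop", target)                # w3wp wrote an executable web file
    if eid == 2 and _under_webroot(target):
        return ("timestomp", target)                    # creation time rewritten on a webroot file
    if eid == 22 and event.get("QueryName", "").lower() not in allowed_domains:
        return ("dns-beacon", event["QueryName"])       # lookup outside the known set: self-report
    return None

def scan(lines, allowed_domains=frozenset()):
    """Classify each non-empty JSON line; return the list of findings in order."""
    hits = (classify(json.loads(l), allowed_domains) for l in lines if l.strip())
    return [h for h in hits if h]

# Constructed sample events; the domain is a labelled placeholder, not a real indicator.
SAMPLE_EVENTS = r'''
{"EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\inetpub\\wwwroot\\aspnet_client\\update.aspx"}
{"EventID": 2, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\inetpub\\wwwroot\\aspnet_client\\update.aspx"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "QueryName": "report.attacker-placeholder.invalid"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\inetpub\\wwwroot\\default.aspx"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "QueryName": "login.microsoftonline.com"}
'''.splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, {"login.microsoftonline.com"}):
        print(*finding)
```

The timestomp rule only sees creation-time changes that Sysmon records; a web shell stomped with a tool that bypasses that path still leaves the drop and beacon events, which is why the rules are meant to be correlated rather than used alone.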

Source: The Hacker News
