{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/softether/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Flax Typhoon","Ethereal Panda"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SoftEther VPN","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["flax-typhoon","defense-evasion","lateral-movement","vpn","process-masquerading"],"_cs_type":"threat","_cs_vendors":["SoftEther","Microsoft","Splunk"],"content_html":"\u003cp\u003eThe Flax Typhoon group has been observed using SoftEther VPN software to hide their network activity after gaining access to Taiwanese organizations. This activity, observed as of August 2023, involves renaming the SoftEther VPN client executable to masquerade as legitimate Windows processes, specifically \u003ccode\u003econhost.exe\u003c/code\u003e and \u003ccode\u003edllhost.exe\u003c/code\u003e. By doing so, they attempt to blend in with normal system activity and evade detection. The group\u0026rsquo;s activity highlights a trend of leveraging legitimate tools for malicious purposes. This allows them to maintain a low profile and persist within compromised networks for extended periods. Defenders should be aware of this tactic and implement detections to identify SoftEther VPN processes running under unexpected names.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a Taiwanese organization through unknown means.\u003c/li\u003e\n\u003cli\u003eDeployment of SoftEther VPN client onto the compromised system.\u003c/li\u003e\n\u003cli\u003eRenaming of the SoftEther VPN client executable to \u003ccode\u003econhost.exe\u003c/code\u003e or \u003ccode\u003edllhost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eExecution of the renamed SoftEther VPN client to establish a VPN connection.\u003c/li\u003e\n\u003cli\u003eNetwork traffic is routed through the SoftEther VPN, masking the origin of malicious activity.\u003c/li\u003e\n\u003cli\u003eLateral movement within the network using the VPN connection for obfuscation.\u003c/li\u003e\n\u003cli\u003eData exfiltration or other malicious activities, further concealed by the VPN.\u003c/li\u003e\n\u003cli\u003eMaintaining persistence by ensuring the renamed VPN client automatically starts on system reboot, providing continuous obfuscation for their activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful deployment of this technique allows the Flax Typhoon group to operate within compromised networks with reduced visibility. By masquerading the VPN client as legitimate processes, they make it more difficult for defenders to identify and respond to malicious activity. This can lead to prolonged periods of undetected data theft, system compromise, and other harmful outcomes. While the exact number of victims is unknown, the targeting of Taiwanese organizations suggests a focused campaign with potentially significant impact on national security and economic interests.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect SoftEther VPN binaries running under the names \u003ccode\u003econhost.exe\u003c/code\u003e or \u003ccode\u003edllhost.exe\u003c/code\u003e in your SIEM (see rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003econhost.exe\u003c/code\u003e or \u003ccode\u003edllhost.exe\u003c/code\u003e processes with a company name containing \u0026ldquo;SoftEther\u0026rdquo; or an original filename matching \u0026ldquo;vpnbridge*.exe\u0026rdquo; (see rules).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events (Event ID 1 in Sysmon) for unexpected executions of renamed binaries.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for outbound traffic originating from \u003ccode\u003econhost.exe\u003c/code\u003e or \u003ccode\u003edllhost.exe\u003c/code\u003e to external VPN servers, potentially indicating masqueraded SoftEther VPN activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-flax-typhoon-softether/","summary":"The Flax Typhoon group uses SoftEther VPN, masquerading the VPN client as legitimate Windows binaries like conhost.exe and dllhost.exe, to obfuscate their network activity within compromised Taiwanese organizations.","title":"Flax Typhoon Masquerading SoftEther VPN as Legitimate Windows Binaries","url":"https://feed.craftedsignal.io/briefs/2024-01-flax-typhoon-softether/"}],"language":"en","title":"CraftedSignal Threat Feed — SoftEther","version":"https://jsonfeed.org/version/1.1"}