China-linked hackers target Asian organizations with Nezha monitoring tool
Researchers found evidence that suspected China-based actors used a monitoring tool called Nezha during compromises of more than 100 victim machines in Taiwan, Japan, South Korea and Hong Kong.
Incident responders at cybersecurity firm Huntress said they initially came across the campaign while investigating a vulnerable, public-facing web application that was the source of an intrusion at the beginning of August. The threat actor took over a web shell before deploying Nezha — an operation and monitoring tool that allows commands to be run on a web server.
Huntress said Nezha is marketed as a lightweight, open-source server monitoring and task management tool that is publicly available.
“Although this has legitimate uses, this case represents a novel finding that it is also being used to facilitate follow-on activity from web intrusions,” Huntress said, noting that they saw hackers use Nezha to eventually deploy malware.
Jai Minton, principal security operations analyst at Huntress, compared Nezha to a remote that allows you to control your TV.
“Nezha allows you to control a computer if it is connected, except remotely from anywhere over the internet. The Nezha dashboard is the remote, and the Nezha agent, which can be installed on any computer if you have access to it, is the TV,” Minton said.
Huntress said Nezha was used in tandem with other families of malware and web shell management tools, such as Ghost RAT and AntSword.
One of the first clues leading them to attribute the incident to Chinese actors was that, upon accessing the administrative interface of the compromised system, the hacker set the language to simplified Chinese.
Minton added that even though Huntress stopped short of formally attributing the campaign to a specific Chinese threat actor, the use of Ghost RAT and AntSword was a clue because they both have been used before in activity publicly attributed to Chinese APT groups.
“There's a similar overlap in the Ghost RAT sample we observed to one publicly reported to be used by a China-nexus APT group targeting the Tibetan community,” Minton added.
“The insight into potential victim geographical locations also showed that Taiwan, Japan, and South Korea were most targeted, which happen to be 3 locations that are particularly involved in political disputes with the People's Republic of China around the extent of their exclusive economic zones in the East China Sea. The speed at which the compromise took place and lack of clear tradecraft seen by financially motivated cybercriminals across a large number of our partner environments leads to the belief that this is more likely to be a politically motivated threat actor.”
Minton said Huntress was unable to determine whether the focus of the attacks was espionage or data theft.
The Huntress report notes that there appear to be more than 100 potential victims of the campaign, a number that has only increased over time. Huntress also found that some entities likely responded quickly to an attack that deployed Nezha, given that the first-seen and last-seen times for some of the systems running the Nezha agent were only a few hours apart.
“While operational security mistakes were made by the threat actor, their ability to swiftly compromise systems and maintain access for long periods of time using an underreported tool should not be underestimated,” Huntress explained.
“Tools, malware, IP addresses, domains, and victim demographics all appear to point towards a capable China-nexus threat actor who has been underreported on.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.