Security researchers have identified new cyber espionage activity focused on government entities in Asia, as well as state-owned aerospace and defense companies, telecommunications companies, and IT organizations.
The threat group behind this activity is a separate cluster previously associated with the “ShadowPad” RAT (Remote Access Trojan). In recent campaigns, the threat actor has deployed a much more diverse set of tools.
According to a report by the Symantec Threat Hunter Team describing the activity, the intelligence-gathering attacks have been ongoing since at least early 2021 and are still continuing.
The current campaign appears to be almost exclusively focused on government or public entities in Asia, including:
- Head of Government/Office of the Prime Minister
- Government institutions related to finance
- State-owned aerospace and defense companies
- Public telecommunications companies
- State-owned IT organizations
- State-owned media companies
2022 attack chain
Symantec presents an example of an attack that took place in April 2022 to show how the espionage group compromises its government targets.
The attack begins with planting a malicious DLL that is loaded by launching the executable of a legitimate application (DLL side-loading); the DLL in turn loads a .dat file.
In this case, the legitimate application abused by the attackers was an 11-year-old Bitdefender Crash Handler executable.
The initial .dat payload contains encrypted shellcode that can be used to execute additional commands or payloads directly from memory.
Just three days after establishing backdoor access, the threat actors installed ProcDump to snatch user credentials from the Local Security Authority Subsystem Service (LSASS).
On the same day, the LadonGo penetration testing framework was also loaded via DLL hijacking and used for network reconnaissance.
Two weeks after the initial intrusion, the attackers returned to the compromised machine to install Mimikatz, a commonly used credential theft tool.
Additionally, hackers attempted to exploit CVE-2020-1472 (Netlogon) against two computers on the same network to elevate their privileges.
The attackers used PsExec to run the Crash Handler executable and repeat the DLL hijacking trick to load payloads onto additional computers on the network.
A month after the intrusion, the threat actors obtained privileges to create new user accounts and mounted a snapshot of the Active Directory server to access user credentials and log files.
Finally, Symantec observed the deployment of Fscan in an attempt to exploit CVE-2021-26855 (ProxyLogon) against Exchange servers in the compromised network.
New custom infostealer
One of the tools used by the attackers in recent campaigns is a previously unknown infostealer (Infostealer.Logdatter), which has essentially replaced ShadowPad.
The capabilities of this new tool include:
- Taking screenshots
- Connecting to and querying SQL databases
- Code injection: reading a file and injecting the code it contains into a process
- Downloading files
- Stealing clipboard data
In addition to Logdatter and all the tools mentioned in the previous section, the attackers deployed QuasarRAT, Nirsoft PassView, FastReverseProxy, PlugX, Trochilus RAT and various PowerSploit scripts.
Symantec’s Threat Hunter Team linked this campaign to Chinese state-sponsored threat groups APT41 and Mustang Panda based on malicious tools previously linked to these spy teams.
For example, use of the Bitdefender executable for side-loading malicious code has been observed in campaigns attributed to APT41.
Symantec also highlights the use of the same keylogger as in APT41 attacks deployed against critical infrastructure organizations based in Southeast Asia.
“There is limited evidence to suggest links to past attacks involving the Korplug/PlugX malware and to attacks by a number of known groups, including Blackfly/Grayfly (APT41) and Mustang Panda,” the researchers said.
Therefore, it is likely that Chinese hackers are behind these espionage campaigns, but the evidence is not strong enough for a confident attribution.
To protect your systems against sophisticated threats, keep all software up to date to prevent the exploitation of known vulnerabilities, and examine the processes running on all computers to identify software implants.
A growing number of APTs are embracing DLL search-order hijacking, so any software running on systems that is not part of the organization's software portfolio is a red flag, even if security solutions do not flag it as malicious.
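As an added illustration (not code from the article or from Symantec's report) of how a defender might hunt for the steps in the attack chain above and apply the closing advice about software outside the organization's portfolio, the following Python script runs a few simple rules over constructed Sysmon-style endpoint events: a signed executable outside the usual program directories loading an unsigned DLL from its own folder (the side-loading pattern), a process naming LSASS on its command line, a process spawned by the PsExec service, and any executable missing from an approved-software inventory. All event field names, paths, file names and the inventory are assumptions made for the example.

```python
"""Added detection example (not code from the Symantec report or the article):
hunt constructed Sysmon-style endpoint telemetry for the behaviours described
above. All event shapes, field names, paths and file names are constructed."""
import ntpath

# Directories where signed vendor software normally lives (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed approved-software inventory; a real one comes from asset management.
APPROVED_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\explorer.exe",
    r"c:\program files\contoso suite\suite.exe",
}

# Processes that legitimately touch LSASS (assumption; tune per estate).
LSASS_ALLOWLIST = {r"c:\windows\system32\wininit.exe"}


def in_trusted_dir(path):
    return any(path.lower().startswith(d) for d in TRUSTED_DIRS)


def check_image_load(ev):
    """Sysmon Event ID 7 analogue: `image` loaded the DLL `loaded`.
    Flags a signed executable outside the trusted directories loading an
    unsigned DLL from its own directory, the pattern the article describes."""
    exe, dll = ev["image"].lower(), ev["loaded"].lower()
    same_dir = ntpath.dirname(exe) == ntpath.dirname(dll)
    if ev["image_signed"] and not ev["loaded_signed"] and same_dir and not in_trusted_dir(exe):
        return (f"possible DLL side-load: signed {ntpath.basename(exe)} loaded unsigned "
                f"{ntpath.basename(dll)} from {ntpath.dirname(exe)}")
    return None


def check_process_create(ev):
    """Sysmon Event ID 1 analogue: a process was created."""
    findings = []
    image = ev["image"].lower()
    parent = ev.get("parent", "").lower()
    # Arguments only: drop the image path so lsass.exe's own launch is not flagged.
    args = ev.get("cmdline", "").lower().replace(image, "", 1).strip('" ')
    if image not in APPROVED_IMAGES:
        findings.append(f"unapproved software: {image}")
    if "lsass" in args and image not in LSASS_ALLOWLIST:
        findings.append(f"LSASS named on command line of {ntpath.basename(image)}")
    if ntpath.basename(parent) == "psexesvc.exe":
        findings.append(f"remote execution via PsExec service: {ntpath.basename(image)}")
    return findings


def hunt(events):
    """Run every event through the matching check and collect the findings."""
    findings = []
    for ev in events:
        if ev["type"] == "image_load":
            hit = check_image_load(ev)
            if hit:
                findings.append(hit)
        elif ev["type"] == "process_create":
            findings.extend(check_process_create(ev))
    return findings


# Constructed sample telemetry (file names are placeholders, not real indicators).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "parent": r"C:\Windows\System32\services.exe"},
    # Signed vendor binary dropped in a user-writable folder loads an unsigned DLL beside it.
    {"type": "image_load", "image": r"C:\Users\Public\vendor\crash_handler.exe",
     "loaded": r"C:\Users\Public\vendor\helper.dll",
     "image_signed": True, "loaded_signed": False},
    {"type": "process_create", "image": r"C:\Users\Public\vendor\crash_handler.exe",
     "cmdline": r"C:\Users\Public\vendor\crash_handler.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # Dumping tool aimed at LSASS.
    {"type": "process_create", "image": r"C:\Users\Public\procdump.exe",
     "cmdline": r"C:\Users\Public\procdump.exe lsass.exe lsass.dmp",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Shell spawned by the PsExec service: lateral movement onto this host.
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /c hostname",
     "parent": r"C:\Windows\PSEXESVC.exe"},
    # The same side-load shape inside Program Files is left alone by this rule.
    {"type": "image_load", "image": r"C:\Program Files\Contoso Suite\suite.exe",
     "loaded": r"C:\Program Files\Contoso Suite\plugin.dll",
     "image_signed": True, "loaded_signed": False},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The trusted-directory rule is deliberately coarse: it trades missed side-loads inside Program Files for fewer false positives from legitimate plugin architectures, which is why the inventory check runs independently and would still surface the dropped Crash Handler copy on its own.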