Privacy Ninja

Chinese Cyber-espionage group Moshen Dragon Targets Asian Telcos

Chinese Cyber-espionage group Moshen Dragon Targets Asian Telcos

Researchers have identified a new cluster of malicious cyber activity tracked as Moshen Dragon, targeting telecommunication service providers in Central Asia.

While this new threat group has some overlaps with “RedFoxtrot” and “Nomad Panda,” including the use of ShadowPad and PlugX malware variants, there are enough differences in their activity to follow them separately.

According to a new report by Sentinel Labs, Moshen Dragon is a skilled hacking group with the ability to adjust its approach depending on the defenses they’re facing.

The hackers engage extensively in trying to sideload malicious Windows DLLs into antivirus products, steal credentials to move laterally, and eventually exfiltrate data from infected machines.

Also Read: Top 5 Impact of Data Loss on Business

Moshen Dragon's overal operation chain
Moshen Dragon’s overall operation chain (Sentinel Labs)

Attack details

At this time, the infection vector is unknown, so Sentinel Lab’s report begins with the antivirus abuse, which includes products from TrendMicro, Bitdefender, McAfee, Symantec, and Kaspersky.

Because these AV products run with high privileges on Windows OS, side-loading a malicious DLL on their process enables the hackers to run code on the machine with few restrictions and potentially evade detection.

Moshen Dragon uses this method to deploy Impacket, a Python kit made to facilitate lateral movement and remote code execution via Windows Management Instrumentation (WMI).

Impacket's lateral movement features
Impacket’s lateral movement features (Sentinel Labs)

Impacket also helps with credential-stealing, incorporating an open-source tool that captures the details of password change evens on a domain and writes them to the “C:\Windows\Temp\Filter.log” file.

Also Read: 6 Ways to Protect Your Business From Employee Data Theft

Password filter used for stealing credentials
Password filter used for stealing credentials (Sentinel Labs)

Having access to neighboring systems, the threat group drops a passive loader on them that confirms it’s on the right machine before activating by comparing the hostname to a hardcoded value.

As Sentinel Labs suggests, this is an indication that the threat actor generates a unique DLL for each of the machines it targets, another indication of their sophistication and diligence.

The loader utilizes the WinDivert packet sniffer to intercept incoming traffic until it gets the string required for self-decryption and then unpacks and launches the payload (SNAC.log or bdch.tmp).

Loader's exported functions
Loader’s exported functions (Sentinel Labs)

According to Sentinel Labs, the payloads include variants of PlugX and ShadowPad, two backdoors that multiple Chinese APTs have used in recent years. The final goal of the threat actor is to exfiltrate data from as many systems as possible.

Loader seen in US govt systems too

An interesting finding is that the loader analyzed by Sentinel Labs this time has been spotted again by Avast researchers in December 2021, who discovered it in a US government system.

This could mean that Moshen Dragon has multiple targets or shifted its focus, or simply that multiple Chinese APTs use the particular loader.

Considering that these groups share many similarities in the final payloads they deploy on the target systems, it wouldn’t be surprising if they used the same or similar loaders too.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.

Powered by WhatsApp Chat

× Chat with us