Cyberspies Drop New Infostealer Malware on Govt Networks in Asia
Security researchers have identified new cyber-espionage activity focusing on government entities in Asia, as well as state-owned aerospace and defense firms, telecom companies, and IT organizations.
The threat group behind this activity is a distinct cluster previously associated with the “ShadowPad” RAT (remote access trojan). In recent campaigns, the threat actor deployed a much more diverse toolset.
According to a report by Symantec’s Threat Hunter team that dives into the activity, the intelligence-gathering attacks have been underway since at least early 2021 and are still ongoing.
The current campaign appears to be almost exclusively focused on government or public entities in Asia, including:
- Head of government/Prime Minister’s office
- Government institutions linked to finance
- Government-owned aerospace and defense companies
- State-owned telecoms companies
- State-owned IT organizations
- State-owned media companies
2022 attack chain
Symantec presents an example of an attack that unfolded in April 2022 to showcase how the espionage group compromises its government targets.
The attack begins with implanting a malicious DLL that is side-loaded by launching the executable of a legitimate application to load a .dat file.
In this case, the legitimate application abused by the hackers was an 11-years-old Bitdefender Crash Handler executable.
The initial .dat payload contains encrypted shellcode that can be leveraged to execute commands or additional payloads directly from memory.
Only three days after establishing backdoor access, the threat actors installed ProcDump to snatch user credentials from the Local Security Authority Server Service (LSASS).
On the same day, the LadonGo penetration testing framework was again side-loaded via DLL hijacking and used for network reconnaissance.
Two weeks after the initial intrusion, the attackers returned to the compromised machine to install Mimikatz, a commonly used credentials stealing tool.
Moreover, the hackers attempted to exploit CVE-2020-1472 (Netlogon) against two computers in the same network to elevate their privileges.
The attackers used PsExec to execute Crash Handler and perform the DLL order hijacking trick to load payloads on additional computers in the network.
A month after the intrusion, the threat actors gained privileges to create new user accounts and mounted a snapshot of the active directory server to access user credentials and log files.
Finally, Symantec observed the deployment of Fscan to attempt exploitation of CVE-2021-26855 (Proxylogon) against Exchange Servers in the compromised network.
New custom info-stealer
One of the tools employed by the attacks in recent campaigns is a previously unknown information stealer (Infostealer.Logdatter), which essentially replaced ShadowPad.
The capabilities of this new tool include:
- Taking screenshots
- Connecting to and querying SQL databases
- Code injection: Reading a file and injecting the contained code into a process
- Downloading files
- Stealing clipboard data
In addition to the info-stealer and all tools mentioned in the previous section, the attackers deployed QuasarRAT, Nirsoft PassView, FastReverseProxy, PlugX, Trochilus RAT, and various PowerSploit scripts.
Symantec’s Threat Hunter team tied this campaign to the Chinese state-sponsored APT41 and Mustang Panda threat groups based on malicious tools previously linked to these espionage outfits.
For instance, the use of the Bitdefender executable for side-loading malicious code has been observed in campaigns attributed to APT41.
Symantec also highlights the use of the same keylogger deployed APT41 attacks against critical infrastructure organizations based in South East Asia.
“There is limited evidence to suggest links to past attacks involving the Korplug/PlugX malware and to attacks by a number of known groups, including Blackfly/Grayfly (APT41), and Mustang Panda,” the researchers said.
Hence, it’s likely that Chinese hackers are behind these espionage campaigns, but the evidence isn’t compelling enough for a confident attribution.
To protect your systems from sophisticated threats, keep all software up to date to prevent exploitation of known vulnerabilities and scrutinize running processes on all computers to identify software implants.
An increasing number of APTs are adopting DLL order hijacking, so any software running on the systems that isn’t part of the organization’s portfolio is a red flag, even if security solutions don’t mark it as malicious.