China-linked Moshen Dragon abuses security software to sideload malware

A China-linked APT group, tracked as Moshen Dragon, is exploiting antivirus products to target the telecom sector in Asia.

A China-linked APT group, tracked as Moshen Dragon, has been observed targeting the telecommunication sector in Central Asia with ShadowPad and PlugX malware, SentinelOne warns.

Both PlugX and ShadowPad malware are very common among China-linked cyberespionage groups.

Experts observed overlap between the TTPs of the Moshen Dragon group with the ones of the Chinese Nomad Panda (aka RedFoxtrot).

RedFoxtrot has been active since at least 2014 and focused on gathering military intelligence from neighboring countries, it is suspected to work under the PLA China-linked Unit 69010.

The researchers state that Moshen Dragon deployed five different malware triads to use DLL search order hijacking to sideload ShadowPad and PlugX variants. The cyperespionage group also uses additional tools, including an LSA notification package and the GUNTERS passive backdoor.

“SentinelLabs recently uncovered a cluster of activity targeting the telecommunication sector in Central Asia, utilizing tools and TTPs commonly associated with Chinese APT actors. The threat actor systematically utilized software distributed by security vendors to sideload ShadowPad and PlugX variants.” reads the analysis published by SentinelOne.

In recent attacks spotted by SentinelOne, Moshen Dragon leveraged to sideload ShadowPad and PlugX variants. The attackers focused on the hijacking of programs belonging to security vendors, including Symantec, TrendMicro, BitDefender, McAfee and Kaspersky.

The hijacked DLL are used to decrypt and load the final payload, stored in a file residing in the same folder.

“This combination is recognized as a sideloading triad, a technique commonly associated with Lucky Mouse.” continues the company. “The way the payloads were deployed, as well as other actions within target networks, suggest the threat actor uses IMPACKET for lateral movement. Upon execution, some of the payloads will achieve persistence by either creating a scheduled task or a service.”

The analysis of the Moshen Dragon’s activity led to the discovery of several payloads uploaded to VirusTotal, some of which were the ‘PlugX Talisman variant’.

SentinelOne detailed lateral movements, credential harvesting, and data exfiltration.

“TTPs observed during an unusual engagement that forced the threat actor to conduct multiple phases of trial-and-error to attempt to deploy their malware.” concludes the report.”Once the attackers have established a foothold in an organization, they proceed with lateral movement by leveraging Impacket within the network, placing a passive backdoor into the victim environment, harvesting as many credentials as possible to insure unlimited access, and focusing on data exfiltration.”

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]