Cyber espionage campaign targets Asian countries since 2021

A cyber espionage group targets governments and state-owned organizations in multiple Asian countries since early 2021.

Threat actors are targeting government and state-owned organizations in multiple Asian countries as parts of a cyber espionage campaign that remained under the radar since early 2021.

“A distinct group of espionage attackers who were formerly associated with the ShadowPad remote access Trojan (RAT) has adopted a new, diverse toolset to mount an ongoing campaign against a range of government and state-owned organizations in a number of Asian countries.” reads an analysis published by Symantec Threat Hunter team, part of Broadcom Software. “The attacks, which have been underway since at least early 2021, appear to have intelligence gathering as their main goal.”

The attackers employed a broad range of legitimate tools to deliver malware in attacks aimed at government institutions related to finance, aerospace, and defense, as well as state-owned media, IT, and telecom firms.

The attackers used Dynamic-link library (DLL) side-loading to deliver the malicious code. The technique sees threat actors placing a malicious DLL in a directory where a legitimate DLL is expected to be found. Then the attacker runs a legitimate application that loads and executes the malicious payload.

The attackers target old and outdated versions of security solutions, graphics software, and web browsers that lack of mitigations for DLL side-loading attacks.

“Once a malicious DLL is loaded by the attackers, malicious code is executed, which in turn loads a .dat file. This file contains arbitrary shellcode that is used to execute a variety of payloads and associated commands in memory. In some cases, the arbitrary shellcode is encrypted.” continues the report.

The attackers also leverage these legitimate software packages to deploy additional tools (credential dumping tools, network scanning tools such as NBTScan, TCPing, FastReverseProxy, and FScan, and the Ladon penetration testing framework), which are used to perform lateral movement.

Once the attackers have established backdoor access they use Mimikatz and ProcDump to harvest credentials and obtain deeper access to the target network. In some instances, threat actors also dump credentials via the registry.

Experts also observed attackers using PsExec to run old versions of legitimate software to load off-the-shelf RATS.

The cyberspies also use a number of living-off-the-land tools such as Ntdsutil to mount snapshots of Active Directory servers in order to gain access to Active Directory databases and log files and the Dnscmd command line tool to enumerate network zone information. 

Experts also shared details about an attack against a government-owned organization in the education sector in Asia. The intrusion lasted from April to July 2022, during which the adversary accessed machines hosting databases and emails, before accessing the domain controller.

The attackers also use of an 11-year-old version of Bitdefender Crash Handler (“javac.exe”) to run a Mimikatz and the Golang penetration testing framework LadonGo.

The experts did not attribute the cyber espionage campaign to a specific threat actor, however, they noticed the use of the ShadowPad backdoor which is commonly used by China-linked APT groups.

“The use of legitimate applications to facilitate DLL side-loading appears to be a growing trend among espionage actors operating in the region. Although a well-known technique, it must be yielding some success for attackers given its current popularity. Organizations are encouraged to thoroughly audit software running on their networks and monitor for the presence of outliers, such as old, outdated software or packages that are not officially used by the organization.” concludes the report that includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]