Redfly group infiltrated an Asian national grid as long as six months

A threat actor tracked as Redfly had infected the systems at a national grid located in an unnamed Asian country for six months starting in January.

Symantec’s Threat Hunter Team discovered that a threat actor called Redfly used the ShadowPad backdoor to compromise a national grid in an Asian country for as long as six months earlier this year.

While ShadowPad is known to be part of the arsenal of multiple China-linked APT groups, the TTPs observed in the attack on the national power grid overlap with previously reported attacks linked to the Chinese APT41 group. 

The APT41 group (aka Winnti, Axiom, Barium, Blackfly, HOODOO) is a China-linked cyberespionage group that has been active since at least 2007.

Once obtained access to the target network, the attackers attempted to steal credentials and compromise multiple computers.

The attack is the latest in a series of intrusions against CNI targets. In May 2023, the U.S., UK, Australian, Canadian, and New Zealand governments issued a joint alert about China-linked threat actors targeting CNI organizations and using living off the land to evade detection. In May, Microsoft warned that Volt Typhoon infiltrated critical infrastructure organizations in the U.S. and Guam without being detected.

According to Microsoft, the campaign aims at building capabilities that could disrupt critical communications infrastructure between the United States and Asia region in the case of future crises.

The ShadowPad backdoor is a modular platform that can be used to download and execute arbitrary code on the infected system, create processes, and maintain a virtual file system in the registry,

The remote access capability implemented for the ShadowPad backdoor includes a domain generation algorithm (DGA) for C&C servers which changes every month.

Redfly used a distinct variant of the ShadowPad Trojan in the attack detailed by Symantec, the backdoor used the C2 domain websencl[.]com.

The malware copied itself to certain locations on the disk masquerading as VMware files and directories:

• C:\ProgramData\VMware\RawdskCompatibility\virtual\vmrawdsk.exe
• C:\ProgramData\VMware\RawdskCompatibility\virtual\mscoree.dll

The malicious code maintains persistence by creating a service that starts with Windows on boot-up.

Attackers also a Packerloader tool to load and execute shellcode, which is stored in a file in an encrypted form. The tool allows the attackers to deliver and execute arbitrary files or commands on a compromised computer.

Symantec also observed threat actors employing a keylogger that stored the captured keystrokes in the following location.

“The first evidence of intrusion on the targeted network dated from February 28, 2023, when ShadowPad was executed on a single computer. It was executed again on May 17 2023, suggesting that the attackers had maintained a presence in the intervening three months.” reads the report published by Symantec.

The initial compromise took place on February 23, 2023, at the time attackers executed the ShadowPad on a single computer. The backdoor was executed again three months later on May 17 suggesting that the intruders had maintained a presence in the target network.

In the same period, the attackers also run the Packerloader tool on the compromised system to execute arbitrary shellcode. The attackers modified permissions to run a driver file known as dump_diskfs.sys to grant access to all users. The attackers likely run the driver to create file system dumps for later exfiltration.

Several hours later, the attackers executed a suspicious PowerShell command to gather information on the storage devices attached to the system.

“On May 29, the attackers returned and used a renamed version of ProcDump (file name: alg.exe) to dump credentials from LSASS.” continyes the report.

alg.exe -accepteula -ma lsass.exe z1.dmp

“On May 31, a scheduled task is used to execute oleview.exe, mostly likely to perform side-loading and laterally movement. Use of Oleview by ShadowPad has been previously documented by Dell Secureworks and was also reported to have been used in attacks against industrial control systems.”

Symantec published Indicators of Compromise (IoCs) for this attack.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Redfly)