A well-established Chinese hacking group has been found targeting Asian governments and state-owned enterprises. The attackers are associated with the ShadowPad RAT, have adopted a new and diverse toolset, and have been targeting such entities since at least early 2021.

Diving into details

  • The attacks use DLL side-loading against their targets, including government-related financial institutions, a Prime Minister’s Office, and government-owned aerospace and defense firms.
  • Other targets include telecom operators, media firms, and IT organizations, all state-owned.
  • The threat actor used a variety of software packages in a single attack, including keyloggers, infostealers, and credential-dumping tools.
  • The attackers also used network scanning tools such as TCPing, NBTScan, FScan, and Fast Reverse Proxy, along with the pentesting framework Ladon.

Connection with the past

  • ShadowPad was built as a successor to the PlugX trojan, which was found in use in another recent campaign.
  • The researchers found limited evidence to connect PlugX with attacks by a handful of threat groups, such as Mustang Panda and APT41.
  • In addition to the above, the current campaign uses a legitimate Bitdefender file to side-load shellcode, a technique observed in earlier attacks by APT41. Moreover, the same keylogger was deployed in previous attacks against Southeast Asian critical infrastructure.
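One defender-side check for the side-loading pattern described in both lists above (a legitimate signed vendor binary used to load attacker code), as an added Python example that is not from the article or the researchers: it flags Sysmon-style image-load records where a signed host executable maps an unsigned or differently signed DLL from its own directory. The record fields, file paths and publisher names are constructed for illustration.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load (Event ID 7) records.
Added example, not from the original article. Heuristic: a signed host executable
maps a DLL from its own non-Windows directory that is unsigned or from another publisher."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DLL loads from Windows' own directories are expected and never flagged.
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

@dataclass(frozen=True)
class ImageLoad:
    image: str           # Sysmon "Image": the host process executable
    image_loaded: str    # Sysmon "ImageLoaded": the DLL that was mapped
    process_signer: str  # publisher of the host binary ("" if unsigned)
    dll_signer: str      # publisher of the DLL ("" if unsigned)

def side_load_reason(ev: ImageLoad) -> Optional[str]:
    """Return why the load looks like side-loading, or None if it looks benign."""
    dll = ev.image_loaded.lower()
    if dll.startswith(WINDOWS_DIRS):
        return None  # normal OS DLL resolution from a protected directory
    if not ev.process_signer:
        return None  # unsigned host: not the trusted-binary-loads-rogue-DLL pattern
    if ntpath.dirname(dll) != ntpath.dirname(ev.image.lower()):
        return None  # DLL is not co-located with the host binary
    if not ev.dll_signer:
        return "signed host loaded unsigned co-located DLL"
    if ev.dll_signer.lower() != ev.process_signer.lower():
        return "signed host loaded co-located DLL from a different publisher"
    return None

def detect(events: List[ImageLoad]) -> List[Tuple[ImageLoad, str]]:
    """Return (event, reason) pairs for every suspicious image load."""
    scored = ((ev, side_load_reason(ev)) for ev in events)
    return [(ev, reason) for ev, reason in scored if reason]
# Constructed sample telemetry; paths and publisher names are made up.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\ExampleAV\scanner.exe",
              r"C:\Windows\System32\kernel32.dll", "Example AV Vendor", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\ExampleAV\scanner.exe",
              r"C:\Program Files\ExampleAV\engine.dll", "Example AV Vendor", "Example AV Vendor"),
    # Side-loading pattern: signed vendor binary copied to a user-writable folder
    # next to an unsigned DLL that the loader resolves before the real one.
    ImageLoad(r"C:\Users\Public\update\scanner.exe",
              r"C:\Users\Public\update\log.dll", "Example AV Vendor", ""),
]
if __name__ == "__main__":
    for ev, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT {ev.image} -> {ev.image_loaded}: {reason}")
```

Only the third constructed record is reported; the same vendor binary loading a Microsoft DLL from System32 or its own vendor-signed component is left alone.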

The bottom line

Although DLL hijacking has been observed in the threat landscape for quite some time, it still yields results for cybercriminals. Lately, Chinese hackers have caused considerable noise and disruption worldwide in their attempts to gather government-related intelligence.
Cyware Publisher