Researchers have observed a new cluster of malicious cyber activity targeting telecommunication service providers in Central Asia. The activity is attributed to the Chinese cyberespionage group Moshen Dragon.

Moshen Dragon 

Sentinel Labs disclosed that the threat actor is skilled and can adjust its approach according to the defenses of targeted victims.
  • The initial infection vector is not yet known; however, the report describes abuse of antivirus solutions, including products from Bitdefender, Symantec, McAfee, Kaspersky, and Trend Micro.
  • These AV products run with high privileges on Windows, so side-loading a malicious DLL into one of their processes lets the attacker execute code with few restrictions and a reduced chance of detection.
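A defender-side check for the side-loading technique described above, as an added example that is not part of the report or of any vendor's tooling: the script enumerates the DLLs currently loaded into running antivirus processes and flags any that are unsigned, signed by a publisher other than the host executable's, or loaded from outside the usual installation directories. The process names are assumptions and must be adjusted to the products actually deployed; the script needs an elevated session, and products that run as protected processes may refuse module enumeration (those are skipped).

```powershell
# Added example (not from the Cyware summary or SentinelLabs): audit DLLs loaded into
# running AV processes and report modules that look out of place for that product.
# Run from an elevated PowerShell session; reading another process's module list
# requires administrative rights. Process names below are assumptions.

$AvProcessNames = @('bdservicehost', 'ccSvcHst', 'mcshield', 'avp', 'ntrtscan')  # assumed names

# Directories from which a legitimately installed product is expected to load code.
$TrustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)},
    $env:ProgramData
) | Where-Object { $_ }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousAvModules {
    param([string[]]$ProcessNames = $AvProcessNames)

    $findings = foreach ($proc in Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue) {
        if (-not $proc.Path) { continue }   # no path: cannot establish the host's publisher

        # Protected (PPL) processes may deny module enumeration; skip them rather than fail.
        try { $modules = $proc.Modules } catch { continue }

        # Publisher of the host executable; modules from the same publisher are expected.
        $hostSig = Get-AuthenticodeSignature -FilePath $proc.Path
        $hostSubject = if ($hostSig.SignerCertificate) { $hostSig.SignerCertificate.Subject } else { '' }

        foreach ($module in $modules) {
            $dll = $module.FileName
            if (-not $dll -or $dll -notlike '*.dll') { continue }

            $sig = Get-AuthenticodeSignature -FilePath $dll
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            $reasons = @()
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            } elseif ($subject -ne $hostSubject -and $subject -notlike '*Microsoft*') {
                # OS-supplied DLLs are Microsoft-signed; anything else from a third signer is notable.
                $reasons += "signer differs from host ($subject)"
            }
            if (-not (Test-TrustedPath $dll)) { $reasons += 'loaded from untrusted directory' }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $dll
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

Get-SuspiciousAvModules | Format-Table -AutoSize
```

The output is a triage list, not a verdict: some products legitimately load third-party signed libraries, so compare the result against a clean reference host of the same build before acting on it.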

Purpose of the attack

The attackers are using this method to deploy Impacket, a Python toolkit for lateral movement and remote code execution via Windows Management Instrumentation (WMI).
  • Their activity mostly consists of stealing credentials to move laterally, side-loading malicious Windows DLLs into antivirus products, and stealing data from compromised systems.
  • Further, Impacket is used alongside an open-source tool that captures information about password changes on the domain and writes it to a file, which supports the credential theft.

Additional insights

The attackers have used an LSA notification package to harvest credentials. Moreover, access to neighboring systems allows them to drop a passive loader called GUNTERS.
  • The loader uses the WinDivert packet sniffer to intercept incoming traffic until it receives the string needed to decrypt itself, then unpacks and executes the final payloads.
  • The final payloads are PlugX and ShadowPad variants, two backdoors used by various Chinese APTs. The final aim is to exfiltrate data from most of the infected systems.
  • Additionally, the report suggests that the attackers generate a unique DLL for each targeted system, a sign of the attacker’s sophistication.
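Two host checks for the persistence points described in this section, as an added example that is not part of the report: the first lists the LSA notification packages registered on the machine (DLLs that LSA loads into lsass.exe and that receive every password change, which is what makes them useful for credential harvesting) and compares them with a baseline, verifying that each resolves to a signed file in System32; the second looks for the WinDivert driver on which the GUNTERS loader relies. The baseline entries and the assumption that only `scecli` (plus `rassfm` on domain controllers) are present by default should be replaced with a baseline captured from a known-good host.

```powershell
# Added example (not from the Cyware summary or SentinelLabs): audit LSA notification
# packages and check for a registered WinDivert driver. Run elevated.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Entries normally present on a default Windows install (assumption; verify on a clean host).
$ExpectedPackages = @('scecli', 'rassfm')

function Get-LsaNotificationPackageReport {
    param([string[]]$Baseline = $ExpectedPackages)

    # REG_MULTI_SZ of DLL base names; LSA loads each one into lsass.exe at boot.
    $packages = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'

    foreach ($name in $packages) {
        # Names are stored without extension and resolved from System32 by LSA.
        $dll = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists = Test-Path $dll
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }

        [pscustomobject]@{
            Package    = $name
            InBaseline = ($Baseline -contains $name)
            Path       = $dll
            FileExists = $exists
            SigStatus  = if ($sig) { $sig.Status } else { 'n/a' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

function Get-WinDivertDrivers {
    # WinDivert installs as a kernel driver; on a host with no legitimate use for it
    # (some VPN clients and security tools ship it), its presence deserves a look.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like '*WinDivert*' -or $_.PathName -like '*WinDivert*' } |
        Select-Object Name, State, StartMode, PathName
}

'--- LSA notification packages ---'
Get-LsaNotificationPackageReport | Format-Table -AutoSize

'--- WinDivert drivers ---'
$drivers = Get-WinDivertDrivers
if ($drivers) { $drivers | Format-Table -AutoSize } else { 'No WinDivert driver registered.' }
```

A package that is not in the baseline, has no file on disk, or carries an invalid signature is the finding to escalate; because a newly registered package only takes effect after a reboot, the registry value is also a useful thing to watch for writes in endpoint telemetry.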

Conclusion

The report sheds light on Moshen Dragon’s TTPs, including its trial-and-error efforts to deploy its malware. After the initial infection, the group focuses on lateral movement using Impacket. Organizations should therefore have a reliable anti-malware solution backed by a defense-in-depth strategy.

Cyware Publisher