Researchers have identified Moshen Dragon, a new cluster of malicious cyber activity targeting telecommunications providers in Central Asia. The cluster overlaps with the groups tracked as “RedFoxtrot” and “Nomad Panda,” most visibly in its use of ShadowPad and PlugX malware variants, but its behavior differs enough that it is tracked as a separate activity cluster.
According to research by SentinelLabs, Moshen Dragon is a capable group that adapts its tradecraft to the defenses it encounters. Much of its activity consists of sideloading malicious Windows DLLs through legitimate antivirus executables, stealing credentials to move laterally, and exfiltrating data from compromised machines.
Because the initial infection vector is not known, the SentinelLabs analysis concentrates on the abuse of antivirus products from Trend Micro, Bitdefender, McAfee, Symantec, and Kaspersky. These products run with high privileges on Windows, so getting a malicious DLL loaded by one of their signed processes lets the attackers run malware with few constraints and, because the host process is trusted, a lower chance of being flagged.
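The pattern described above leaves a recognizable trace in endpoint telemetry: a signed antivirus executable running from somewhere other than its install directory, or loading a DLL that is unsigned or sits in a user-writable folder. The following hunt over Sysmon Event ID 7 (ImageLoad) records is an added example written for this article; it is not code from SentinelLabs or any vendor, and the executable names, install paths and sample events are constructed placeholders that must be replaced with the products actually deployed.

```python
"""Hunt for DLL sideloading by antivirus executables in Sysmon Event ID 7
(ImageLoad) records.

Added example for this article, not code from SentinelLabs or an AV vendor.
AV_EXECUTABLES, WRITABLE_ROOTS and SAMPLE_EVENTS are assumptions constructed
for illustration.
"""
from pathlib import PureWindowsPath

# Assumption: signed AV executables (lower-case file name) mapped to the
# directory they are installed in. Fill this from software inventory.
AV_EXECUTABLES = {
    "exampleav_scan.exe": r"C:\Program Files\ExampleAV",
    "exampleav_update.exe": r"C:\Program Files\ExampleAV",
}

# Locations a non-admin attacker can usually write to.
WRITABLE_ROOTS = [r"C:\ProgramData", r"C:\Users", r"C:\Windows\Temp"]


def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies anywhere beneath it."""
    p = PureWindowsPath(path.lower())
    r = PureWindowsPath(root.lower())
    return p == r or r in p.parents


def classify_image_load(event: dict) -> list:
    """Return the sideloading indicators found in one ImageLoad event."""
    image, loaded = event["Image"], event["ImageLoaded"]
    exe = PureWindowsPath(image).name.lower()
    install_dir = AV_EXECUTABLES.get(exe)
    if install_dir is None:
        return []  # not one of the AV binaries we track
    findings = []
    # 1. The vendor's signed binary was copied and launched from elsewhere:
    #    the usual setup for bringing a rogue DLL along with it.
    if not _under(image, install_dir):
        findings.append(f"{exe} running outside {install_dir}: {image}")
    # 2. The DLL it loaded does not carry a valid signature (Sysmon field).
    if event.get("SignatureStatus") != "Valid":
        findings.append(f"{exe} loaded DLL with SignatureStatus="
                        f"{event.get('SignatureStatus')!r}: {loaded}")
    # 3. The DLL lives in a user-writable directory, not with the product.
    if any(_under(loaded, w) for w in WRITABLE_ROOTS):
        findings.append(f"{exe} loaded DLL from writable location: {loaded}")
    return findings


def scan(events: list) -> dict:
    """Map each suspicious event's ImageLoaded path to its indicators."""
    hits = {}
    for ev in events:
        findings = classify_image_load(ev)
        if findings:
            hits[ev["ImageLoaded"]] = findings
    return hits


# Constructed sample records in the shape of Sysmon Event ID 7 fields.
SAMPLE_EVENTS = [
    {   # benign: product loads its own signed DLL from its install tree
        "Image": r"C:\Program Files\ExampleAV\exampleav_scan.exe",
        "ImageLoaded": r"C:\Program Files\ExampleAV\engine.dll",
        "SignatureStatus": "Valid", "Signature": "ExampleAV Corp",
    },
    {   # suspicious: signed scanner copied to ProgramData, loads unsigned DLL
        "Image": r"C:\ProgramData\Update\exampleav_scan.exe",
        "ImageLoaded": r"C:\ProgramData\Update\engine.dll",
        "SignatureStatus": "Unavailable", "Signature": "",
    },
    {   # unrelated process: ignored by this hunt
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\x.dll",
        "SignatureStatus": "Unavailable", "Signature": "",
    },
]

if __name__ == "__main__":
    for dll, findings in scan(SAMPLE_EVENTS).items():
        print(dll)
        for f in findings:
            print("   ", f)
```

All three indicators fire together on the second sample, which is what a copied AV binary with a planted DLL looks like; in practice the first indicator alone is worth an alert, since a vendor's scanner has no reason to run out of ProgramData or a user profile.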
Moshen Dragon uses this sideloading technique to deploy Impacket, a Python toolkit that enables lateral movement and remote code execution over Windows Management Instrumentation (WMI). Credential theft is supported by an additional open-source tool that records the details of domain password change events to the file “C:\Windows\Temp\Filter.log”.
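Both pieces of tooling leave artifacts a defender can look for: Impacket's wmiexec.py runs each command through cmd.exe spawned by WmiPrvSE.exe and, by default, redirects output to a file named __<timestamp> in the target's own ADMIN$ share, and the credential logger writes to the Filter.log path named above. The following triage routine is an added example written for this article, not code from SentinelLabs, Impacket or the article; the sample events are constructed, and the check on the LSA Notification Packages registry value is an assumption (a tool that records password changes on a domain is most naturally an LSA password filter, which the article does not state).

```python
"""Triage constructed Sysmon-style events for Impacket wmiexec activity and
the Filter.log credential-log artifact.

Added example for this article, not code from SentinelLabs or Impacket.
The LSA Notification Packages check and all sample events are assumptions
constructed for illustration.
"""
import re

# Impacket wmiexec.py default: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<ts> 2>&1
WMIEXEC_REDIRECT = re.compile(
    r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?", re.IGNORECASE)

# File named in the reporting for the password-change log.
FILTER_LOG = r"c:\windows\temp\filter.log"

# Assumption: a password-change logger on a DC is registered as an LSA
# password filter, i.e. appended to this REG_MULTI_SZ value.
LSA_NOTIFICATION_PACKAGES = r"\control\lsa\notification packages"


def is_wmiexec_spawn(event: dict) -> bool:
    """ProcessCreate (Event 1) from WmiPrvSE.exe carrying the wmiexec redirect."""
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "")
    return parent.endswith("\\wmiprvse.exe") and WMIEXEC_REDIRECT.search(cmdline) is not None


def is_filter_log_write(event: dict) -> bool:
    """FileCreate (Event 11) touching the credential log path."""
    return event.get("TargetFilename", "").lower() == FILTER_LOG


def is_password_filter_registration(event: dict) -> bool:
    """RegistryEvent (Event 13) setting LSA Notification Packages (assumed path)."""
    return event.get("TargetObject", "").lower().endswith(LSA_NOTIFICATION_PACKAGES)


def triage(events: list) -> dict:
    """Bucket events by indicator; values identify the offending process."""
    out = {"wmiexec": [], "filter_log": [], "lsa_filter": []}
    for ev in events:
        if is_wmiexec_spawn(ev):
            out["wmiexec"].append(ev["CommandLine"])
        if is_filter_log_write(ev):
            out["filter_log"].append(ev["Image"])
        if is_password_filter_registration(ev):
            out["lsa_filter"].append(ev["Image"])
    return out


# Constructed sample events shaped like Sysmon fields (not real telemetry).
SAMPLE_EVENTS = [
    {   # Event 1: cmd.exe under WmiPrvSE.exe with wmiexec's output redirect
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1651234567.89 2>&1",
    },
    {   # Event 1: WMI-spawned child without the redirect (not flagged here)
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /c ipconfig",
    },
    {   # Event 11: the credential log being written
        "EventID": 11,
        "Image": r"C:\Windows\System32\lsass.exe",
        "TargetFilename": r"C:\Windows\Temp\Filter.log",
    },
    {   # Event 13: Notification Packages modified (assumed registration step)
        "EventID": 13,
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages",
        "Details": "constructed value",
    },
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_EVENTS).items():
        print(bucket, items)
```

The redirect pattern only catches wmiexec run with its defaults: the operator can change the share, disable output capture, or use Impacket's other executors, so on servers where WMI should not be spawning shells, WmiPrvSE.exe launching cmd.exe or powershell.exe at all deserves an alert on its own.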
Once it has access to neighboring systems, the group installs a passive loader that checks it is on the intended machine before doing anything, comparing the hostname to a value hardcoded into the binary. SentinelLabs notes that the actor builds a separate DLL for each targeted device, a sign of careful, hands-on operation.
The loader uses the WinDivert packet capture library to watch inbound traffic until it sees the string it needs to decrypt itself, then decrypts and launches the payload (SNAC.log or bdch.tmp). According to SentinelLabs, the payloads are variants of PlugX and ShadowPad, two backdoors used by several Chinese APT groups in recent years. The actor's end goal is to collect data from as many systems as possible.
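The two gates described in the preceding paragraphs (hostname compare, then a trigger string in sniffed traffic) are what make a loader like this inert in a sandbox: a detonation box with the wrong name never decrypts anything. The model below is an added illustration written for this article and is not the Moshen Dragon loader or code from SentinelLabs; the hostname, trigger string, payload bytes and the cipher (XOR against a SHA-256 keystream derived from the trigger) are placeholders, since the article says only that the loader compares the hostname to a hardcoded value and waits for a specific string before decrypting, not how the decryption works.

```python
"""Model of an environment-keyed passive loader: stays inert unless the host
name matches a compiled-in value, then waits for a trigger string in inbound
traffic before decrypting its payload.

Added illustration for this article, not the real loader and not code from
SentinelLabs. TARGET_HOSTNAME, TRIGGER, the keystream cipher and the demo
payload are placeholders chosen for this example.
"""
import hashlib
import socket
from typing import Optional, Tuple, List

TARGET_HOSTNAME = "tel-core-01"  # stand-in for the hardcoded per-victim value
TRIGGER = b"wake-up-string"      # stand-in for the sniffed activation string


def _keystream(key: bytes, length: int) -> bytes:
    """Placeholder keystream: SHA-256(key || counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_with_trigger(data: bytes, trigger: bytes) -> bytes:
    """Symmetric placeholder cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(trigger, len(data))))


class PassiveLoader:
    """Does nothing until both gates pass: right host, then trigger seen."""

    def __init__(self, encrypted_payload: bytes, hostname: Optional[str] = None):
        self.blob = encrypted_payload
        self.hostname = (hostname or socket.gethostname()).lower()
        self.payload: Optional[bytes] = None

    def on_packet(self, packet: bytes) -> Optional[bytes]:
        """Feed one sniffed inbound packet; return the payload on activation."""
        if self.payload is not None:
            return None                      # already activated
        if self.hostname != TARGET_HOSTNAME:
            return None                      # wrong machine: stay inert forever
        if TRIGGER not in packet:
            return None                      # keep sniffing
        self.payload = xor_with_trigger(self.blob, TRIGGER)
        return self.payload


def simulate(hostname: str, packets: List[bytes], blob: bytes) -> Tuple[Optional[bytes], int]:
    """Run the loader over packets; return (payload or None, packets consumed)."""
    loader = PassiveLoader(blob, hostname)
    for i, pkt in enumerate(packets, 1):
        if loader.on_packet(pkt) is not None:
            return loader.payload, i
    return None, len(packets)


# Constructed demo data: the stage an analyst wants to recover.
PLAINTEXT_PAYLOAD = b"MZ... stand-in for the encrypted backdoor stage"
ENCRYPTED_BLOB = xor_with_trigger(PLAINTEXT_PAYLOAD, TRIGGER)
PACKETS = [b"GET / HTTP/1.1", b"noise", b"xx" + TRIGGER + b"yy", b"more"]

if __name__ == "__main__":
    print(simulate("sandbox-vm", PACKETS, ENCRYPTED_BLOB))   # (None, 4)
    print(simulate("TEL-CORE-01", PACKETS, ENCRYPTED_BLOB))  # payload after packet 3
```

For analysis this means two things: the hostname string and the trigger string recovered from the binary are the keys to detonating it (rename the analysis host or patch the compare, then replay the trigger), and a hardcoded victim hostname is itself a strong indicator that a sample was built for one specific machine.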
One notable finding is that the loader SentinelLabs analyzed here had already been spotted by Avast researchers on a US government system in December 2021. That could mean Moshen Dragon has a wider target set or has shifted its focus, or simply that several Chinese APTs share the loader. Given how similar the final payloads these groups drop on target systems are, shared or closely related loaders would not be surprising.