A distinct espionage group has been targeting government and state-owned enterprises across several Asian countries in an intelligence-gathering campaign since early 2021.
“A notable feature of these attacks is that the attackers leveraged a wide range of legitimate software packages in order to load their malware payloads using a technique known as DLL side-loading,” the Symantec Threat Hunter team, part of Broadcom Software, said in a report.
The campaign is reportedly aimed solely at state-owned media, IT and telecom companies, and at government organizations involved in banking, aerospace, and the military.

Dynamic-link library (DLL) side-loading is a technique that abuses the way Microsoft Windows applications locate and load DLL files. In these attacks, a malicious DLL that impersonates a legitimate one is placed in the Windows Side-by-Side (WinSxS) directory so that the operating system loads it instead of the genuine library.
To load arbitrary shellcode that in turn executes further payloads, the attacks abuse outdated security tools, graphics programs, and web browsers that are likely to lack mitigations against DLL side-loading. The same software packages also serve as a vehicle for delivering tools that make credential theft and lateral movement across the network easier.
“[The threat actor] leveraged PsExec to run old versions of legitimate software which were then used to load additional malware tools such as off-the-shelf remote access Trojans (RATS) via DLL side-loading on other computers on the networks,” noted the researchers.
One attack, which ran from April to July 2022, targeted a government-owned company in the Asian education sector. Before reaching the domain controller, the attacker gained access to machines hosting databases and email. The intrusion also used an 11-year-old version of Bitdefender Crash Handler (“javac.exe”) to launch, on various hosts, a renamed copy of Mimikatz dubbed “calc.exe,” an open source Golang penetration testing framework called LadonGo, and additional custom payloads.
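Two of the behaviours described above, a legitimate but outdated executable loading a look-alike DLL from its own directory, and a well-known tool renamed to something innocuous like “calc.exe,” both leave traces in process and image-load telemetry. The script below is an added detection example, not code from the Symantec report or from the tooling it describes; it assumes Sysmon-style field names (Event ID 7 ImageLoad with `Image`, `ImageLoaded`, `Signed`, `Signature`, `SignatureStatus`; Event ID 1 ProcessCreate with `Image`, `OriginalFileName`), and the sample events, the DLL watchlist and the file paths are constructed for illustration.

```python
"""Flag DLL side-loading candidates and renamed binaries in Sysmon-style events.

Added example: the events below are constructed, and the list of DLL names is an
illustrative watchlist, not an exhaustive catalogue of side-loadable libraries.
"""

# Assumption: DLLs that a well-behaved process resolves from the Windows system
# directories. Seeing one of these names loaded from elsewhere is a hunting lead.
SYSTEM_DLL_WATCHLIST = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(win_path):
    """Last component of a Windows path, lower-cased (os.path would not split on '\\' off Windows)."""
    return win_path.lower().rsplit("\\", 1)[-1]


def is_sideload_candidate(event):
    """Sysmon Event 7 (ImageLoad): a watchlisted DLL name loaded from outside the
    system directories, or without a valid Microsoft signature."""
    if event.get("EventID") != 7:
        return False
    loaded = event["ImageLoaded"].lower()
    if _basename(loaded) not in SYSTEM_DLL_WATCHLIST:
        return False
    outside_system = not loaded.startswith(SYSTEM_DIRS)
    signed_by_microsoft = (
        event.get("Signed", "").lower() == "true"
        and event.get("SignatureStatus") == "Valid"
        and "microsoft" in event.get("Signature", "").lower()
    )
    return outside_system or not signed_by_microsoft


def is_renamed_binary(event):
    """Sysmon Event 1 (ProcessCreate): the PE's OriginalFileName disagrees with
    the name the file carries on disk (e.g. mimikatz.exe renamed to calc.exe)."""
    if event.get("EventID") != 1:
        return False
    on_disk = _basename(event["Image"])
    original = event.get("OriginalFileName", "").lower()
    # Sysmon writes "?" or "-" when the PE carries no version resource; skip those.
    if original in ("", "?", "-"):
        return False
    return original != on_disk


def triage(events):
    """Return (finding_type, process image, detail) tuples for suspicious events."""
    findings = []
    for ev in events:
        if is_sideload_candidate(ev):
            findings.append(("dll_sideload", ev["Image"], ev["ImageLoaded"]))
        if is_renamed_binary(ev):
            findings.append(("renamed_binary", ev["Image"], ev["OriginalFileName"]))
    return findings


# Constructed sample telemetry: one side-load, one benign load, one renamed tool,
# one benign calculator launch.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\javac.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\calc.exe",
     "OriginalFileName": "mimikatz.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\calc.exe",
     "OriginalFileName": "CALC.EXE"},
]

if __name__ == "__main__":
    for kind, image, detail in triage(SAMPLE_EVENTS):
        print(f"{kind:15} {image} -> {detail}")
```

The image-load rule deliberately keys on the DLL *name* rather than the loading process, because the whole point of the technique is that the host process is a legitimate, often signed, application; the process name alone will look benign. In production the watchlist would be built from a baseline of which DLLs each application normally loads from the system directories.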
One of them is a feature-rich, previously undocumented information stealer that can download files, log keystrokes, take screenshots, connect to and query SQL databases, and steal clipboard data. The attack also uses Fscan, a publicly available intranet scanning tool, to carry out exploitation attempts against the ProxyLogon vulnerabilities in Microsoft Exchange Server.
The threat group’s identity is unknown, although it is said to have previously run campaigns using ShadowPad, a modular backdoor that many Chinese threat actors have adopted as a replacement for PlugX (also known as Korplug). According to Symantec, limited evidence links the actor’s past PlugX attacks to other Chinese hacking groups, including APT41 (also known as Wicked Panda) and Mustang Panda. Past APT41-attributed attacks have also been seen side-loading shellcode using a legitimate Bitdefender file.