
Chinese Hackers Use ShadowPad To Target South American Diplomatic Entities


Microsoft on Monday attributed a series of attacks against diplomatic entities in South America to a China-based cyber espionage actor.

The cluster is being tracked by the tech giant’s Security Intelligence team under the new designation DEV-0147, which describes the activity as an “extension of the group’s data exfiltration operations that usually targeted government institutions and think tanks in Asia and Europe.”

The threat actor is reported to gain access to targets and maintain persistent access using well-known hacking tools such as ShadowPad.

According to Secureworks, ShadowPad, also known as PoisonPlug, is a successor to the PlugX remote access trojan that has been frequently used by Chinese adversary groups with ties to the Ministry of State Security (MSS) and the People’s Liberation Army (PLA).

DEV-0147 also employs a webpack loader named QuasarLoader, which enables the deployment of additional payloads onto compromised servers.

Redmond did not specify how DEV-0147 gains initial access to a target environment. However, the most likely routes are phishing and opportunistic targeting of unpatched applications.

“In South America, DEV-0147’s assaults featured post-exploitation behaviour involving the misuse of on-premises identity infrastructure for recon and lateral movement, as well as the use of Cobalt Strike for command-and-control and data exfiltration,” Microsoft added.

DEV-0147 is far from the only China-based APT to have used ShadowPad in recent months.

NCC Group disclosed details of an attack against an undisclosed firm in September 2022 that exploited a critical vulnerability in WSO2 (CVE-2022-29464, CVSS score: 9.8) to drop web shells and trigger an infection chain that led to the delivery of ShadowPad for intelligence collection.

Unidentified threat actors also deployed ShadowPad in an attack on an ASEAN member state’s foreign ministry after successfully exploiting a vulnerable, Internet-exposed Microsoft Exchange Server.

Elastic Security Labs has named the activity REF2924, and it has been observed to share tactical overlaps with other nation-state groups such as Winnti (aka APT41) and ChamelGang.

“The REF2924 incursion set […] reflects an assault group that appears to be focused on goals that, when viewed across campaigns, fit with a sponsored national strategic interest,” the company said.

The fact that Chinese hacking groups continue to employ ShadowPad, despite it having been well documented over the years, suggests that the approach is still working.

Info source – The Hacker News
