Microsoft on Monday blamed a cyber espionage actor based in China for a series of assaults against diplomatic bodies in South America.
The cluster is being tracked by the tech giant’s Security Intelligence team under the new designation DEV-0147, which describes the action as a “extension of the group’s data exfiltration operations that usually targeted government institutions and think tanks in Asia and Europe.”
The threat actor is reported to enter targets and sustain permanent access using well-known hacking tools such as ShadowPad.
According to Secureworks, ShadowPad, also known as PoisonPlug, is a successor to the PlugX remote access trojan that has been frequently used by Chinese hostile collectives with ties to the Ministry of State Security (MSS) and People’s Liberation Army (PLA).
DEV-0147 also employs a webpack loader named QuasarLoader, which enables for the deployment of additional payloads onto compromised servers.
Redmond did not specify how DEV-0147 may get first access to a target environment. However, the most likely routes are phishing and opportunistic targeting of unpatched programmes.
“In South America, DEV-0147’s assaults featured post-exploitation behaviour involving the misuse of on-premises identity infrastructure for recon and lateral movement, as well as the use of Cobalt Strike for command-and-control and data exfiltration,” Microsoft added.
DEV-0147 is far not the only China-based APT that have used ShadowPad in recent months.
NCC Group discovered information of an assault against an undisclosed firm in September 2022 that exploited a serious hole in WSO2 (CVE-2022-29464, CVSS score: 9.8) to drop web shells and trigger an infection chain that led to the distribution of ShadowPad for intelligence collection.
Unidentified threat actors also used ShadowPad to successfully exploit a weak and Internet-connected Microsoft Exchange Server in an assault on an ASEAN member foreign ministry.
Elastic Security Labs has termed the activity REF2924, and it has been noted to share tactical associations with those used by other nation-state groups such as Winnti (aka APT41) and ChamelGang.
“The REF2924 incursion set […] reflects an assault group that appears to be focused on goals that, when viewed across campaigns, fit with a sponsored national strategic interest,” according to the business.
The fact that Chinese hacking groups continue to employ ShadowPad despite the fact that it has been well-documented over the years implies that the approach is working.
Info source – The Hacker News