
Chinese Hackers Use ShadowPad To Target South American Diplomatic Entities

Microsoft on Monday blamed a cyber espionage actor based in China for a series of assaults against diplomatic bodies in South America.

The cluster is tracked by the tech giant’s Security Intelligence team under the new designation DEV-0147, and Microsoft describes the activity as an “extension of the group’s data exfiltration operations that usually targeted government institutions and think tanks in Asia and Europe.”

The threat actor is reported to break into targets and maintain persistent access using well-known hacking tools such as ShadowPad.

According to Secureworks, ShadowPad, also known as PoisonPlug, is a successor to the PlugX remote access trojan and has been used frequently by Chinese threat groups with ties to the Ministry of State Security (MSS) and the People’s Liberation Army (PLA).

DEV-0147 also employs a webpack loader named QuasarLoader, which enables the deployment of additional payloads onto compromised servers.

Redmond did not specify how DEV-0147 gains initial access to a target environment, but the most likely routes are phishing and opportunistic exploitation of unpatched applications.

“In South America, DEV-0147’s assaults featured post-exploitation behaviour involving the misuse of on-premises identity infrastructure for recon and lateral movement, as well as the use of Cobalt Strike for command-and-control and data exfiltration,” Microsoft added.

DEV-0147 is far from the only China-based APT to have used ShadowPad in recent months.

NCC Group disclosed details of an attack against an undisclosed firm in September 2022 that exploited a critical vulnerability in WSO2 (CVE-2022-29464, CVSS score: 9.8) to drop web shells and trigger an infection chain that led to the deployment of ShadowPad for intelligence collection.

Unidentified threat actors also used ShadowPad after successfully exploiting a vulnerable, Internet-facing Microsoft Exchange Server in an attack on the foreign ministry of an ASEAN member state.

Elastic Security Labs tracks the activity as REF2924 and has noted that its tactics overlap with those used by other nation-state groups such as Winnti (aka APT41) and ChamelGang.

“The REF2924 incursion set […] reflects an assault group that appears to be focused on goals that, when viewed across campaigns, fit with a sponsored national strategic interest,” the company said.

That Chinese hacking groups continue to rely on ShadowPad, even though it has been thoroughly documented over the years, suggests the tool is still effective for them.

Info source – The Hacker News
