Posted on May 4, 2022 at 7:48 PM

Chinese Sponsored Hackers Discovered Abusing Cybersecurity Products

A recent report reveals that a China-backed cyberespionage group has been discovered launching cyber attacks on the telecommunication sector in Central Asia using the PlugX and ShadowPad malware versions.

Cybersecurity company SentinelOne reported that the threat actor uses the pseudonym “Moshen Dragon” but has tactical overlap with another threat group known as Nomad Panda.

Chinese-backed threat actors have a history of using the ShadowPad and PlugX malware for several espionages in the past. According to SentinalOne’s security researcher Joey Chen, the functionality of the tools is flexible and can be adapted to several hacking needs. They are compiled through shellcode to easily circumvent traditional endpoint protection products.

Other Variants Are Being Deployed

The ShadowPad malware has been termed a “masterpiece of privately sold malware in Chinese espionage.” It became an upgrade to PlugX in 2015, although the latter is still frequently used. The PlugX variants have also been seen occasionally in the wild in different hacking campaigns involving Chinese threat actors.

The malware is known to be deployed by a government-sponsored threat group known as Bronze Alas (also called Winnti, Barium, or APT41). However, since 2017 it has been increasingly used by several other China-linked hackers.

Earlier this year, Secureworks connected Chinese cyberespionage groups to the ShadowPad activity clusters. The group operates with direction from the Chinese People’s Liberation Army and the Ministry of State Security (MSS).

SentinelOne’s latest findings correspond with the previous report from Trellix in March. The report reveals that a RedFoxtrot attack campaign targets defense and telecom sectors in South Asia using a new variant of PlugX malware called Talisman.

The Malware Can Hide In The Target’s Machine For A Long Time

The Moshen Dragon’s TTPs involve using legitimate antivirus software belonging to Symantec, McAfee, Kaspersky, BitDefender, and Trend Micro to sideload Talisman and ShadowPad on affected systems via a technique known as DDL search order hijacking.

Subsequently, the hijacked SLL can be utilized for decrypting and loading the final PlugX or ShadowPad payload within the same folder as that of the antivirus executable. This makes it difficult for security software to trace the malware, ensuring that it stays within the infiltrated system for a long time. The malware achieves persistence by creating a service of a scheduled task.

Apart from the hijacking of the security products, the attackers also use other methods to achieve their aims. They use red team scripts and known hacking tools to facilitate data exfiltration, lateral movement, and credential theft. However, the initial access vector is still not clear.

After establishing a strong foothold on the target, the attacker uses lateral movement by utilizing Impacket within the network. This places a passive backdoor to the victim’s environment and harvests as many credentials as they want to make sure they have unlimited access to the system. The security researchers noted that the exploitation can go on for a very long time since they have concealed the malware to make them very difficult to uncover or spot.

The Malware Abuses Security Products For DLL Sideloading

What makes Moshen Dragon a unique kind of threat different from others is the systematic abuse of the security products for DLL sideloading deployed.  The lateral movement, the threat utilizes Impact, which is a collection of Python classes. It creases the services of scheduled tasks to ensure the persistence of some payloads.

Additionally, Moshen Dragon has used GUNTERS backdoor in some attacks in the past, but it is likely being used as a different DLL on each system.

SentinelOne added that there are some additional variants deployed by the threat actors apart from PlugX and ShadowPad. The researchers say the variants overlap their activities to make them more potent and difficult to detect. However, it’s not clear whether the variants are solely deployed by Moshen Dragon or other threat actors.

In another development, tech giant Google revealed recently that a Chinese-backed hacking group is targeting Russian government agencies. The group is said to be deriving its support from China’s People’s Liberation Army Strategic Support Force (PLA SSF). Google’s Threat Analysis Group (TAG) stated that the group has successfully breached several Russian companies.

Apart from Russia, the threat group has also been discovered targeting government and military organizations in other countries like Kazakhstan, Ukraine, Mongolia, and other close countries Securenetworks also observed Mustang Panda targeting officials of military personnel familiar with the region.