Government and state organizations in a number of Asian countries have been targeted by a particular group of espionage hackers as part of an intelligence-gathering mission that has been underway since early 2021.
“A notable feature of these attacks is that the attackers used a wide range of legitimate software packages to load their malware payloads using a technique known as DLL sideloading,” the Symantec Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News.
The campaign is said to be aimed exclusively at government institutions related to finance, aerospace and defence, as well as state media, IT and telecom firms.
Dynamic-link library (DLL) sideloading is a popular cyberattack method that exploits the way Microsoft Windows applications handle DLL files. In these intrusions, a maliciously crafted DLL is placed in the Windows Side-by-Side (WinSxS) directory so that the operating system loads it instead of the legitimate file.
The attacks rely on old and outdated versions of security solutions, graphics software and web browsers that lack mitigations against DLL sideloading, using them as a conduit to load arbitrary crafted shellcode that in turn runs additional payloads.
The same software packages also serve as a vehicle for delivering tools that facilitate credential theft and lateral movement across the compromised network.
“[The threat actor] used PsExec to run older versions of legitimate software, which were then used to upload additional malware tools, such as Remote Access Trojans (RATs), via DLL sideloading to other computers on networks,” the researchers noted.
One of the attacks, against a government-owned organization in the education sector in Asia, lasted from April to July 2022, during which the adversary accessed machines hosting databases and emails before reaching the domain controller.
The intrusion also used an 11-year-old version of Bitdefender Crash Handler (“javac.exe”) to launch a renamed version of Mimikatz (“calc.exe”), an open-source Golang penetration testing framework called LadonGo, and other custom payloads on multiple hosts.
Among them is a previously undocumented, feature-rich information stealer called Logdatter, which is capable of logging keystrokes, capturing screenshots, connecting to and querying SQL databases, downloading files and stealing clipboard data.
Also leveraged in the attack is a publicly available intranet scanning tool called Fscan, used to attempt exploitation of the ProxyLogon vulnerabilities in Microsoft Exchange Server.
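The tradecraft described above leaves two observable traces on an endpoint: a legitimate, signed executable loading a DLL from its own directory (or a DLL that should only come from System32 resolving elsewhere), and a tool running under a borrowed file name such as “calc.exe”. The following hunt, an added example that is not part of the Symantec report, runs those checks over constructed, simplified Sysmon-style image-load records; the field names, the system-DLL baseline and the sample paths and original file names are all assumptions.

```python
import ntpath

# Constructed baseline: DLL names the fleet only ever loads from system folders.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptsp.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events (simplified Sysmon-style image-load records, not
# telemetry from the campaign): loading process, its signing state and the
# name compiled into its version resource, plus the module it loaded.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageOriginalFileName": "notepad.exe",
     "ImageSigned": True, "ImageLoaded": r"C:\Windows\System32\version.dll", "LoadedSigned": True},
    {"Image": r"C:\ProgramData\tmp\javac.exe", "ImageOriginalFileName": "crashhandler-placeholder.exe",
     "ImageSigned": True, "ImageLoaded": r"C:\ProgramData\tmp\version.dll", "LoadedSigned": False},
    {"Image": r"C:\ProgramData\tmp\calc.exe", "ImageOriginalFileName": "placeholder-tool.exe",
     "ImageSigned": False, "ImageLoaded": r"C:\Windows\System32\cryptsp.dll", "LoadedSigned": True},
]

def _norm(path):
    return path.lower().replace("/", "\\")

def sideload_findings(event):
    """Return the list of suspicious observations for one image-load event."""
    image, loaded = _norm(event["Image"]), _norm(event["ImageLoaded"])
    exe, dll = ntpath.basename(image), ntpath.basename(loaded)
    findings = []
    # 1. A DLL name that should only come from System32/SysWOW64 resolved
    #    elsewhere: the search-order abuse the article describes.
    if dll in SYSTEM_DLLS and not loaded.startswith(SYSTEM_DIRS):
        findings.append(f"{dll} resolved from {ntpath.dirname(loaded)} instead of a system directory")
    # 2. A signed host binary pulled an unsigned module from its own directory.
    if event["ImageSigned"] and not event["LoadedSigned"] \
            and ntpath.dirname(loaded) == ntpath.dirname(image):
        findings.append(f"signed {exe} loaded unsigned {dll} from its own directory")
    # 3. On-disk name differs from the name compiled into the binary (renamed tool).
    original = event.get("ImageOriginalFileName", "").lower()
    if original and original != exe:
        findings.append(f"{exe} carries OriginalFileName {original}")
    return findings

def hunt(events):
    """Map each suspicious loading process to its findings; clean events are dropped."""
    report = {}
    for ev in events:
        hits = sideload_findings(ev)
        if hits:
            report.setdefault(ev["Image"], []).extend(hits)
    return report
```

`hunt(SAMPLE_EVENTS)` flags the javac.exe and calc.exe records and leaves notepad.exe out; vendors do legitimately ship private copies of some DLLs, so treat check 1 as a triage lead to compare against a golden image rather than a verdict.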
The identity of the threat group is unclear, although it is said to have used ShadowPad in previous campaigns, a modular backdoor created as a successor to PlugX (aka Korplug) and shared among many Chinese threat actors.
Symantec said it has limited evidence linking the threat actor's previous attacks involving the PlugX malware to other Chinese hacking groups such as APT41 (aka Wicked Panda) and Mustang Panda. Additionally, the use of a legitimate Bitdefender file for DLL sideloading has been observed in previous attacks attributed to APT41.
“The use of legitimate applications to facilitate DLL sideloading appears to be a growing trend among espionage actors operating in the region,” the researchers said. “Although a known technique, it must be giving some success to attackers given its current popularity.”