Chinese group Redfly compromised a nation’s critical network during 6-month ShadowPad campaign

September 12, 2023 | THN | Critical Infrastructure Security


A threat actor tracked as Redfly has been linked to the compromise of a national network in an unnamed Asian country for six months earlier this year, using the known ShadowPad malware.

“The attackers successfully stole credentials and compromised multiple computers on the organization’s network,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. “This attack is the latest in a series of espionage intrusions against (critical national infrastructure) targets.”

ShadowPad, also known as PoisonPlug, is a successor to the PlugX remote access trojan. It is a modular implant that can dynamically load additional plugins from a remote server as needed to collect sensitive data from breached networks.

It has been widely used by a growing list of China-linked nation-state groups since at least 2019 in attacks targeting organizations across various industry sectors.


“ShadowPad is decrypted in memory using a custom decryption algorithm,” Secureworks Counter Threat Unit (CTU) noted in February 2022. “ShadowPad extracts information about the host, executes commands, interacts with the system Registry and deploys new modules to extend functionality.”

The first sign of an attack against the Asian entity was reportedly recorded on February 23, 2023, when ShadowPad was executed on a single computer; the backdoor was then executed again three months later, on May 17.

A tool called Packerloader was also deployed around the same time. It is used to execute arbitrary shellcode, and the attackers used it to change the permissions of a driver file called dump_diskfs.sys so that all users could access it, raising the possibility that the driver was used to create filesystem dumps for later exfiltration.

The attackers were further observed executing PowerShell commands to collect information about the storage devices attached to the system, to dump credentials from the Windows registry, and to clear the machine’s security event logs.

“On May 29, the attackers returned and used a renamed version of ProcDump (file name: alg.exe) to dump LSASS credentials,” Symantec said. “On May 31, a scheduled task was used to run oleview.exe, mainly to perform sideloading and lateral movement.”

Redfly is suspected of having used the stolen credentials to spread the infection to other machines on the network. After nearly two months of inactivity, the adversary re-emerged to install a keylogger on July 27 and to extract credentials from LSASS and the registry again on August 3.

Symantec said the campaign shares infrastructure and tooling with previously identified activity attributed to the Chinese state-sponsored group known as APT41 (aka Winnti), with Redfly focusing almost exclusively on targeting critical infrastructure entities.



However, there is no evidence that the hacking group has carried out any disruptive attacks to date.

“Threat actors who maintain a persistent, long-term presence on a national grid pose a clear risk of attacks aimed at disrupting the supply of electricity and other vital services in other states during times of heightened political tension,” the company said.

The development comes as Microsoft revealed that China-affiliated actors have been focusing on AI-generated visual media for use in influence operations targeting the United States, as well as conducting “intelligence collection operations and malware execution against regional governments and industries” in the South China Sea region since the beginning of the year.

“Raspberry Typhoon (formerly Radium) systematically targets government ministries, military entities and businesses connected to critical infrastructure, particularly telecommunications,” the tech giant said. “Since January 2023, Raspberry Typhoon has been particularly persistent.”

Other targets include the US defense industrial base (Circle Typhoon/DEV-0322, Mulberry Typhoon/Manganese and Volt Typhoon/DEV-0391), US critical infrastructure, government entities in Europe and the US (Storm-0558) and Taiwan (Charcoal Typhoon/Chrome and Linen Typhoon/Storm-0919).

It also follows a report from the Atlantic Council finding that a Chinese law requiring companies operating in the country to disclose security vulnerabilities in their products to the Ministry of Industry and Information Technology (MIIT) allows the country to stockpile vulnerabilities and helps its hackers “increase operational tempo, success and reach.”
