The government and state organizations of numerous Asian countries have been targeted by a distinct cyber espionage group as part of an intelligence-gathering mission that has been underway since early 2021.
“A notable feature of these attacks is that attackers exploited a wide range of legitimate software packages to load their malware payloads using a technique known as DLL Side Loading,” stated the Symantec Threat Hunter team, part of Broadcom Software.
Why is Asia being targeted by cyber espionage?
It seems that the campaign is aimed exclusively at government institutions in Asian countries related to finance, aerospace and defense, as well as at state-owned media, IT and telecommunications companies.
Dynamic Link Library (DLL) side loading is a popular cyber attack method that takes advantage of the way Microsoft Windows applications locate and load DLL files.
In these intrusions, a counterfeit malicious DLL is placed in the Windows Side-by-Side (WinSxS) directory so that the operating system loads it instead of the legitimate file.
Attacks of this type rely on old, outdated versions of security products, graphics software and web browsers that lack any mitigation against DLL side-loading, using them as a channel to load arbitrary shellcode that runs additional payloads.
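As an added illustration (not code from the article or from Symantec's report), the following Python script applies a defender-side heuristic to Sysmon Event ID 7 (ImageLoad) records to surface the side-loading shape described above: a DLL loaded from outside the Windows system directories that is unsigned or carries the name of a well-known system DLL. The sample events, paths and vendor name are constructed, and the list of system DLL names is a small illustrative sample.

```python
"""Heuristic side-loading detection over Sysmon Event ID 7 (ImageLoad) records.
Flags a DLL loaded from outside the system directories when it is unsigned /
invalidly signed or reuses a well-known system DLL name; the classic case also
sits in the loading executable's own directory (DLL search-order hit)."""
from ntpath import basename, dirname  # Windows path handling on any OS

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Small illustrative sample of DLL names applications commonly resolve via the search order.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "msimg32.dll",
                     "cryptbase.dll", "userenv.dll", "uxtheme.dll"}

# Constructed sample events (not from the page); field names follow Sysmon ID 7,
# where Signed/Signature/SignatureStatus describe the loaded DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\javac.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\log.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"},
    {"Image": r"C:\ProgramData\Updater\viewer.exe",
     "ImageLoaded": r"C:\ProgramData\Updater\version.dll",
     "Signed": "true", "Signature": "Constructed Vendor Ltd", "SignatureStatus": "Valid"},
]


def in_system_dir(path: str) -> bool:
    """True when the file lives under a protected Windows system directory (including WinSxS subdirs)."""
    d = dirname(path).lower()
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def assess(event: dict) -> list:
    """Return the side-loading indicators for one ImageLoad event (empty list = nothing suspicious)."""
    loaded = event["ImageLoaded"]
    if in_system_dir(loaded):
        return []
    reasons = []
    if basename(loaded).lower() in KNOWN_SYSTEM_DLLS:
        reasons.append("system DLL name loaded from outside the system directories")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("loaded DLL is unsigned or its signature is invalid")
    if reasons and dirname(loaded).lower() == dirname(event["Image"]).lower():
        reasons.append("DLL sits in the loading executable's own directory (search-order hit)")
    return reasons


def scan(events: list) -> list:
    """Run assess() over a batch of events and keep only those with indicators."""
    return [{"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"], "reasons": assess(ev)}
            for ev in events if assess(ev)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["ImageLoaded"], ";", "; ".join(hit["reasons"]))
```

Loading events from a real Sysmon export would replace SAMPLE_EVENTS with parsed EventData fields; the two flagged sample records mirror the renamed-executable and system-DLL-name patterns the article describes.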
Additionally, software packages also act as a means of providing tools to facilitate credential theft and lateral movement across the compromised network.
“[The hacker group] leveraged PsExec to run old versions of legitimate software which were then used to load additional malware tools such as ready-to-use Remote Access Trojans (RATs) via DLL side-loading on other computers on the networks,” the researchers pointed out.
In one of the attacks, on a government-owned organization in the education sector in Asia (to be precise: on the Asian continent, lest anyone think Asia is a single state…), which lasted from April to July 2022, the hacker group had access to machines hosting databases and email before reaching the domain controller.
The intrusion also used an 11-year-old version of Bitdefender Crash Handler (“javac.exe”) to launch a renamed version of Mimikatz (“calc.exe”), an open source Golang penetration testing framework called LadonGo, and other custom payloads across multiple hosts.
One of the programs listed is a previously undocumented, feature-rich information stealer that can record keystrokes, take screenshots, connect to and query SQL databases, download files, and steal clipboard data.
The attack also uses a publicly available intranet scanning tool called Fscan to attempt exploitation of the ProxyLogon vulnerabilities in Microsoft Exchange Server.
The identity of the hacking group is unclear, although it is said to have used ShadowPad in previous campaigns, a modular backdoor regarded as a successor to PlugX (aka Korplug) and shared by many Chinese cyber attackers.
Symantec experts said they have limited evidence linking the threat actor’s previous attacks involving PlugX malware to other Chinese hacking groups like APT41 (aka Wicked Panda) and Mustang Panda.
Furthermore, the use of a legitimate Bitdefender file to load the shellcode has been observed in previous attacks attributed to APT41.
“Using legitimate applications to facilitate DLL Side Loading seems to be a growing trend among [cyber] spy attackers operating in the region [Asia],” said the researchers. “Although a well-known technique, it must have some success with attackers given its current popularity.”
But why does this happen against governments and organizations in Asia?
Let’s take an example with a random country in Asia: Japan.
This ties back to the importance of updates; it is no coincidence that Japan ended up in a bit of chaos for not having moved from Internet Explorer to other browsers.
In the same Asian country, floppy disks are still in use.
If we add to this the myriad of people worldwide who do not update software such as antivirus and who still use Windows 7 (if not XP, in more extreme cases), I would say it is quite easy to imagine the reasons behind the institutional IT problems of some Asian countries.
This vice is shared by many institutions in Europe too, so our country is affected as well.
In fact, in programs and operating systems that are no longer kept up to date, it is much easier for these old DLL loading paths to be exploited for DLL side-loading!
In short: keeping up with software updates and technology is not just a geek’s craze (forgive the pun), but a way to safeguard your data.