Chinese-aligned cyberespionage group Moshen Dragon targets telecommunication sector in Central Asia


SentinelLabs researchers are tracking the activity of a Chinese-aligned cyberespionage hacker group operating in Central Asia, dubbed ‘Moshen Dragon,’ targeting the telecommunication sector. The hackers have systematically utilized software distributed by security vendors to sideload ShadowPad and PlugX variants. Some of the activity partially overlaps with threat groups tracked by other vendors, such as RedFoxtrot and Nomad Panda.

“As the threat actor faced difficulties loading their malware against the SentinelOne agent, we observed an unusual approach of trial-and-error abuse of traditional antivirus products to attempt to sideload malicious DLLs,” according to a SentinelLabs blog post. “Moshen Dragon deployed five different malware triads in an attempt to use DLL search order hijacking to sideload ShadowPad and PlugX variants. Moshen Dragon deploys a variety of additional tools, including an LSA notification package and a passive backdoor known as GUNTERS,” the researchers added.

The researchers also wrote that good detection has an inverse relationship with the visibility of a hacker’s TTPs (tactics, techniques, and procedures). “When part of an infection chain gets detected, it usually means that we don’t get to see what the threat actor intended to deploy or ultimately do. In an unexpected twist, our detection capabilities uncovered an unusual TTP as Moshen Dragon attempted to repeatedly bypass that detection,” they added.

Every time the intended payload was blocked, “we were able to witness the actor’s reliance on a wide variety of legitimate software leveraged to sideload ShadowPad and PlugX variants. Many of these hijacked programs belong to security vendors, including Symantec, TrendMicro, BitDefender, McAfee and Kaspersky,” the researchers wrote.

Moshen Dragon hackers systematically abused security software to perform DLL search order hijacking, the post said. “The hijacked DLL is in turn used to decrypt and load the final payload, stored in a third file residing in the same folder. This combination is recognized as a sideloading triad, a technique commonly associated with Lucky Mouse,” it added.
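A defender-side check for the sideloading-triad pattern described above, written as an added example and not SentinelLabs' code or tooling. It scores image-load records (assumed here to carry the executable path, its signer, the loaded DLL, the DLL's signer and the file names beside the executable) and flags loads where a vendor-signed binary resolves a DLL from its own folder with a mismatched signer and a non-PE companion file sitting next to it. The field names, alert threshold and sample events are constructed for this illustration.

```python
import ntpath

# Security vendors whose signed executables the post says Moshen Dragon abused.
ABUSED_VENDORS = ("symantec", "trend micro", "trendmicro", "bitdefender", "mcafee", "kaspersky")
PE_EXTENSIONS = {".exe", ".dll"}
ALERT_THRESHOLD = 3  # hypothetical cut-off: exe+dll in one folder plus at least one more indicator

def is_vendor_signed(signer):
    return any(v in (signer or "").lower() for v in ABUSED_VENDORS)

def triad_indicators(event):
    """Score one image-load event against the sideloading-triad pattern. Expected keys (constructed
    for this example): image, image_signer, dll, dll_signer, dir_listing (files beside the exe)."""
    reasons = []
    if not is_vendor_signed(event.get("image_signer")):
        return reasons            # not the pattern described in the post
    reasons.append("executable signed by a security vendor")
    exe_dir = ntpath.dirname(event["image"]).lower()
    dll_dir = ntpath.dirname(event["dll"]).lower()
    if dll_dir != exe_dir:
        return reasons            # DLL came from System32 etc.: normal search-order resolution
    reasons.append("DLL resolved from the executable's own folder (search-order hijack candidate)")
    if (event.get("dll_signer") or "").lower() != event["image_signer"].lower():
        reasons.append("DLL signer differs from executable signer")
    companions = [f for f in event.get("dir_listing", [])
                  if ntpath.splitext(f)[1].lower() not in PE_EXTENSIONS]
    if companions:
        reasons.append("non-PE companion file(s) next to the DLL: " + ", ".join(companions))
    return reasons

def find_triads(events):
    """Return the executable paths whose indicator count reaches ALERT_THRESHOLD."""
    return [e["image"] for e in events if len(triad_indicators(e)) >= ALERT_THRESHOLD]

# Constructed sample events: paths, signers and file names are made up, not indicators from the post.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\ExampleAV\scanner.exe", "image_signer": "Kaspersky Lab",
     "dll": r"C:\Program Files\ExampleAV\helper.dll", "dll_signer": "Kaspersky Lab",
     "dir_listing": ["scanner.exe", "helper.dll"]},
    {"image": r"C:\Users\Public\svc\legit_tool.exe", "image_signer": "McAfee, Inc.",
     "dll": r"C:\Users\Public\svc\legit_tool.dll", "dll_signer": None,
     "dir_listing": ["legit_tool.exe", "legit_tool.dll", "legit_tool.dat"]},
    {"image": r"C:\Program Files\ExampleAV\agent.exe", "image_signer": "Symantec Corporation",
     "dll": r"C:\Windows\System32\kernel32.dll", "dll_signer": "Microsoft Windows",
     "dir_listing": ["agent.exe"]},
]

if __name__ == "__main__":
    print("flagged:", find_triads(SAMPLE_EVENTS))
```

Only the second constructed event is flagged; the first is a vendor binary loading its own signed helper, the third a normal System32 resolution.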

“The way the payloads were deployed, as well as other actions within target networks, suggest the threat actor uses IMPACKET for lateral movement,” according to the researchers. “Upon execution, some of the payloads will achieve persistence by either creating a scheduled task or a service. As major portions of the Moshen Dragon activity were identified and blocked, the threat actor consistently deployed new malware, using five different security products to sideload PlugX and ShadowPad variants,” they added.

“During our analysis of Moshen Dragon’s activities, we came across a passive loader previously discussed by Avast as ‘GUNTERS,’” the SentinelLabs researchers wrote. “This backdoor appears to be highly targeted as it performs checks to verify that it is executed on the right machine. Before execution, the malware calculates the hash of the machine hostname and compares it to a hardcoded value, suggesting that the threat actor generates a different DLL for each target machine,” they added.

SentinelLabs came across additional related artifacts overlapping with this threat cluster. “It’s possible that some of those were utilized by Moshen Dragon or a related actor,” they added.

After analyzing these payloads, “we found them to be additional PlugX and ShadowPad variants. SNAC.log payloads have been identified by other researchers as Talisman, which is known to be another variant of PlugX,” according to the researchers. “In addition, the bdch.tmp payload was produced by shellcode with a structure similar to ShadowPad malware but without the initial code obfuscation and decryption logic typically seen in ShadowPad,” they added. 

SentinelLabs said that PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors, primarily for espionage activity. “Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products,” they added.

“Here we focused on Moshen Dragon TTPs observed during an unusual engagement that forced the threat actor to conduct multiple phases of trial-and-error to attempt to deploy their malware,” according to the researchers. “Once the attackers have established a foothold in an organization, they proceed with lateral movement by leveraging Impacket within the network, placing a passive backdoor into the victim environment, harvesting as many credentials as possible to ensure unlimited access, and focusing on data exfiltration,” they added.

Last month, Symantec, a division of Broadcom Software, revealed that the North Korea-linked advanced persistent threat (APT) group, Lazarus, has been conducting an espionage campaign targeting organizations operating within the chemical sector. The campaign appears to be a continuation of Lazarus activity dubbed ‘Operation Dream Job,’ initially observed in August 2020. Symantec tracks this sub-set of Lazarus activity under the name Pompilus.

The Office of the Director of National Intelligence (ODNI) said in March that both state and non-state hackers ‘threaten our infrastructure and provide avenues for foreign malign influence threats against our democracy.’ It also assesses that China almost certainly can launch cyber-attacks that ‘would disrupt critical infrastructure services within the United States, including against oil and gas pipelines and rail systems.’
