Cyber espionage attacks target Asian governments, state-owned companies to primarily gather intelligence

Governments and state-owned organizations in Asian countries are being targeted by a ‘well-established threat actor,’ the Symantec Threat Hunter team, part of Broadcom Software, said. The current campaign appears to focus on government or public entities, including the head of government/Prime Minister’s Office, state-owned government institutions linked to finance, government-owned aerospace and defense companies, and state-owned telecom, IT, and media companies. 

“A distinct group of espionage attackers who were formerly associated with the ShadowPad remote access Trojan (RAT) has adopted a new, diverse toolset to mount an ongoing campaign against a range of government and state-owned organizations in a number of Asian countries,” the researchers disclosed in a blog post on Tuesday. “The attacks, which have been underway since at least early 2021, appear to have intelligence gathering as their main goal.”

“While this group of attackers was previously using ShadowPad, it has since moved on and has been deploying a range of payloads,” the researchers said. “One of the payloads used was a previously unseen, feature-rich information stealer (Infostealer.Logdatter), which appeared to be custom built. Its capabilities included keylogging, taking screenshots, connecting to and querying SQL databases, code injection, downloading files, and stealing clipboard data,” they added.

Some of the other payloads used by the attackers include the PlugX/Korplug trojan, Trochilus RAT, QuasarRAT, Ladon penetration testing framework, Nirsoft Remote Desktop PassView, a Simple Network Management Protocol (SNMP) scanning tool, and Fscan, a publicly available intranet scanning tool.

The Symantec team revealed that a notable feature of these attacks is that the attackers leverage various legitimate software packages in order to load their malware payloads using a technique known as DLL side-loading. “Usually, the attackers used multiple software packages in a single attack. In many cases, old and outdated versions of software are used, including security software, graphics software, and web browsers. In some cases, legitimate system files from the legacy operating system Windows XP are used. The reason for using outdated versions is that most current versions of the software used would have mitigation against side-loading built-in,” they said.

DLL side-loading is a technique in which attackers place a malicious DLL in a directory that a legitimate application searches before the genuine DLL's location, typically the application's own directory, so that the Windows loader resolves the malicious file by name in place of the real one. The attacker then runs the legitimate application (in most cases having installed it themselves), and the application loads and executes the payload. Once the malicious DLL is loaded, its code runs and in turn reads a .dat file containing shellcode, which is used to execute a variety of payloads and associated commands in memory. In some cases, the shellcode is encrypted.

The attackers also leverage these legitimate software packages to deploy additional tools, which are used to further aid in lateral movement, Symantec said. These tools include credential dumping tools, a number of network scanning tools (NBTScan, TCPing, FastReverseProxy, and FScan), and the Ladon penetration testing framework.

The Symantec team identified that the current campaign uses a legitimate Bitdefender file to side-load shellcode. “This same file and technique were observed in previous attacks linked to APT41. We have also observed the same keylogging tool deployed in previous attacks against critical infrastructure in South East Asia,” they added.

In March, cybersecurity firm Mandiant reported that the persistent effort of a prolific Chinese state-sponsored espionage group, APT41, allowed it to compromise at least six U.S. state government networks by exploiting vulnerable Internet-facing web applications. The group exploited a zero-day vulnerability in the USAHerds application and the widely exploited Log4j vulnerability.

“The use of legitimate applications to facilitate DLL side-loading appears to be a growing trend among espionage actors operating in the region,” the Symantec researchers said. “Although a well-known technique, it must be yielding some success for attackers given its current popularity. Organizations are encouraged to thoroughly audit software running on their networks and monitor for the presence of outliers, such as old, outdated software or packages that are not officially used by the organization,” they added.
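The side-loading pattern described above (a legitimate executable resolving a DLL by name from its own directory) and the audit advice in the quote can both be turned into a simple detection over image-load telemetry. The following Python is an added example written for this article, not code from Symantec or from the report. It assumes Sysmon-style ImageLoad (Event ID 7) records with the fields Image, ImageLoaded and Signed, a system drive of C:, and a handful of hypothetical sample records constructed inline for the demonstration.

```python
"""Flag DLL side-loading candidates in Sysmon-style ImageLoad records.

Added example for this article, not code from Symantec's report.  Field
names follow Sysmon Event ID 7: Image is the loading process, ImageLoaded
the DLL, and Signed whether the DLL has a valid Authenticode signature.
The sample records at the bottom are constructed for the demonstration.
"""
from pathlib import PureWindowsPath

# Directories from which a system DLL is expected to load (assumes a C: system drive).
TRUSTED_DLL_ROOTS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

# Locations where administrators normally install software.  An attacker who
# drops an old, legitimate binary to side-load against usually stages it
# elsewhere (ProgramData, user profiles, temp directories).
INSTALL_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

# System DLL names that are commonly impersonated: the host application asks
# for them by name, and its own directory is searched before System32.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
    "userenv.dll", "msimg32.dll", "dwmapi.dll",
}


def _under(path: PureWindowsPath, roots) -> bool:
    """Case-insensitive test that path lies inside one of the roots."""
    p = str(path).lower()
    return any(p.startswith(root.lower() + "\\") for root in roots)


def analyze_image_load(ev: dict) -> list:
    """Return the reasons an ImageLoad record looks like side-loading ([] if none)."""
    loader = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    unsigned = ev.get("Signed", "true").lower() != "true"
    reasons = []

    # Rule 1: a well-known system DLL name resolved from outside the Windows
    # system directories, i.e. a planted copy won the search-order race.
    if dll.name.lower() in SYSTEM_DLL_NAMES and not _under(dll, TRUSTED_DLL_ROOTS):
        reasons.append(f"system DLL name {dll.name} loaded from {dll.parent}")

    # Rule 2: an unsigned DLL loaded from the loader's own directory, with the
    # loader itself sitting outside the normal install roots.  This is the
    # shape described in the article: legitimate EXE, malicious DLL beside it.
    same_dir = str(dll.parent).lower() == str(loader.parent).lower()
    if unsigned and same_dir and not _under(loader, INSTALL_ROOTS):
        reasons.append(f"unsigned {dll.name} loaded by {loader.name} from {loader.parent}")

    return reasons


def scan_image_loads(events) -> dict:
    """Map ImageLoaded path -> reasons for every record that triggered a rule."""
    findings = {}
    for ev in events:
        reasons = analyze_image_load(ev)
        if reasons:
            findings[ev["ImageLoaded"]] = reasons
    return findings


# Constructed sample telemetry (not from the report).
SAMPLE_IMAGE_LOADS = [
    # Normal: installed application loading the real version.dll.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    # Side-loading: old scanner binary dropped to ProgramData with a planted version.dll.
    {"Image": r"C:\ProgramData\Updater\scanner.exe",
     "ImageLoaded": r"C:\ProgramData\Updater\version.dll", "Signed": "false"},
    # Side-loading with a non-system DLL name (only the same-directory rule fires).
    {"Image": r"C:\Users\Public\Tools\viewer.exe",
     "ImageLoaded": r"C:\Users\Public\Tools\imghelper.dll", "Signed": "false"},
    # Unsigned plugin of a properly installed application: tolerated by these rules.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for path, why in scan_image_loads(SAMPLE_IMAGE_LOADS).items():
        print(path, "->", "; ".join(why))
```

The second rule deliberately ignores unsigned DLLs under Program Files, because many legitimate applications ship unsigned plugins there; the point of the article's advice is to find the outliers, which are old binaries staged in writable locations next to a DLL nobody installed. In production the DLL-name list and the install roots should be tuned to the estate, and hits should be joined against the software inventory to surface packages the organization does not officially use.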

Attacks usually unfold as follows: once backdoor access is gained, the attackers use Mimikatz and ProcDump to steal credentials. In some cases, the attackers dump credentials via the registry, the Symantec team said. “They then use network scanning tools to identify other computers of interest, such as those running RDP, which could facilitate lateral movement. They leverage ‘PsExec’ to run old versions of legitimate software, which are then used to load additional malware tools such as off-the-shelf RATs via DLL side-loading on other computers on the networks,” they added.

Furthermore, the attackers also use a number of living-off-the-land tools such as ‘Ntdsutil’ to mount snapshots of Active Directory servers in order to gain access to Active Directory databases and log files, the post said. The ‘Dnscmd’ command line tool is also used to enumerate network zone information, it added.

Dnscmd is a Microsoft command-line tool for managing DNS servers. It can be used to script batch files to help automate routine DNS management tasks or to perform routine setup of new DNS servers. The enumzones command (dnscmd <ServerName> /enumzones) lists the zones that exist on the specified DNS server. If no filters such as /primary or /secondary are specified, a complete list of zones is returned, which gives an attacker a map of the internal namespace in a single command.
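The post-compromise chain described in the preceding paragraphs (ProcDump and registry-based credential dumps, Ntdsutil snapshots of the AD database, Dnscmd zone enumeration, PsExec for remote execution) consists of living-off-the-land commands whose arguments are a far more stable detection surface than the tool file names, which attackers can rename. The Python below is an added example written for this article, not Symantec's code. It assumes Sysmon-style ProcessCreate (Event ID 1) records carrying a CommandLine field, and the sample command lines are constructed for the demonstration rather than taken from the report.

```python
"""Flag living-off-the-land commands from the post-compromise chain in
Sysmon-style ProcessCreate records.

Added example for this article, not Symantec's code.  Records are assumed to
carry a CommandLine field as in Sysmon Event ID 1; the sample command lines
below are constructed for the demonstration.
"""
import re

# (tag, pattern): each pattern matches one of the techniques the article
# describes.  Tool file names are weak indicators on their own (attackers
# rename binaries), so the patterns key on the arguments where possible.
RULES = [
    # ProcDump pointed at LSASS, Mimikatz's sekurlsa/lsadump modules, and
    # "reg save" of the SAM/SYSTEM/SECURITY hives (credentials via the registry).
    ("credential_dump", re.compile(r"\bprocdump(?:64)?(?:\.exe)?\b.*\blsass\b", re.I)),
    ("credential_dump", re.compile(r"\b(?:sekurlsa|lsadump)::", re.I)),
    ("credential_dump", re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    # Ntdsutil snapshot/IFM operations expose the AD database (ntds.dit).
    ("ad_database", re.compile(r"\bntdsutil(?:\.exe)?\b.*\b(?:snapshot|ifm)\b", re.I)),
    # Dnscmd zone enumeration against a DNS server.
    ("dns_recon", re.compile(r"\bdnscmd(?:\.exe)?\b.*/enumzones\b", re.I)),
    # PsExec used to start tools on other hosts.
    ("remote_exec", re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b", re.I)),
]


def classify(cmdline: str) -> list:
    """Return the sorted, de-duplicated technique tags matched by a command line."""
    return sorted({tag for tag, pat in RULES if pat.search(cmdline)})


def scan_process_events(events) -> list:
    """Return (CommandLine, tags) for every record that matched at least one rule."""
    hits = []
    for ev in events:
        tags = classify(ev.get("CommandLine", ""))
        if tags:
            hits.append((ev["CommandLine"], tags))
    return hits


# Constructed sample telemetry (not from the report).
SAMPLE_PROCESS_EVENTS = [
    {"CommandLine": r"procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"},
    {"CommandLine": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"CommandLine": 'ntdsutil "activate instance ntds" snapshot create quit quit'},
    {"CommandLine": 'ntdsutil snapshot "list all" "mount 1" quit quit'},
    {"CommandLine": "dnscmd dc01 /enumzones"},
    {"CommandLine": r"psexec \\10.0.0.5 -s -d C:\ProgramData\Updater\scanner.exe"},
    {"CommandLine": "svchost.exe -k netsvcs"},       # benign
    {"CommandLine": "dnscmd /info"},                 # benign: no zone enumeration
]

if __name__ == "__main__":
    for cmd, tags in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(",".join(tags), "<-", cmd)
```

Each of these commands is legitimate administrative activity in isolation, so the rules are meant to feed a correlation step rather than page on their own: a credential_dump followed within minutes by remote_exec from the same host, or ad_database activity from a machine that is not a domain controller or a known backup server, is what distinguishes the chain the article describes from routine operations.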

Check Point researchers revealed in May details of a targeted campaign that has been using sanctions-related baits to attack at least two Russian defense research institutes, which belong to a holding company within the Russian state-owned defense conglomerate Rostec Corporation. 

In April, the Symantec team detailed a Chinese state-backed advanced persistent threat (APT) group, Cicada, attacking organizations around the globe in a likely espionage campaign that has been ongoing for several months. Victims in the Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations (NGOs) across countries around the world, including in Europe, Asia, and North America.
