A group of threat actors previously associated with the ShadowPad remote access Trojan (RAT) has adopted a new toolset to conduct campaigns against various government and state-owned organizations across multiple Asian countries.
The news comes from the Threat Hunter Team at Symantec, who published a new advisory about the threats earlier today.
According to the document, the attacks have been underway since early 2021 and appear focused on intelligence gathering.
In terms of tools used to conduct the attacks, the threat actors reportedly leveraged several legitimate software packages to load malware payloads using a technique known as DLL side-loading.
The attack works by placing a malicious dynamic link library (DLL) in a directory where the application expects to find a legitimate DLL of the same name. The attacker then runs the legitimate application, which loads the planted DLL in place of the real one and so executes the payload.
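The side-loading pattern described above leaves a recognisable trace in image-load telemetry: a DLL whose name belongs in the Windows system directory is instead resolved from somewhere else, very often the folder of the executable that loaded it. The following script is an added example, not code from the Symantec advisory, that applies that heuristic to records shaped like Sysmon Event ID 7 (ImageLoaded). The DLL names, paths and sample records are constructed for the example.

```python
"""Triage image-load telemetry for the DLL side-loading pattern.

Added example, not code from the Symantec advisory. The records below are
constructed to mirror the fields of Sysmon Event ID 7 (ImageLoaded):
the loading process, the DLL path that was mapped, and whether the DLL's
Authenticode signature validated.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names that ship in the Windows system directories. A real deployment
# would build this set from a known-good inventory of System32/SysWOW64;
# these three entries are assumptions chosen to match the sample data.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "secur32.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    image: str         # process that performed the load
    image_loaded: str  # full path of the DLL that was mapped
    signed: bool       # True if the DLL's signature validated


@dataclass(frozen=True)
class Finding:
    image: str
    image_loaded: str
    same_dir_as_exe: bool  # DLL resolved from the application's own directory
    signed: bool


def _parent_lower(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def side_load_candidates(loads):
    """Return loads where a system-DLL name was resolved outside the system dirs."""
    findings = []
    for rec in loads:
        dll = PureWindowsPath(rec.image_loaded)
        if dll.name.lower() not in SYSTEM_DLL_NAMES:
            continue                      # not a name the loader expects in System32
        dll_dir = _parent_lower(rec.image_loaded)
        if dll_dir in SYSTEM_DIRS:
            continue                      # ordinary load from the system directory
        # A system-DLL name satisfied from the application's directory is the
        # side-loading pattern: the loader searched the EXE's folder first.
        findings.append(Finding(
            image=rec.image,
            image_loaded=rec.image_loaded,
            same_dir_as_exe=(dll_dir == _parent_lower(rec.image)),
            signed=rec.signed,
        ))
    return findings


# Constructed sample telemetry (paths and names are made up for the example).
SAMPLE_LOADS = [
    ImageLoad(r"C:\Program Files\Internet Explorer\iexplore.exe",
              r"C:\Windows\System32\version.dll", True),            # normal
    ImageLoad(r"C:\Users\Public\Libraries\svc\oldav.exe",
              r"C:\Users\Public\Libraries\svc\version.dll", False),  # flagged
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\dwmapi.dll", True),             # normal
    ImageLoad(r"C:\Program Files\Vendor\tool.exe",
              r"C:\Program Files\Vendor\helper.dll", False),        # vendor DLL, ignored
]

if __name__ == "__main__":
    for f in side_load_candidates(SAMPLE_LOADS):
        print(f"{f.image} loaded {f.image_loaded} "
              f"(same dir as exe: {f.same_dir_as_exe}, signed: {f.signed})")
```

The heuristic fires for any application that ships a private copy of a DLL with a system name, so expect some legitimate hits; an allow-list keyed on process path and signer keeps those out. Because the advisory notes that several legitimate packages were chained in a single attack, grouping findings by host and time window is what turns individual hits into a case.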
For these specific attacks, Symantec said the threat actors often used multiple software packages in a single attack, including outdated versions of security software, graphics software and web browsers, alongside legitimate system files from Windows XP.
“The reason for using outdated versions is that most current versions of the software used would have mitigation against side-loading built in,” explained the security experts.
Once backdoor access was gained, Symantec said attackers used Mimikatz and ProcDump to steal credentials. They then used various network scanning tools to identify other computers that could facilitate lateral movement.
“The attackers also use a number of living-off-the-land tools such as Ntdsutil to mount snapshots of Active Directory servers in order to gain access to Active Directory databases and log files. The Dnscmd command line tool is also used to enumerate network zone information,” reads the advisory.
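Ntdsutil, Dnscmd and ProcDump are all legitimate, signed utilities, which is exactly why the advisory groups them under living-off-the-land; the detection opportunity is in how they are invoked. The script below is an added example, not code from the Symantec advisory, that runs a few command-line rules over records shaped like the CommandLine field of Sysmon Event ID 1 or Security event 4688. The rule set and the sample lines are constructed for the example; `/enumzones` and the `snapshot` subcommand are the real Dnscmd and Ntdsutil options that correspond to the behaviour the advisory describes.

```python
"""Flag living-off-the-land command lines from process-creation telemetry.

Added example, not code from the Symantec advisory. The sample command lines
are constructed to resemble the CommandLine field of Sysmon Event ID 1 or
Windows Security event 4688; the paths and process id are made up.
"""
import re
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    pattern: re.Pattern
    note: str


# Each rule targets a tool the advisory names, constrained to the usage the
# article describes so that routine invocations generate less noise.
RULES = [
    Rule("ntdsutil-snapshot",
         re.compile(r"\bntdsutil(\.exe)?\b.*\bsnapshot\b", re.I),
         "Ntdsutil snapshot operations expose the AD database files"),
    Rule("dnscmd-enumzones",
         re.compile(r"\bdnscmd(\.exe)?\b.*/enumzones\b", re.I),
         "Dnscmd zone enumeration used for network reconnaissance"),
    Rule("procdump",
         re.compile(r"\bprocdump(64)?(\.exe)?\b", re.I),
         "ProcDump is a signed Sysinternals tool abused to dump process memory"),
]


def scan(command_lines):
    """Return (rule name, command line) for each line matching a rule."""
    hits = []
    for line in command_lines:
        for rule in RULES:
            if rule.pattern.search(line):
                hits.append((rule.name, line))
                break  # one finding per line is enough for triage
    return hits


# Constructed sample telemetry; two benign lines bracket the suspicious ones.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\svchost.exe -k netsvcs',
    r'C:\Windows\System32\ntdsutil.exe snapshot "list all" quit quit',
    r'dnscmd.exe /enumzones',
    r'C:\Users\Public\procdump64.exe -accepteula 1234 C:\Users\Public\out.dmp',
    r'powershell.exe -NoProfile Get-Process',
]

if __name__ == "__main__":
    for name, line in scan(SAMPLE_COMMAND_LINES):
        print(f"[{name}] {line}")
```

Because all three binaries have legitimate administrative uses, the hits need context before they become alerts: which account ran the command, and whether the host is one where that tool belongs (Dnscmd from a workstation rather than a DNS server is far more interesting than the reverse). Name-based rules also miss renamed copies, so pair them with the OriginalFileName field and file hashes. Mimikatz is not in this rule set on purpose: it is rarely invoked under its own name, and LSASS access telemetry such as Sysmon Event ID 10 is a more reliable signal for the credential theft the advisory describes.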
Symantec has included indicators of compromise in the document to help companies defend their systems from these attacks. They are available in the advisory’s original text.
The hacking campaign is not the only one in recent months targeting Asia. In June, cybersecurity firm Kaspersky uncovered an attack campaign targeting unpatched Microsoft Exchange servers in different Asian countries.