Feb 14, 2023 | Ravie Lakshmanan
Microsoft on Monday attributed a set of attacks targeting
diplomatic entities in South America to a China-based cyber
espionage actor.
The tech giant’s Security Intelligence team is tracking the
cluster under the emerging moniker DEV-0147,
describing[1]
the activity as an “expansion of the group’s data exfiltration
operations that traditionally targeted government agencies and
think tanks in Asia and Europe.”
The threat actor is said to use established hacking tools such
as ShadowPad to infiltrate targets and maintain persistent
access.
ShadowPad, also called PoisonPlug, is a successor[2]
to the PlugX remote access trojan[3] and has been widely put
to use by Chinese adversarial collectives with links to the
Ministry of State Security (MSS) and People’s Liberation Army
(PLA), per Secureworks.
One of the other malicious payloads put to use by DEV-0147 is a
webpack loader called QuasarLoader, which allows for
deploying additional payloads onto the compromised hosts.
Redmond did not disclose the method DEV-0147 might be using to
gain initial access to a target environment. That said, phishing
and opportunistic targeting of unpatched applications are likely
vectors.
“DEV-0147’s attacks in South America included post-exploitation
activity involving the abuse of on-premises identity infrastructure
for recon and lateral movement, and the use of Cobalt Strike for
command-and-control and data exfiltration,” Microsoft said.
DEV-0147 is far from the only China-based advanced persistent
threat (APT) to leverage ShadowPad in recent months.
In September 2022, NCC Group unearthed[4]
details of an attack aimed at an unnamed organization that
leveraged a critical flaw in WSO2 (CVE-2022-29464[5], CVSS score: 9.8) to
drop web shells and activate an infection chain that led to the
delivery of ShadowPad for intelligence gathering.
ShadowPad has also been employed[6]
by unidentified threat actors in an attack targeting an ASEAN
member foreign ministry through the successful exploitation[7]
of a vulnerable, Internet-exposed Microsoft Exchange Server[8].
The activity, dubbed REF2924 by Elastic Security Labs, has been
observed to share tactics with other nation-state groups such as
Winnti[9] (aka APT41) and ChamelGang[10].
“The REF2924 intrusion set […] represents an attack group that
appears focused on priorities that, when observed across campaigns,
align with a sponsored national strategic interest,” the company
noted.
The fact that Chinese hacking groups continue to use ShadowPad,
despite it being well documented over the years, suggests the
tooling is still yielding results for them.
References
[1] describing (twitter.com)
[2] successor (thehackernews.com)
[3] PlugX remote access trojan (thehackernews.com)
[4] unearthed (research.nccgroup.com)
[5] CVE-2022-29464 (nvd.nist.gov)
[6] employed (www.elastic.co)
[7] successful exploitation (www.elastic.co)
[8] Microsoft Exchange Server (thehackernews.com)
[9] Winnti (thehackernews.com)
[10] ChamelGang (thehackernews.com)
[11] Twitter (twitter.com)
[12] LinkedIn (www.linkedin.com)
Source: https://thehackernews.com/2023/02/chinese-hackers-targeting-south.html