
Microsoft announced Monday that China-based cyber espionage actors have been linked to a series of attacks targeting diplomatic entities in South America.
The tech giant's Security Intelligence team is tracking the cluster under the emerging moniker DEV-0147, describing the activity as "an expansion of the group's data exfiltration operations, which have traditionally targeted government agencies and think tanks in Asia and Europe."
The threat actor is said to rely on established hacking tools such as ShadowPad to infiltrate targets and maintain persistent access.
According to Secureworks, ShadowPad, also known as PoisonPlug, is the successor to the PlugX remote access trojan and is widely used by Chinese adversarial groups with ties to the Ministry of State Security (MSS) and the People's Liberation Army (PLA).
Another malicious tool used by DEV-0147 is a webpack loader called QuasarLoader, which allows additional payloads to be deployed onto compromised hosts.
Microsoft did not disclose how DEV-0147 gains initial access to target environments, although phishing and opportunistic exploitation of unpatched applications are likely vectors.
"DEV-0147 attacks in South America included post-exploitation activities, including exploitation of on-premises identity infrastructure for reconnaissance and lateral movement, and use of Cobalt Strike for command and control and data exfiltration," said Microsoft.

DEV-0147 is not the only China-based advanced persistent threat (APT) group to have used ShadowPad in recent months.
In September 2022, NCC Group detailed an attack against an unnamed organization that exploited a critical WSO2 flaw (CVE-2022-29464, CVSS score: 9.8) to drop a web shell and activate an infection chain that ultimately delivered ShadowPad for intelligence gathering.
ShadowPad has also been used by unidentified threat actors in attacks targeting the foreign ministries of ASEAN member states, following the successful exploitation of vulnerable internet-facing Microsoft Exchange servers.
Named REF2924 by Elastic Security Labs, the operation has been observed to share tactical overlaps with those of other nation-state groups such as Winnti (aka APT41) and ChamelGang.
"REF2924 intrusion set […], when viewed across campaigns, represents a threat group that appears to be focused on priorities consistent with the strategic interests of the nation served by the sponsor," the company said.
The fact that Chinese hacking groups continue to use ShadowPad, despite the malware having been well documented over the years, suggests the tooling continues to deliver results for them.