A group of threat actors previously associated with the ShadowPad remote access Trojan (RAT) has adopted a new toolset to conduct campaigns against various government bodies and state-owned businesses across several Asian nations.
The news comes from the Threat Hunter Team at Symantec, who published a new advisory about the threats earlier today.
According to the document, the attacks have been underway since early 2021 and appear focused on intelligence gathering.
In terms of tools used to conduct the attacks, the threat actors reportedly leveraged several legitimate software packages to load malware payloads using a technique known as DLL side-loading.
The attack method involves threat actors placing a malicious dynamic link library (DLL) in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application, which in turn loads and executes the payload.
For these specific attacks, Symantec said the threat actors often used multiple software packages in a single attack, including outdated versions of security software, graphics software and web browsers, along with legitimate system files from Windows XP.
“The reason for using outdated versions is that most current versions of the software used would have mitigation against side-loading built-in,” explained the security experts.
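A defensive sketch of the side-loading pattern described above, added here as an example and not taken from the Symantec advisory: it scores image-load records for a DLL picked up from beside its host executable. The records are constructed, with field names modelled on Sysmon Event ID 7; the trusted-directory list, the DLL-name set and the function names are assumptions.

```python
import ntpath

# Assumption: install roots that standard users cannot write to.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: a few DLL names that normally resolve from System32.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll"}
SYSTEM32 = "c:\\windows\\system32"

def sideload_reasons(event):
    """Return the reasons one image-load record resembles DLL side-loading."""
    exe_dir = ntpath.dirname(ntpath.normcase(event["Image"]))
    dll = ntpath.normcase(event["ImageLoaded"])
    if ntpath.dirname(dll) != exe_dir:
        return []  # DLL was not picked up from beside the executable
    reasons = []
    writable = not (exe_dir + "\\").startswith(TRUSTED_ROOTS)
    if writable and not event["Signed"]:
        reasons.append("unsigned DLL beside executable in user-writable directory")
    if ntpath.basename(dll) in SYSTEM_DLLS and exe_dir != SYSTEM32:
        reasons.append("system DLL name loaded from application directory")
    return reasons

def find_sideloading(events):
    """Return (record, reasons) pairs for every record with at least one reason."""
    flagged = []
    for event in events:
        reasons = sideload_reasons(event)
        if reasons:
            flagged.append((event, reasons))
    return flagged

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": True},
    {"Image": r"C:\ProgramData\Updater\viewer.exe",
     "ImageLoaded": r"C:\ProgramData\Updater\version.dll", "Signed": False},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": True},
    {"Image": r"C:\Users\Public\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
]

if __name__ == "__main__":
    for event, reasons in find_sideloading(SAMPLE_EVENTS):
        print(event["ImageLoaded"], "->", "; ".join(reasons))
```

Legitimate applications also ship unsigned DLLs in user-writable directories, so the output is a triage list to review alongside the age and origin of the host executable, not a verdict.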
Once backdoor access was gained, Symantec said the attackers used Mimikatz and ProcDump to steal credentials. They then used a number of network scanning tools to identify other computers that could facilitate lateral movement.
“The attackers also use a number of living-off-the-land tools such as Ntdsutil to mount snapshots of Active Directory servers in order to gain access to Active Directory databases and log files. The Dnscmd command line tool is also used to enumerate network zone information,” reads the advisory.
Symantec has included indicators of compromise in the document to help companies defend their systems against these attacks. They are available in the advisory’s original text.
The hacking campaign is not the only one in recent months targeting Asia. In June, cybersecurity firm Kaspersky uncovered an attack campaign targeting unpatched Microsoft Exchange servers in various Asian countries.