
Cybersecurity researchers have revealed details of an advanced persistent threat (APT) group called Silver Dragon that has been linked to cyberattacks targeting organizations in Europe and Southeast Asia since at least mid-2024.
“Silver Dragon gains initial access by exploiting public internet servers and delivering phishing emails containing malicious attachments,” Check Point said in a technical report. “To maintain persistence, the group hijacks legitimate Windows services, allowing the malware process to blend into normal system activity.”
Silver Dragon is believed to operate under the umbrella of APT41. APT41 is the code name assigned to a prolific Chinese hacker group known for targeting the healthcare, communications, high-tech, education, travel services, and media sectors with cyberespionage as early as 2012. It is also believed to potentially carry out financially motivated activities outside of state control.
Silver Dragon attacks primarily target government agencies, and adversaries have been found to use Cobalt Strike beacons to persist on compromised hosts. They are also known to use techniques such as DNS tunneling for command and control (C2) communications to bypass detection.
Check Point said it has identified three different infection chains that result in Cobalt Strike: AppDomain hijacking, service DLLs, and email-based phishing.
“The first two infection chains, AppDomain hijacking and service DLLs, clearly demonstrate operational overlap,” the cybersecurity firm said. “These are both delivered via compressed archives, suggesting their use in post-exploitation scenarios. In some cases, these chains were deployed after the compromise of publicly exposed vulnerable servers.”
Two of the chains use a RAR archive containing a batch script. In the first, the script drops MonikerLoader, a .NET-based loader responsible for decrypting and executing the second stage directly in memory. The second stage mimics the behavior of MonikerLoader and acts as a conduit for loading the final Cobalt Strike beacon payload.
The service DLL chain, on the other hand, uses the batch script to deliver a shellcode DLL loader called BamboLoader, which is registered as a Windows service. BamboLoader is a highly obfuscated C++ malware that decrypts and unpacks staged shellcode from disk and injects it into legitimate Windows processes such as ‘taskhost.exe’; the binaries targeted for injection are configurable within BamboLoader.

The third infection chain primarily targets Uzbekistan and involves a phishing campaign that uses malicious Windows shortcuts (LNKs) as attachments. The weaponized LNK file is designed to launch PowerShell code via ‘cmd.exe’, leading to the next stage of payload extraction and execution. This stage contains four different files:
- Decoy document
- Legitimate executable file vulnerable to sideloading (“GameHook.exe”)
- Malicious DLL aka BamboLoader (“graphics-hook-filter64.dll”)
- Encrypted Cobalt Strike payload (“simhei.dat”)
As part of this campaign, a decoy document is displayed to the victim, while in the background a malicious DLL is sideloaded via GameHook.exe, ultimately launching Cobalt Strike. This attack is also characterized by the deployment of various post-exploitation tools.
SilverScreen is a .NET screen monitoring tool used to capture periodic screenshots of user activity, including the precise cursor position. SSHcmd is a .NET command line SSH utility that provides remote command execution and file transfer functionality over SSH. GearDoor is a .NET backdoor that shares similarities with MonikerLoader and communicates with C2 infrastructure via Google Drive.
Once executed, the backdoor authenticates to an attacker-controlled Google Drive account and uploads a heartbeat file containing basic system information. Interestingly, the backdoor uses different file extensions to indicate the nature of the task to be performed on the infected host. The task execution results are captured and uploaded to Drive.
- *.png: sends the heartbeat file.
- *.pdf: receives and executes commands that list directory contents, create new directories, and delete all files in the specified directory. The results of the operation are sent to the server in the form of *.db files.
- *.cab: receives and executes commands that collect host information and a list of running processes, enumerate files and directories, run commands via “cmd.exe” or scheduled tasks, upload files to Google Drive, and terminate the implant. Run status is uploaded as a .bak file.
- *.rar: receives the payload and executes it. If the RAR file is named “wiatrace.bak”, the backdoor treats it as a self-updating package. Results are uploaded as .bak files.
- *.7z: receives and executes plugins in memory. Results are uploaded as .bak files.
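The extension-based tasking above gives defenders a behavioural pattern to hunt for in cloud-storage activity. The following is an added example (not Check Point's code or anything from the report): it scores per-host Google Drive activity for the full GearDoor cycle of heartbeat upload, task download and result upload, and flags the “wiatrace.bak” self-update name. The log line format, hostnames and filenames are constructed assumptions.

```python
import re
from collections import defaultdict
# Extension roles on GearDoor's Google Drive channel, as described in the report.
HEARTBEAT_EXTS = {"png"}                 # implant -> Drive: heartbeat with system info
TASK_EXTS = {"pdf", "cab", "rar", "7z"}  # Drive -> implant: commands, payloads, plugins
RESULT_EXTS = {"db", "bak"}              # implant -> Drive: task results / run status
SELF_UPDATE_NAME = "wiatrace.bak"        # payload with this name is a self-update package
# (action, extension) -> counter name, built once from the sets above.
ROLE = {("upload", e): "heartbeats" for e in HEARTBEAT_EXTS}
ROLE.update({("upload", e): "results" for e in RESULT_EXTS})
ROLE.update({("download", e): "tasks" for e in TASK_EXTS})
# Constructed log format (an assumption): "<timestamp> <host> <upload|download> <filename>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(upload|download)\s+(\S+)$")

def parse_line(line):
    """Parse one activity record; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, action, name = m.groups()
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return {"ts": ts, "host": host, "action": action, "name": name, "ext": ext}

def assess(lines):
    """Per host, count heartbeat/task/result events and flag only the full cycle,
    so a user who uploads a photo and downloads a PDF does not trip the rule."""
    hosts = defaultdict(lambda: {"heartbeats": 0, "tasks": 0, "results": 0,
                                 "self_update": False, "suspicious": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        st = hosts[ev["host"]]
        role = ROLE.get((ev["action"], ev["ext"]))
        if ev["action"] == "download" and ev["name"].lower() == SELF_UPDATE_NAME:
            role, st["self_update"] = "tasks", True   # self-update package counts as tasking
        if role:
            st[role] += 1
    for st in hosts.values():
        st["suspicious"] = st["heartbeats"] > 0 and st["tasks"] > 0 and st["results"] > 0
    return dict(hosts)

# Constructed sample activity: HOST-A shows the full GearDoor cycle, HOST-B does not.
SAMPLE_LOG = """
2025-03-01T08:00:01Z HOST-A upload 1f3a.png
2025-03-01T08:00:40Z HOST-A download task01.cab
2025-03-01T08:00:55Z HOST-A upload 1f3a.bak
2025-03-01T08:06:10Z HOST-A download wiatrace.bak
2025-03-01T09:00:00Z HOST-B upload holiday.png
2025-03-01T09:01:00Z HOST-B download report.pdf
""".strip().splitlines()
```

Running `assess(SAMPLE_LOG)` flags HOST-A (one heartbeat, two task downloads including the self-update, one result upload) and leaves HOST-B unflagged.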
The connection between Silver Dragon and APT41 stems from the overlap in post-exploit installation scripts and tradecraft previously attributed to the latter, as well as the fact that the decryption mechanism used by BamboLoader has been observed in shellcode loaders associated with China-aligned APT operations.
“The group is continually evolving its tools and technology, actively testing and introducing new features across a variety of campaigns,” Check Point said. “The use of diverse vulnerability exploits, custom loaders, and sophisticated file-based C2 communications reflects a resource-rich and adaptable threat group.”
