Previously, unknown threat activity clusters targeted European organizations, particularly those in the health sector, so they deployed Plugx and its successor Shadowpad, which ultimately led to the deployment of ransomware called Nailaolocker. Ta.
The campaign was codenamed Green Nailao by Orange Cyberdefense Cert and involved the use of new security flaws in the Checkpoint Network Gateway Security Product (CVE-2024-24919, CVSS score: 7.5). . The attack was observed between June and October 2024.
“The campaign relied on hijacking DLL search orders to deploy ShadowPad and Plugx, two implants associated with target invasions in China and Nexus,” the company said in a statement. It was mentioned in a shared technical report.
The initial access provided by the exploitation of vulnerable checkpoint instances is said to have allowed threat actors to obtain user credentials and connect to the VPN using legitimate accounts.
In the next stage, the attacker obtains high privileges by performing network reconnaissance and lateral movements via Remote Desktop Protocol (RDP), then executes a legitimate binary (“ogger.exe”). The malformed dll (“logexts.dll”) will act as a loader for newer versions of ShadowPad malware.
Previous iterations of the attack detected in August 2024 have been found to leverage similar commercials to deliver Plugx. This uses the McAfee executable (“Mcoemcpy.exe”) to sideload “McUtil.dll” using the DLL sideload.
Like Plugx, ShadowPad is a privately sold malware that has been used exclusively by Chinese spyers since at least 2015. The variant identified by the orange cyber-defense certificate is sophisticated obfuscation, along with establishing communication with the remote server to create permanent remote access. and anti-Debug measurements. Victim system.
There is evidence suggesting that the threat actor attempted to remove the data by accessing the file system and creating a ZIP archive. The intrusion culminates in the use of Windows Management Instrumentation (WMI) with three files, a legitimate executable signed by Beijing Huorong Network Technology Co., Ltd (“Usysdiag.exe”), a loader named Nailaoloader ( “sensapi.dll”) and Nailaolocker (“usysdiag.exe.dat”).
Again, the DLL file is sideloaded via “usysdiag.exe” to encrypt the file, add it with a “locked” extension, and request a victim. Make a Bitcoin payment or contact them via your Proton email address.
“Nailaolocker is relatively unslearned, poorly designed and doesn’t seem to be intended to guarantee full encryption,” said Marine Pichon and Alexis Bonnefoi.
“We don’t scan network sharing and we don’t stop services or processes that can prevent the encryption of certain important files. [and] It does not control whether it is being debugged or not. ”
Orange is moderate to threat actors lined up in China due to the use of shadow pad implants, the use of DLL sideloading technology, and the fact that similar ransomware schemes are attributed to another Chinese threat group in bronze colour. I returned to my activities with confidence. Starlight.
Furthermore, to sideload the next stepped payload of “usysdiag.exe” it was previously installed in attacks attached by a China-related intrusion set (aka STAC1248) tracked by Sophos under the name Cluster Alpha was observed.
The exact targets of the spy and ransomware campaign are unknown, but it is suspected that threat actors are trying to make quick profits on their side.
“This could help explain the refined contrast between Shadowpad and Nailaolocker, and Nailaolocker may even try to mimic Shadowpad’s loading techniques,” the researchers said. “Though such campaigns can be opportunistic, they often allow threat groups to access information systems that can be used to carry out other attack operations.”
Source link
