
A threat activity cluster known as ShadowSilk has been attributed to a new set of attacks targeting government agencies in Central Asia and the Asia-Pacific (APAC) region.
Nearly 30 victims have been identified, with the intrusions primarily aimed at data exfiltration, according to Group-IB. The hacking group shares overlaps in tooling, infrastructure and campaigns with threat actors tracked as YoroTrooper, SturgeonPhisher and Silent Lynx.
Victims of the group's campaign are located in Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan and Turkmenistan.
“The operation is run by a bilingual crew. Russian-speaking developers lead the legacy YoroTrooper codebase, and Chinese-speaking operators bring an agile, multi-regional threat profile.” “The exact depth and nature of the cooperation between these two subgroups remains uncertain.”

YoroTrooper was first publicly documented by Cisco Talos in March 2023, which detailed attacks targeting governments, energy and international organizations across Europe since at least June 2022.
Subsequent analyses revealed that the hacking group is likely made up of Kazakh individuals, based on its members' fluency in Kazakh and Russian, and that it appears to make a deliberate effort to avoid targets in its own country.
Then, in early January this year, Seqrite Labs uncovered a cyber attack campaign dubbed Silent Lynx that singled out various organizations in Kyrgyzstan and Turkmenistan. It also characterized the threat actor as overlapping with YoroTrooper.
ShadowSilk represents the latest evolution of the threat actor, leveraging spear-phishing emails as the initial access vector to deliver password-protected archives, hiding command-and-control (C2) traffic within Telegram bot communications to evade detection, and dropping custom loaders that fetch additional payloads. Persistence is achieved by modifying the Windows Registry so that the malware runs automatically after a system restart.

The threat actor has also been observed exploiting known vulnerabilities in Drupal (CVE-2018-7600 and CVE-2018-7602) and the WP-Automatic WordPress plugin (CVE-2024-27956) to deploy Cobalt Strike.
Additionally, ShadowSilk has incorporated into its arsenal JRAT and the MORF Project web panel, both obtained from darknet forums, to manage infected devices. Another notable aspect is the compromise of legitimate websites to host malicious payloads.
“Once inside the network, ShadowSilk deploys web shells [such as ANTSWORD, Behinder, Godzilla, and FinalShell], Sharp-based post-exploitation tools, and tunneling utilities like resocks and Chisel to move laterally, escalate privileges, and siphon data,” the researchers said.

The attacks have also been observed paving the way for Python-based remote access trojans (RATs) that receive commands from, and exfiltrate data to, Telegram bots, allowing the malicious traffic to be disguised as legitimate messenger activity. Cobalt Strike and Metasploit modules are used to grab screenshots and webcam photos, while a custom PowerShell script scans for files matching a predefined list of extensions, copies them into a ZIP archive, and then sends the archive to an external server.
The Singaporean company assessed that the YoroTrooper group's operators are fluent in Russian and are likely engaged in malware development and in obtaining initial access.
However, a series of screenshots capturing one of the attackers' workstations (showing the active keyboard layouts, automatic translation of a Kyrgyzstan government website into Chinese, and a Chinese vulnerability scanner) points to the involvement of Chinese operators.
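The two behaviours the article describes in most detail are Windows Registry Run-key persistence and a script host that stages files into a ZIP archive and talks to the Telegram bot API. The following is an added detection example written for this page, not Group-IB's or the threat actor's code: it runs three rules over a handful of constructed endpoint telemetry records and then correlates, per host, archive staging by a script host with a Telegram API connection from the same kind of process. The field names, the allowlist of messenger processes and the set of script hosts are assumptions; in a real deployment they would be mapped onto your EDR or Sysmon schema and your environment's known-good software.

```python
import re
from collections import defaultdict

# Autostart registry paths; matches HKCU and HKLM Run and RunOnce keys.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TELEGRAM_HOSTS = {"api.telegram.org"}
# Assumed allowlist: the only process expected to reach the Telegram API on these hosts.
MESSENGER_PROCESSES = {"telegram.exe"}
# Script hosts the article associates with staging (PowerShell) plus common relatives.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "wscript.exe", "cscript.exe"}

# CONSTRUCTED sample telemetry; field names are assumptions, not an exact Sysmon schema.
SAMPLE_EVENTS = [
    {"time": "2025-07-01T08:02:11Z", "host": "WS-01", "type": "registry_set",
     "image": r"C:\Users\alice\AppData\Roaming\svc\update.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"time": "2025-07-01T08:05:40Z", "host": "WS-01", "type": "network",
     "image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"time": "2025-07-01T08:09:03Z", "host": "WS-01", "type": "file_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\docs.zip"},
    {"time": "2025-07-01T08:09:27Z", "host": "WS-01", "type": "network",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"time": "2025-07-01T08:10:00Z", "host": "WS-02", "type": "registry_set",
     "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"time": "2025-07-01T08:11:15Z", "host": "WS-02", "type": "network",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]


def process_name(image: str) -> str:
    """Return the lower-cased file name from a full image path."""
    return image.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Evaluate one event against the three rules; return (rule, detail) pairs."""
    findings = []
    image = process_name(ev.get("image", ""))
    if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["target"]):
        findings.append(("run_key_persistence", ev["target"]))
    elif ev["type"] == "network":
        # Telegram API traffic is only expected from the messenger client itself.
        if ev.get("dest_host", "").lower() in TELEGRAM_HOSTS and image not in MESSENGER_PROCESSES:
            findings.append(("telegram_c2_from_non_messenger", image))
    elif ev["type"] == "file_create":
        # A script host writing a ZIP archive is the staging step the article describes.
        if ev["target"].lower().endswith(".zip") and image in SCRIPT_HOSTS:
            findings.append(("script_host_staged_archive", ev["target"]))
    return findings


def scan(events: list) -> list:
    """Run every rule over every event and return flattened hit records."""
    hits = []
    for ev in events:
        for rule, detail in check_event(ev):
            hits.append({"time": ev["time"], "host": ev["host"], "rule": rule,
                         "image": process_name(ev.get("image", "")), "detail": detail})
    return hits


def correlate(hits: list) -> list:
    """Hosts where a script host both staged an archive and reached the Telegram API."""
    rules_by_host = defaultdict(set)
    for h in hits:
        rules_by_host[h["host"]].add(h["rule"])
    needed = {"script_host_staged_archive", "telegram_c2_from_non_messenger"}
    return sorted(host for host, rules in rules_by_host.items() if needed <= rules)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["time"]} {h["host"]} {h["rule"]}: {h["image"]} -> {h["detail"]}')
    print("hosts with archive staging + Telegram C2:", correlate(found))
```

Each rule on its own is noisy in a real estate (legitimate installers write Run keys, and scripts legitimately create archives); the correlation step is what turns the article's narrative into an alert worth paging on, because a script host that both builds an archive and then speaks to api.telegram.org on the same machine is exactly the exfiltration pattern described.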
“Recent behavior shows that the group remains very active, with new victims identified as recently as July,” Group-IB said. “ShadowSilk continues to focus on the government sector in Central Asia and the broader APAC region, highlighting the importance of infrastructure monitoring to prevent long-term compromises and data exfiltration.”