Cyberthreat group DEV-0147 is deploying the ShadowPad RAT to hit diplomatic targets in South America, expanding from its traditional attack turf in Asia and Europe, Microsoft says.

China-based cyberespionage actor DEV-0147 has been observed compromising diplomatic targets in South America, according to Microsoft’s Security Intelligence team. The initiative is “a notable expansion of the group’s data exfiltration operations that traditionally targeted gov’t agencies and think tanks in Asia and Europe,” the team tweeted on Monday.

DEV-0147’s attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for reconnaissance and lateral movement, and the use of Cobalt Strike — a penetration testing tool — for command and control and data exfiltration, Microsoft wrote in its tweet.

Microsoft 365 Defender detects these DEV-0147 attacks through Microsoft Defender for Identity and Defender for Endpoint. “Organizations are also strongly advised to enforce MF,” Microsoft noted.

Chinese threat actors use ShadowPad RAT

DEV-0147 deploys ShadowPad — a RAT (remote access Trojan) — to achieve persistence. It uses QuasarLoader, a Webpack loader, to download and execute additional malware, Microsoft noted. Webpack is a module bundler for JavaScript.

Several researchers have associated ShadowPad with other China-based APT actors such as APT23, APT41, Axiom, Dagger Panda, Earth Lusca, Tonto Team, and Wet Panda.

ShadowPad, also known as PoisonPlug, is a successor to the PlugX RAT deployed by the Chinese government-sponsored Bronze Atlas threat group since at least 2017, according to a Secureworks analysis. “Analysis of ShadowPad samples revealed clusters of activity linked to threat groups affiliated with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People’s Liberation Army (PLA),” Secureworks said.
ShadowPad is decrypted in memory using a custom decryption algorithm. Multiple ShadowPad versions, each based on a distinct algorithm, have been identified. The RAT extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality.

ShadowPad payloads are deployed to a host either encrypted within a DLL (dynamic link library) loader or as a separate file alongside a DLL loader. These DLL loaders decrypt and execute ShadowPad in memory after being sideloaded by a legitimate executable that is vulnerable to DLL search order hijacking, according to Secureworks.

In September last year, the NCC Group observed an attack on an unnamed organization that exploited a flaw in software from WSO2 to deliver ShadowPad. WSO2 provides software tools for application development and IAM.

Earlier last year, in June, cybersecurity firm Kaspersky reported having observed a previously unknown Chinese-speaking threat actor attacking telecommunications, manufacturing, and transport organizations in several Asian countries, including Pakistan, Afghanistan, and Malaysia. During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems.
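The loader pattern Secureworks describes above, a trusted executable sideloading a look-alike DLL from its own directory, leaves a recognisable shape in image-load telemetry. The following is an added example, not code from the article or from Microsoft, Secureworks, NCC Group or Kaspersky: a small triage check that flags a signed executable loading an unsigned copy of a well-known system DLL from the executable's own directory rather than from the Windows system directory. The event records are constructed samples in a simplified Sysmon-style image-load shape; the executable names, paths and the DLL name list are illustrative assumptions, not indicators from the article.

```python
"""
Added example (not from the article or the vendors it cites): triage of
image-load events for the DLL search-order-hijacking / sideloading pattern.

Records are constructed samples in a simplified Sysmon-style ImageLoad shape
(loading image, its signature status, loaded DLL, its signature status).
Paths, names and the DLL list are illustrative assumptions.
"""
from dataclasses import dataclass
import ntpath

# Directories from which Windows normally resolves its own DLLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Well-known system DLL names that a sideloaded file can shadow when placed
# beside a trusted executable. Illustrative assumption, not an exhaustive list.
COMMONLY_HIJACKED = {
    "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "secur32.dll",
}


@dataclass(frozen=True)
class ImageLoad:
    image: str           # full path of the process that loaded the DLL
    image_signed: bool   # signature status of that executable
    loaded: str          # full path of the DLL that was loaded
    loaded_signed: bool  # signature status of the DLL


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed executable loads an unsigned copy of a well-known
    system DLL from its own directory instead of a system directory."""
    loaded_dir = ntpath.dirname(ev.loaded).lower()
    loaded_name = ntpath.basename(ev.loaded).lower()
    image_dir = ntpath.dirname(ev.image).lower()
    if loaded_name not in COMMONLY_HIJACKED:
        return False
    if loaded_dir in SYSTEM_DIRS:
        return False  # resolved to the genuine system copy
    return loaded_dir == image_dir and ev.image_signed and not ev.loaded_signed


def triage(events):
    """Return the paths of loading executables that match the sideload pattern."""
    return [ev.image for ev in events if is_sideload_candidate(ev)]


# Constructed sample events; every path and name here is made up.
SAMPLE_EVENTS = [
    # Normal: trusted executable loads the genuine system copy.
    ImageLoad(r"C:\Program Files\Vendor\updater.exe", True,
              r"C:\Windows\System32\version.dll", True),
    # Suspicious: the same signed executable copied to a user-writable folder,
    # loading an unsigned version.dll that sits next to it.
    ImageLoad(r"C:\Users\Public\Tools\updater.exe", True,
              r"C:\Users\Public\Tools\version.dll", False),
    # Unsigned DLL from the executable's directory, but not a hijack-prone
    # system name; left to other rules.
    ImageLoad(r"C:\Users\Public\Tools\updater.exe", True,
              r"C:\Users\Public\Tools\plugin.dll", False),
    # Unsigned executable loading an unsigned DLL: not the sideload shape,
    # since the point of sideloading is to borrow a trusted host's reputation.
    ImageLoad(r"C:\Temp\build\app.exe", False,
              r"C:\Temp\build\dbghelp.dll", False),
]

if __name__ == "__main__":
    for image in triage(SAMPLE_EVENTS):
        print("possible DLL sideloading by", image)
```

The check deliberately keys on the combination the article describes (trusted host plus a same-named DLL resolved from the host's directory) rather than on any single malware artifact, so it remains useful across ShadowPad versions that differ only in their in-memory decryption routine. In practice the DLL name list would be tuned to the executables present in the environment and the result fed to further review, not treated as a verdict.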