Cyberthreat group DEV-0147 is deploying the ShadowPad RAT to hit diplomatic targets in South America, expanding from its traditional attack turf in Asia and Europe, Microsoft says.

China-based cyberespionage actor DEV-0147 has been observed compromising diplomatic targets in South America, according to Microsoft’s Security Intelligence team. The initiative is “a notable expansion of the group’s data exfiltration operations that traditionally targeted gov’t agencies and think tanks in Asia and Europe,” the team tweeted on Monday.

DEV-0147’s attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for reconnaissance and lateral movement, and the use of Cobalt Strike — a penetration testing tool — for command and control and data exfiltration, Microsoft wrote in its tweet.

Microsoft 365 Defender detects these DEV-0147 attacks through Microsoft Defender for Identity and Defender for Endpoint. “Organizations are also strongly advised to enforce MFA,” Microsoft noted.

Chinese threat actors use ShadowPad RAT

DEV-0147 deploys ShadowPad — a RAT (remote access Trojan) — to achieve persistence. It uses QuasarLoader, a Webpack loader, to download and execute additional malware, Microsoft noted. Webpack is a module bundler for JavaScript.

Several researchers have associated ShadowPad with other China-based APT actors such as APT23, APT41, Axiom, Dagger Panda, Earth Lusca, Tonto Team, and Wet Panda.

ShadowPad, also known as PoisonPlug, is a successor to the PlugX RAT deployed by the Chinese government-sponsored Bronze Atlas threat group since at least 2017, according to a Secureworks analysis. “Analysis of ShadowPad samples revealed clusters of activity linked to threat groups affiliated with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People’s Liberation Army (PLA),” Secureworks said.
ShadowPad is decrypted in memory using a custom decryption algorithm; multiple ShadowPad versions, each based on a distinct algorithm, have been identified. The RAT extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend its functionality.

ShadowPad payloads are deployed to a host either encrypted within a DLL (dynamic link library) loader or as a separate file alongside a DLL loader. These DLL loaders decrypt and execute ShadowPad in memory after being sideloaded by a legitimate executable that is vulnerable to DLL search order hijacking, according to Secureworks.

In September last year, NCC Group observed an attack on an unnamed organization that took advantage of a flaw in software from WSO2 to deliver ShadowPad. WSO2 provides software tools for application development and IAM.

Earlier last year, in June, cybersecurity firm Kaspersky reported having observed a previously unknown Chinese-speaking threat actor attacking telecommunications, manufacturing, and transport organizations in several Asian countries such as Pakistan, Afghanistan, and Malaysia. During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems.
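The loader pattern described above (an unsigned DLL sideloaded by a legitimate executable, sometimes with the encrypted payload as a separate file beside it) gives defenders something concrete to hunt for. The following is an added detection sketch, not code from the article or from any vendor named in it; the file inventory, the System32 baseline list and every path in it are constructed for the example.

```python
"""Flag DLL search-order-hijacking (sideloading) candidates in a file inventory:
an unsigned DLL that sits beside a signed executable outside the Windows system
directories and carries the name of a DLL Windows normally loads from System32.
The inventory and the System32 baseline below are constructed for this example;
a real scan would build both from disk and from Authenticode signature checks."""
from __future__ import annotations
from pathlib import PureWindowsPath

# Constructed baseline of DLL names that legitimately live in System32.
SYSTEM32_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Constructed sample inventory (hypothetical paths, not real telemetry).
INVENTORY = [
    {"path": r"C:\ProgramData\Sync\legit.exe", "kind": "exe", "signed": True, "high_entropy": False},
    {"path": r"C:\ProgramData\Sync\version.dll", "kind": "dll", "signed": False, "high_entropy": False},
    {"path": r"C:\ProgramData\Sync\payload.dat", "kind": "other", "signed": False, "high_entropy": True},
    {"path": r"C:\Windows\System32\version.dll", "kind": "dll", "signed": True, "high_entropy": False},
    {"path": r"C:\Program Files\Tool\tool.exe", "kind": "exe", "signed": True, "high_entropy": False},
    {"path": r"C:\Program Files\Tool\helper.dll", "kind": "dll", "signed": False, "high_entropy": False},
]

def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def find_sideload_candidates(inventory: list[dict]) -> list[tuple[str, str, str]]:
    """Return (exe, dll, reason) triples for DLLs that look like sideloading loaders."""
    by_dir: dict[str, list[dict]] = {}
    for f in inventory:
        by_dir.setdefault(str(PureWindowsPath(f["path"]).parent).lower(), []).append(f)
    findings = []
    for directory, files in by_dir.items():
        if in_system_dir(directory):  # System32 copies are the legitimate ones
            continue
        signed_exes = [f for f in files if f["kind"] == "exe" and f["signed"]]
        # ShadowPad's encrypted payload may be a separate file next to the loader,
        # so a high-entropy non-PE sibling strengthens the finding.
        blob_sibling = any(f["kind"] == "other" and f["high_entropy"] for f in files)
        for dll in (f for f in files if f["kind"] == "dll" and not f["signed"]):
            if PureWindowsPath(dll["path"]).name.lower() not in SYSTEM32_DLLS:
                continue
            reason = "unsigned system-named DLL beside signed executable"
            if blob_sibling:
                reason += "; high-entropy sibling file (possible encrypted payload)"
            for exe in signed_exes:
                findings.append((exe["path"], dll["path"], reason))
    return findings
```

Run against the constructed inventory, only the ProgramData directory is flagged: the unsigned helper.dll under Program Files has no system-DLL name, and the real version.dll in System32 is skipped as the legitimate copy.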