Apurva Venkat
Special Correspondent

China-based cyberespionage actor seen targeting South America

News
Feb 15, 2023 | 3 mins
Advanced Persistent Threats | Cyberattacks | Remote Access Security

Cyberthreat group DEV-0147 is deploying the ShadowPad RAT to hit diplomatic targets in South America, expanding from its traditional attack turf in Asia and Europe, Microsoft says.

Credit: Getty Images / gorodenkoff

China-based cyberespionage actor DEV-0147 has been observed compromising diplomatic targets in South America, according to Microsoft’s Security Intelligence team. 

The initiative is “a notable expansion of the group’s data exfiltration operations that traditionally targeted gov’t agencies and think tanks in Asia and Europe,” the team tweeted on Monday. 

DEV-0147’s attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for reconnaissance and lateral movement, and the use of Cobalt Strike — a penetration testing tool — for command and control and data exfiltration, Microsoft wrote in its tweet. 

Microsoft 365 Defender detects these DEV-0147 attacks through Microsoft Defender for Identity and Defender for Endpoint. “Organizations are also strongly advised to enforce MFA,” Microsoft noted.

Chinese threat actors use ShadowPad RAT

DEV-0147 deploys ShadowPad — a RAT (remote access Trojan) — to achieve persistence. It uses QuasarLoader, a Webpack loader, to download and execute additional malware, Microsoft noted. Webpack is a module bundler for JavaScript. Several researchers have associated ShadowPad with other China-based APT actors such as APT23, APT41, Axiom, Dagger Panda, Earth Lusca, Tonto Team, and Wet Panda. 

ShadowPad, also known as PoisonPlug, is a successor to the PlugX RAT deployed by the Chinese government-sponsored Bronze Atlas threat group since at least 2017, according to a Secureworks analysis.

“Analysis of ShadowPad samples revealed clusters of activity linked to threat groups affiliated with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People’s Liberation Army (PLA),” Secureworks said. 

ShadowPad is decrypted in memory using a custom decryption algorithm. Multiple ShadowPad versions, each based on a distinct algorithm, have been identified.

The RAT extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality. 

ShadowPad payloads are deployed to a host — either encrypted within a DLL (dynamic link library) loader or a separate file alongside a DLL loader. These DLL loaders decrypt and execute ShadowPad in memory after being sideloaded by a legitimate executable that is vulnerable to DLL search order hijacking, according to Secureworks. 
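The sideloading pattern Secureworks describes above, a DLL with a Windows system library's name resolving from a legitimate executable's own directory instead of System32, is what a defender would hunt for in image-load telemetry. The following Python is an added example, not code from Microsoft, Secureworks or this article; the events and the system-DLL name set are constructed, shaped after Sysmon Event ID 7 (image loaded) fields.

```python
import ntpath

# Constructed sample image-load events (Sysmon Event ID 7 style fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    # Legitimate signed vendor binary pulling a system-named DLL from its own
    # folder: the search-order hijack pattern the article describes.
    {"Image": r"C:\Users\Public\Tools\vendorapp.exe",
     "ImageLoaded": r"C:\Users\Public\Tools\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorcore.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\Tools\vendorapp.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

# Constructed subset; in practice build this from an inventory of
# %SystemRoot%\System32 on a known-good host.
SYSTEM_DLL_NAMES = {"version.dll", "kernel32.dll", "dwmapi.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_sideload_candidate(event, system_dll_names=SYSTEM_DLL_NAMES):
    """True when a system-named DLL is loaded from the process's own
    directory rather than a Windows system directory."""
    proc_dir = ntpath.dirname(event["Image"]).lower()
    dll_path = event["ImageLoaded"].lower()
    dll_dir, dll_name = ntpath.dirname(dll_path), ntpath.basename(dll_path)
    if dll_name not in system_dll_names:
        return False          # vendor-private DLL names are out of scope
    if dll_dir in SYSTEM_DIRS:
        return False          # resolved from the expected location
    return dll_dir == proc_dir


def find_sideload_candidates(events, system_dll_names=SYSTEM_DLL_NAMES):
    """Return the events worth a closer look (unsigned ones first)."""
    hits = [e for e in events if is_sideload_candidate(e, system_dll_names)]
    return sorted(hits, key=lambda e: e["Signed"] != "false")


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"candidate: {hit['Image']} loaded {hit['ImageLoaded']} "
              f"(signed={hit['Signed']})")
```

On real telemetry, follow a hit by checking whether the flagged DLL is signed and whether it exists on clean installs of the same application; the heuristic alone cannot distinguish a hijack from a vendor that ships its own copy of a system library.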

In September last year, NCC Group observed an attack on an unnamed organization that exploited a flaw in software from WSO2 to deliver ShadowPad. WSO2 provides software tools for application development and IAM.

And earlier last year, in June, cybersecurity firm Kaspersky reported having observed a previously unknown Chinese-speaking threat actor attacking telecommunications, manufacturing, and transport organizations in several Asian countries such as Pakistan, Afghanistan, and Malaysia. During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems. 


Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.
