Cyberthreat group DEV-0147 is deploying the ShadowPad RAT to hit diplomatic targets in South America, expanding from its traditional attack turf in Asia and Europe, Microsoft says.

China-based cyberespionage actor DEV-0147 has been observed compromising diplomatic targets in South America, according to Microsoft’s Security Intelligence team. The initiative is “a notable expansion of the group’s data exfiltration operations that traditionally targeted gov’t agencies and think tanks in Asia and Europe,” the team tweeted on Monday.

DEV-0147’s attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for reconnaissance and lateral movement, and the use of Cobalt Strike — a penetration testing tool — for command and control and data exfiltration, Microsoft wrote in its tweet.

Microsoft 365 Defender detects these DEV-0147 attacks through Microsoft Defender for Identity and Defender for Endpoint. “Organizations are also strongly advised to enforce MFA,” Microsoft noted.

Chinese threat actors use ShadowPad RAT

DEV-0147 deploys ShadowPad — a RAT (remote access Trojan) — to achieve persistence. It uses QuasarLoader, a Webpack loader, to download and execute additional malware, Microsoft noted. Webpack is a module bundler for JavaScript.

Several researchers have associated ShadowPad with other China-based APT actors such as APT23, APT41, Axiom, Dagger Panda, Earth Lusca, Tonto Team, and Wet Panda.

ShadowPad, also known as PoisonPlug, is a successor to the PlugX RAT deployed by the Chinese government-sponsored Bronze Atlas threat group since at least 2017, according to a Secureworks analysis. “Analysis of ShadowPad samples revealed clusters of activity linked to threat groups affiliated with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People’s Liberation Army (PLA),” Secureworks said.
ShadowPad is decrypted in memory using a custom decryption algorithm; multiple ShadowPad versions based on distinct algorithms have been identified. The RAT extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend its functionality.

ShadowPad payloads are deployed to a host either encrypted within a DLL (dynamic link library) loader or as a separate file alongside a DLL loader. These DLL loaders decrypt and execute ShadowPad in memory after being sideloaded by a legitimate executable that is vulnerable to DLL search order hijacking, according to Secureworks.

In September last year, NCC Group observed an attack on an unnamed organization that took advantage of a flaw in software from WSO2 to deliver ShadowPad. WSO2 provides software tools for application development and IAM (identity and access management).

Earlier last year, in June, cybersecurity firm Kaspersky reported having observed a previously unknown Chinese-speaking threat actor attacking telecommunications, manufacturing, and transport organizations in several Asian countries, including Pakistan, Afghanistan, and Malaysia. During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems.
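The sideloading pattern described above (a legitimate, signed executable resolving a DLL from its own directory instead of the Windows system directory) can be surfaced from endpoint image-load telemetry. The following is an added example, not code from the article, Microsoft, Secureworks or any other vendor; it assumes Sysmon Event ID 7 field names, a hypothetical ProcessSignature field carrying the hosting executable's signer (joined in from the process-creation event), and runs over constructed sample records.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Directories from which a Windows DLL is expected to resolve under the normal search order.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def sideload_reason(event: dict) -> Optional[str]:
    """Return why an image-load record looks like DLL sideloading, or None if benign.
    Fields follow Sysmon Event ID 7 (ImageLoaded); 'ProcessSignature' is an assumed
    field carrying the hosting executable's signer, joined in from Event ID 1."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = str(dll.parent).lower() + "\\"
    # Resolved from a system directory: the search order was not hijacked.
    if dll_dir.startswith(SYSTEM_DIRS):
        return None
    # Sideloading means the DLL was picked up from the executable's own folder.
    if str(dll.parent).lower() != str(exe.parent).lower():
        return None
    # Only a signed (legitimate) host fits this pattern; an unsigned host is a different detection.
    host_signer = event.get("ProcessSignature") or ""
    if not host_signer:
        return None
    dll_signed = (event.get("Signed", "false").lower() == "true"
                  and event.get("SignatureStatus") == "Valid")
    if not dll_signed:
        return f"unsigned {dll.name} loaded from {exe.parent} by signed {exe.name}"
    if event.get("Signature") == host_signer:
        return None  # vendor ships its own helper DLL beside the executable: expected layout
    return f"{dll.name} signed by '{event.get('Signature')}' but {exe.name} by '{host_signer}'"

# Constructed sample records (not real telemetry): benign system load, hijack candidate, vendor helper.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\VendorA\tool.exe", "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid", "ProcessSignature": "Vendor A Inc"},
    {"Image": r"C:\Users\Public\tool.exe", "ImageLoaded": r"C:\Users\Public\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable", "ProcessSignature": "Vendor A Inc"},
    {"Image": r"C:\Program Files\VendorA\tool.exe", "ImageLoaded": r"C:\Program Files\VendorA\helper.dll",
     "Signed": "true", "Signature": "Vendor A Inc", "SignatureStatus": "Valid", "ProcessSignature": "Vendor A Inc"},
]

def scan(events) -> list:
    """Return (dll name, reason) for every record matching the sideloading heuristic."""
    return [(PureWindowsPath(e["ImageLoaded"]).name, r) for e in events if (r := sideload_reason(e))]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE_EVENTS):
        print(f"[sideload] {name}: {reason}")
```

Only the second record is flagged; a DLL that the vendor signs and ships beside its own executable is deliberately left alone so the rule does not fire on every side-by-side application layout.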