
China-Linked ‘Redfly’ Group Targeted Power Grid

Symantec warns that the Redfly APT appears to be focusing exclusively on targeting critical national infrastructure organizations.


Symantec has identified a new advanced persistent threat (APT) actor that appears to be focusing exclusively on targeting critical national infrastructure organizations.

Dubbed Redfly, the threat actor has been observed using the ShadowPad remote access trojan (RAT), a successor of Korplug/PlugX, to maintain presence on a compromised national power grid in Asia for as long as six months.

Discovered earlier this year, the attack is the latest in a series of intrusions targeting critical national infrastructure entities, employing tools and infrastructure that overlap with previous activity attributed to Chinese state-sponsored group APT41 (also tracked as Winnti, Wicked Panda, Blackfly, and Grayfly).

As part of this campaign, Symantec notes, Redfly used a distinct variant of ShadowPad, which relies on the domain websencl[.]com as its command-and-control (C&C) server.

On the infected machines, the trojan masquerades as VMware files and directories, and sets up persistence by registering a service that is launched at Windows startup.

In addition to ShadowPad, Redfly was seen deploying PackerLoader, a tool for loading and executing shellcode, and a keylogger, which was dropped under various names on different machines.


Symantec traced the attack back to February 28, when the APT executed ShadowPad on a single machine. The malware was executed again on May 17, one day after the execution of a suspicious Windows batch file and of PackerLoader.

On May 16, the attackers also modified the permissions for a driver that was later used to create dumps of the file system, and dumped credentials from the Windows registry.

Further suspicious activity was observed on May 19 and May 26, including the execution of PackerLoader and of a legitimate application that the attackers installed themselves, to side-load a malicious DLL.

Several days later, a tool was used to dump credentials from LSASS and a scheduled task was used to execute Oleview, for side-loading and lateral movement.

The attackers returned again on July 27, to install a keylogger on the compromised machine, and on August 3, when they attempted to dump credentials using ProcDump.
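The intrusion timeline above is reconstructed from host telemetry: a service binary masquerading as VMware, an unsigned DLL side-loaded by a planted legitimate application, a process reading LSASS memory, and a scheduled task starting Oleview. The script below is an added example (not part of the article or of Symantec's report) showing how the same four behaviours can be hunted in Sysmon-style endpoint events and turned into a per-host timeline with a dwell-time figure. The event records, hostnames, paths and the LSASS reader allow-list are all constructed assumptions; field names follow Sysmon event IDs 1, 7 and 10, the values are invented and are not indicators from the report.

```python
"""Hunt for the tradecraft in the Redfly timeline across Sysmon-style events.

Added example, not code from the article or from Symantec. All events below are
CONSTRUCTED: Sysmon field names (ID 1 process create, ID 7 image load,
ID 10 process access), invented values. Nothing here is an IOC.
"""
from datetime import datetime, timezone
import ntpath

# Constructed telemetry for two hosts; only grid-ws01 is "compromised".
EVENTS = [
    # Boot-time service start from a VMware-named directory (ShadowPad-style masquerade).
    {"ts": "2023-02-28T08:12:03Z", "id": 1, "host": "grid-ws01",
     "Image": r"C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\System32\services.exe"},
    # ...which then loads an unsigned DLL sitting next to it.
    {"ts": "2023-02-28T08:12:04Z", "id": 7, "host": "grid-ws01",
     "Image": r"C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe",
     "ImageLoaded": r"C:\ProgramData\VMware\VMware Tools\vmtools.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Benign control: the real VMware Tools loading its own signed DLL.
    {"ts": "2023-02-28T08:13:00Z", "id": 7, "host": "grid-ws02",
     "Image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "ImageLoaded": r"C:\Program Files\VMware\VMware Tools\vmtools.dll",
     "Signed": "true", "Signature": "VMware, Inc.", "SignatureStatus": "Valid"},
    # A dropped tool opens LSASS with full access (credential dumping).
    {"ts": "2023-05-30T14:41:19Z", "id": 10, "host": "grid-ws01",
     "SourceImage": r"C:\Users\Public\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Benign control: an allow-listed AV engine touching LSASS.
    {"ts": "2023-05-30T14:42:00Z", "id": 10, "host": "grid-ws01",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # The Task Scheduler service (svchost -s Schedule) launches Oleview from a writable path.
    {"ts": "2023-05-30T15:02:45Z", "id": 1, "host": "grid-ws01",
     "Image": r"C:\Users\Public\oleview.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
]

# Assumptions: where VMware legitimately installs, and which processes may read LSASS.
VMWARE_DIRS = (r"c:\program files\vmware", r"c:\program files (x86)\vmware",
               r"c:\programdata\vmware")
WINDOWS_DIR = r"c:\windows"
LSASS_READERS_ALLOWED = {r"c:\program files\windows defender\msmpeng.exe"}
PROCESS_VM_READ = 0x10  # access right required to read another process's memory


def rule_vmware_masquerade(ev):
    """ID 7: a module under a VMware directory that VMware did not sign."""
    if ev["id"] != 7 or not ev["ImageLoaded"].lower().startswith(VMWARE_DIRS):
        return None
    if ev.get("Signed") == "true" and "vmware" in ev.get("Signature", "").lower():
        return None
    return f"non-VMware code in VMware path: {ev['ImageLoaded']}"


def rule_sideload(ev):
    """ID 7: unsigned DLL loaded from the host EXE's own directory, outside C:\\Windows."""
    if ev["id"] != 7 or ev.get("Signed") == "true":
        return None
    host_dir = ntpath.dirname(ev["Image"].lower())
    dll_dir = ntpath.dirname(ev["ImageLoaded"].lower())
    if host_dir == dll_dir and not host_dir.startswith(WINDOWS_DIR) \
            and ev["ImageLoaded"].lower().endswith(".dll"):
        return (f"possible DLL side-load: {ntpath.basename(ev['Image'])} "
                f"loaded {ntpath.basename(ev['ImageLoaded'])}")
    return None


def rule_lsass_read(ev):
    """ID 10: a handle to lsass.exe with PROCESS_VM_READ from a non-allow-listed process."""
    if ev["id"] != 10 or not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    if ev["SourceImage"].lower() in LSASS_READERS_ALLOWED:
        return None
    if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
        return f"LSASS memory read by {ev['SourceImage']} (access {ev['GrantedAccess']})"
    return None


def rule_task_launched_oleview(ev):
    """ID 1: oleview.exe started by the Task Scheduler service."""
    if ev["id"] != 1 or not ev["Image"].lower().endswith(r"\oleview.exe"):
        return None
    if "schedule" in ev.get("ParentCommandLine", "").lower():
        return f"scheduled task launched {ev['Image']}"
    return None


RULES = [rule_vmware_masquerade, rule_sideload, rule_lsass_read, rule_task_launched_oleview]


def analyze(events):
    """Return findings as (timestamp, host, rule name, detail), sorted by time."""
    findings = []
    for ev in events:
        when = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((when, ev["host"], rule.__name__, detail))
    return sorted(findings)


def dwell_days(findings, host):
    """Days between the first and last finding on a host (the 'how long were they in' figure)."""
    times = [f[0] for f in findings if f[1] == host]
    return (max(times) - min(times)).days if times else 0


if __name__ == "__main__":
    results = analyze(EVENTS)
    for when, host, rule, detail in results:
        print(f"{when:%Y-%m-%d %H:%M} {host:10} {rule:26} {detail}")
    print("dwell on grid-ws01:", dwell_days(results, "grid-ws01"), "days")
```

On the constructed input the four rules fire only on grid-ws01 and the timeline spans 91 days; the signed VMware load and the allow-listed LSASS reader on the control events produce nothing. The side-load rule deliberately ignores signing of the host process, because Sysmon ID 7 only reports the signature of the loaded module; on a real estate the allow-list and directory assumptions would need to be tuned to the site's own software inventory.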

Responding to a SecurityWeek inquiry on the motives behind this campaign, Symantec principal intelligence analyst Dick O’Brien said that espionage is the most evident.

“There are multiple possible motives. Our best guess would be intelligence gathering related to the targets, energy usage or acquisition and retention of a disruptive capability should it be required in the future,” he said.

Redfly, Symantec says, does not appear to be engaging in disruptive activity, but the company does not rule that possibility out.

“Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in other states during times of increased political tension,” the company notes.


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
