Threat hunters at Kaspersky have uncovered a series of attacks that targeted organizations across telecoms, transportation, and industrial sectors with the ShadowPad backdoor.
The campaign hit the manufacturing and telecoms industries in Afghanistan and Pakistan, and a logistics and transport organization (a port) in Malaysia.
Kaspersky initially identified the ShadowPad backdoor on industrial control systems (ICS) at a telecoms company in Pakistan, where the attackers targeted engineering computers in building automation systems. The investigation uncovered wide activity on the network, along with additional victim organizations in Pakistan, Afghanistan and Malaysia.
The attack stood out because it’s not common for threat actors to target building automation systems and use them as the point of infiltration. From these devices the attackers can move to more valuable systems.
“Building automation systems are rare targets for advanced threat actors,” said Kirill Kruglov, security expert at Kaspersky ICS CERT. “However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures.”
Learn More About Protecting Smart Buildings at SecurityWeek’s 2022 ICS Cybersecurity Conference
Between March and October 2021, the ShadowPad backdoor was deployed on the victim networks along with tools such as the Cobalt Strike framework, Mimikatz, the PlugX backdoor, credential stealers, web shells, and the Nextnet network scanning utility.
According to Kaspersky, the unique set of tactics, techniques, and procedures (TTPs) used in these attacks suggest that a single Chinese-speaking threat actor was likely behind them. The purpose of the campaign appears to be data harvesting, but the security researchers are not certain.
An exploit for a vulnerability in Microsoft Exchange (CVE-2021-26855) was leveraged for initial access in at least some of the attacks. Multiple threat actors started exploiting the vulnerability immediately after it was reported publicly in March 2021.
On the compromised systems, the ShadowPad backdoor was deployed as mscoree.dll and was executed by the legitimate application AppLaunch.exe, which was placed in the same folder with ShadowPad. The attackers created a scheduled task to run AppLaunch.exe.
In October 2021, the attacker switched to a new version of the malware and a new execution scheme, relying on DLL hijacking instead. Kaspersky’s researchers identified a total of 25 unique modifications.
On some computers within the target organizations, the researchers also identified commands that had been executed remotely via the command line interface. Initially, the attackers executed the commands manually, but then switched to deploying scripts that contained the same sequence of commands.
The attackers used these commands to collect information about the users on the compromised machines, collect network connection details, copy files from the desktop to the Recycle Bin folder, check available internet services, mount a network drive, save a registry key containing NTLM hashes to disk, launch Mimikaz, archive harvested files, and to scan hosts on the network.
The threat actor stole domain authentication credentials from at least one account at each of the targeted organizations, and used these credentials to move laterally on the network. Kaspersky also discovered that the attackers used command and control (C&C) domains hosted on rented dedicated Choopa servers.
“We believe with a high degree of confidence that a Chinese-speaking threat actor is behind the activity described in this report. There are some minor references to HAFNUIM, a Chinese-speaking threat actor, but they are not sufficient to speak of HAFNUM’s involvement […] with a high degree of confidence,” Kaspersky notes.
Related: Chinese APT ‘Bronze Starlight’ Uses Ransomware to Disguise Cyberespionage
Related: Chinese Hackers Abuse Cybersecurity Products for Malware Execution
Related: Chinese Hackers Target Hong Kong Universities With New Backdoor Variant