According to researchers at SentinelOne, a Chinese-linked threat actor, tracked as Moshen Dragon, has been targeting the telecommunications sector in Central Asia with ShadowPad and PlugX malware. Both malware families are common among Chinese espionage groups. The researchers state that Moshen Dragon deployed five different malware triads that use DLL search order hijacking to sideload ShadowPad and PlugX variants. Amongst other tools, the group uses an LSA notification package and the GUNTERS passive backdoor. According to SentinelOne, in the recent attack Moshen Dragon leveraged DLL search order hijacking to sideload ShadowPad and PlugX variants. The attackers focused on hijacking programs belonging to security vendors, including Symantec, TrendMicro, BitDefender, McAfee and Kaspersky. The hijacked DLLs are used to decrypt and load the final payload, which is stored in a file residing in the same folder. Researchers discovered an overlap between Moshen Dragon and the RedFoxtrot (Nomad Panda) threat group, which has been active since 2014 and is focused on espionage and on gathering military intelligence for the Chinese government, targeting neighbouring countries.
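As an added defender-side example (not code from SentinelOne's report), the Python scan below flags the pattern the report describes: a validly signed security-vendor executable loading a DLL that sits beside it, outside a trusted install root, and is not signed by that vendor. The record format, field names, vendor list matching and sample lines are constructed for this illustration and do not mirror any real telemetry schema.

```python
"""Flag image-load records where a signed security-vendor executable loads a DLL
from its own, untrusted directory that the vendor did not sign (DLL sideloading).
Record format and sample lines are constructed for this example (not Sysmon output)."""
import re
from pathlib import PureWindowsPath

# Vendors the article names as hijacked; matched as substrings of the signer name.
VENDORS = ("symantec", "trend micro", "bitdefender", "mcafee", "kaspersky")
# Roots where a legitimately installed vendor binary is expected to live.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse(line):
    """Turn a key="value" record into a dict."""
    return dict(FIELD_RE.findall(line))

def vendor_signed(signer, status):
    """True when the signature is valid and the signer is one of the listed vendors."""
    return status == "Valid" and any(v in signer.lower() for v in VENDORS)

def suspicious(ev):
    exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    if not vendor_signed(ev.get("ProcSigner", ""), ev.get("ProcSigStatus", "")):
        return False                      # host process is not a signed vendor binary
    if exe.parent != dll.parent:          # sideloaded DLL sits next to the EXE
        return False
    if str(dll).lower().startswith(TRUSTED_ROOTS):
        return False                      # loaded from the vendor's own install root
    return not vendor_signed(ev.get("DllSigner", ""), ev.get("DllSigStatus", ""))

def scan(lines):
    """Return (Image, ImageLoaded) for every record matching the sideload pattern."""
    hits = []
    for line in lines:
        ev = parse(line)
        if suspicious(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits

# Constructed sample records (file names are placeholders, not real product files).
SAMPLE = [
    r'Image="C:\Program Files\VendorAV\scan.exe" ImageLoaded="C:\Program Files\VendorAV\helper.dll" '
    r'ProcSigner="Kaspersky Lab" ProcSigStatus="Valid" DllSigner="Kaspersky Lab" DllSigStatus="Valid"',
    r'Image="C:\Users\Public\Libraries\scan.exe" ImageLoaded="C:\Users\Public\Libraries\helper.dll" '
    r'ProcSigner="Symantec Corporation" ProcSigStatus="Valid" DllSigner="" DllSigStatus="Unsigned"',
    r'Image="C:\Users\Public\tool.exe" ImageLoaded="C:\Users\Public\lib.dll" '
    r'ProcSigner="" ProcSigStatus="Unsigned" DllSigner="" DllSigStatus="Unsigned"',
]

if __name__ == "__main__":
    for image, dll in scan(SAMPLE):
        print(f"possible sideload: {image} loaded {dll}")
```

Only the second constructed record is flagged: a Symantec-signed binary running from a user-writable folder and loading an unsigned DLL from that same folder.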
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in