According to researchers at SentinelOne, a Chinese linked threat actor, tracked as Moshen Dragon, has been targeting the telecommunications sector in Central Asia with ShadowPad and PlugX malware. These two types of malware are common among Chinese espionage groups. The researchers state that Moshen Dragon deployed five different malware triads to use DLL search order hijacking to sideload ShadowPad and PlugX variants. Amongst other tools, the group uses an LSA notification package and the GUNTERS passive backdoor. According to SentinelOne, in the recent attack, Moshen Dragon leveraged to sideload ShadowPad and PlugX variants. The attackers focused on the hijacking of programs belonging to security vendors, including Symantec, TrendMicro, BitDefender, McAfee and Kaspersky. The hijacked DLL are used to decrypt and load the final payload, stored in a file residing in the same folder. Researchers discovered an overlap between Moshen Dragon and the RedFoxTrot (Moad Panda) threat group, which has been active since 2014 and focused on espionage along with gathering military intelligence for the Chinese Government targeting surrounding countries.
Analyst Notes
Once the threat group has established a foothold in an organization, they proceed with lateral movement by leveraging Impacket within the network, placing a passive backdoor into the victim environment, harvesting as many credentials as possible to ensure unlimited access, and focusing on data exfiltration. The analysis of this attack has led to the discovery of several payloads, all of which have been uploaded to VirusTotal.
https://securityaffairs.co/wordpress/130851/apt/moshen-dragon-targets-telcos.html
