On Monday, Kaspersky’s ICS CERT researchers issued a report on Advanced Persistent Threat (APT) activity targeting organizations in Afghanistan, Pakistan, and Malaysia. The initial wave of compromises began in March 2021 and was discovered by the researchers in October 2021. The affected organizations span the manufacturing, telecommunications, and logistics and transport industries, and the campaign is likely an information-gathering operation.
Researchers positively identified CVE-2021-26855, a critical Microsoft Exchange Remote Code Execution (RCE) vulnerability published in early March 2021, as the initial attack vector for some of the affected companies. From there, the APT downloaded the ShadowPad backdoor disguised as a legitimate Dynamic-Link Library (DLL), which was then loaded by a legitimate process. In October, the attackers’ Tactics, Techniques, and Procedures (TTPs) changed, and they began leveraging DLL hijacking to maintain the backdoor. In both cases, the Windows Task Scheduler was used as the launching mechanism.
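Both launch patterns described above leave a footprint in scheduled task definitions: either a trusted loader (rundll32/regsvr32) pointed at a DLL in a writable directory, or a legitimate host executable copied outside its normal install location so that a DLL beside it is loaded first. The following is an added triage script, not code from the Kaspersky report; it parses task XML as exported by `schtasks /query /xml`, and the trusted-directory list and sample tasks are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: where properly installed binaries normally live; tune per environment.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\program files")
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

def normalize(path):
    """Strip quotes, expand the two common Windows variables, lower-case the path."""
    p = path.strip().strip('"').lower()
    return p.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")

def classify_action(command, arguments=""):
    """Return a finding for one Exec action, or None if it looks normal."""
    cmd = normalize(command)
    host = PureWindowsPath(cmd).name
    if host in DLL_LOADERS:
        # A DLL launched through a trusted loader: where does the DLL itself live?
        for token in arguments.replace(",", " ").split():
            dll = normalize(token)
            if dll.endswith(".dll") and not dll.startswith(TRUSTED_DIRS):
                return f"dll loaded via {host} from untrusted path: {dll}"
    elif not cmd.startswith(TRUSTED_DIRS):
        # A legitimate exe copied to a writable directory is the usual DLL hijacking setup.
        return f"executable outside trusted paths: {cmd}"
    return None

def triage_task(task_xml):
    """Parse one exported task definition (schtasks /query /xml) into findings."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    findings = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS)
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        label = classify_action(cmd, args)
        if label:
            findings.append((uri, label))
    return findings

# Constructed sample task definitions, not artifacts from the report.
BENIGN_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><URI>\Vendor\Maintenance</URI></RegistrationInfo>
<Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c</Arguments></Exec></Actions>
</Task>"""
SUSPECT_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><URI>\Vendor\Updater</URI></RegistrationInfo>
<Actions><Exec><Command>"C:\ProgramData\Vendor\hostapp.exe"</Command></Exec></Actions>
</Task>"""
```

Findings are leads for a closer look (hash and signature check of the host binary, listing of DLLs in its directory), not verdicts; software legitimately installed under paths such as ProgramData will also be flagged until the trusted list is tuned.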
The Kaspersky researchers report that the attackers ran several commands manually before later automating the process. Other tools were also deployed onto the infected systems, including Cobalt Strike, Mimikatz, and a version of the PlugX backdoor. Based on the TTPs observed and some of the artifacts uncovered, the research team attributes the activity to an unnamed Chinese APT.