Asian Government Entities Targeted with Espionage Activity

Industries: Aerospace, Defense, Education, Technology, Telecommunications | Level: Tactical | Source: Symantec

Researchers from Symantec Threat Hunter Team discovered a new wave of espionage activity targeting various government and state-owned organizations in Asian countries. Specific targets identified include the head of government/Prime Minister’s Office, government institutions linked to finance, government-owned aerospace and defense companies, state-owned telecommunication companies, state-owned IT organizations, and state-owned media companies. The threat actors are identified as those affiliated with the ShadowPad remote access trojan (RAT). The threat actor's post-compromise activity included various techniques to download additional tools, harvest credentials, and move laterally in the environment. As noted by Symantec, "A notable feature of these attacks is that the attackers leverage a wide range of legitimate software packages in order to load their malware payloads using a technique known as DLL side-loading. Ordinarily attackers used multiple software packages in a single attack. In many cases, old and outdated versions of software are used, including security software, graphics software, and web browsers. In some cases, legitimate system files from the legacy operating system Windows XP are used. The reason for the use of outdated versions is most current versions of the software have mitigation against side-loading built-in." As the threat actor's objective is based on espionage, their activity on a network can span long durations. A state-owned education institution attacked in April 2022, observed the threat actors remaining on the compromised network until July 2022. A wide range of custom tools and information stealers were deployed in the attack. Symantec assessed the threat actors to be tied to APT41 and Mustang Panda threat groups based on their objectives and attack arsenal.

‍

‍Anvilogic Scenarios:

• Malicious Executable Leads to Windows Credentials Compromise
• PsExec Activity Leads to Script Execution & New Acct or NTDSUtil

Anvilogic Use Cases:

• Remote Admin Tools
• ProcDump Credential Harvest
• NTDSUtil.exe execution

‍