Researchers have identified a new cluster of malicious cyber activity tracked as Moshen Dragon, targeting telecommunication service providers in Central Asia.
While this new threat group has some overlaps with “RedFoxtrot” and “Nomad Panda,” including the use of ShadowPad and PlugX malware variants, there are enough differences in their activity to follow them separately.
According to a new report by Sentinel Labs, Moshen Dragon is a skilled hacking group with the ability to adjust its approach depending on the defenses they’re facing.
The hackers engage extensively in trying to sideload malicious Windows DLLs into antivirus products, steal credentials to move laterally, and eventually exfiltrate data from infected machines.
Attack details
At this time, the infection vector is unknown, so Sentinel Lab’s report begins with the antivirus abuse, which includes products from TrendMicro, Bitdefender, McAfee, Symantec, and Kaspersky.
Because these AV products run with high privileges on Windows OS, side-loading a malicious DLL on their process enables the hackers to run code on the machine with few restrictions and potentially evade detection.
Moshen Dragon uses this method to deploy Impacket, a Python kit made to facilitate lateral movement and remote code execution via Windows Management Instrumentation (WMI).
Impacket also helps with credential-stealing, incorporating an open-source tool that captures the details of password change evens on a domain and writes them to the “C:WindowsTempFilter.log” file.
Having access to neighboring systems, the threat group drops a passive loader on them that confirms it’s on the right machine before activating by comparing the hostname to a hardcoded value.
As Sentinel Labs suggests, this is an indication that the threat actor generates a unique DLL for each of the machines it targets, another indication of their sophistication and diligence.
The loader utilizes the WinDivert packet sniffer to intercept incoming traffic until it gets the string required for self-decryption and then unpacks and launches the payload (SNAC.log or bdch.tmp).
According to Sentinel Labs, the payloads include variants of PlugX and ShadowPad, two backdoors that multiple Chinese APTs have used in recent years. The final goal of the threat actor is to exfiltrate data from as many systems as possible.
Loader seen in US govt systems too
An interesting finding is that the loader analyzed by Sentinel Labs this time has been spotted again by Avast researchers in December 2021, who discovered it in a US government system.
This could mean that Moshen Dragon has multiple targets or shifted its focus, or simply that multiple Chinese APTs use the particular loader.
Considering that these groups share many similarities in the final payloads they deploy on the target systems, it wouldn’t be surprising if they used the same or similar loaders too.
Source: www.bleepingcomputer.com