An unknown threat actor compromised an app used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor commonly associated with Chinese hacking crews.
Targets include Pakistan government entities, public sector banks and telecommunications providers, according to Trend Micro. Infection occurred between mid-February 2022 and September 2022.
The cybersecurity firm said the incident could be the result of a supply chain attack, in which legitimate software used by a target of interest is trojanized to deploy malware capable of gathering sensitive information from compromised systems.
The attack chain takes the form of a malicious installer for E-Office (Electronic Office), an app developed by Pakistan's National Information Technology Board (NITB) to help government departments reduce paper usage.
It is currently unclear how the backdoored E-Office installer is delivered to targets. That said, there is no evidence to date that the Pakistani government agency's build environment has been compromised.
This raises the likelihood that the threat actors obtained legitimate installers, tampered with them to include the malware, and then lured victims into running the trojanized versions via social engineering.
“Three files are added to the legitimate MSI installer: Telerik.Windows.Data.Validation.dll, mscoree.dll, and mscoree.dll.dat,” Trend Micro researcher Daniel Lunghi said in a new analysis published today.
Telerik.Windows.Data.Validation.dll is actually a valid, Microsoft-signed copy of applaunch.exe that has been renamed. The executable is vulnerable to DLL side-loading and is used to load the attacker's mscoree.dll from the same directory, which in turn loads mscoree.dll.dat, the ShadowPad payload. The rename matters for defenders: a file with a .dll name that is really a signed EXE will pass signature checks while giving the attacker a trusted host process.
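The side-loading chain above gives a simple triage check a practitioner can run over an unpacked installer: a file named as a DLL whose PE header says it is an executable is a renamed side-load host, and a system-resident DLL such as mscoree.dll shipped inside an application package is a planted side-load DLL. The script below is an added example written for this page, not Trend Micro's tooling or the E-Office project's code; the only facts it takes from the report are the three filenames, and the package it scans is a constructed in-memory sample with minimal PE headers rather than real installer contents.

```python
import struct
from pathlib import Path

IMAGE_FILE_DLL = 0x2000  # PE FileHeader.Characteristics flag set on real DLLs

# Filenames Trend Micro reports were added to the legitimate E-Office MSI.
REPORTED_ADDED_FILES = {
    "telerik.windows.data.validation.dll",
    "mscoree.dll",
    "mscoree.dll.dat",
}

# DLLs that Windows normally resolves from System32; a copy inside an
# application directory is a classic side-loading plant. (Assumed list.)
SYSTEM_RESIDENT_DLLS = {"mscoree.dll"}


def pe_is_dll(data: bytes):
    """Return True for a PE marked DLL, False for a PE marked EXE, None if not a PE.

    Only the DOS header (e_lfanew at 0x3C) and the COFF FileHeader are parsed:
    Characteristics sits 22 bytes after the 'PE\\0\\0' signature.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def assess_package(files):
    """files: {filename: leading bytes}. Returns a list of (filename, reason)."""
    findings = []
    for name, data in files.items():
        lname = name.lower()
        kind = pe_is_dll(data)
        if lname.endswith(".dll") and kind is False:
            findings.append((name, "named as a DLL but the PE header marks it an EXE "
                                   "(renamed executable, side-load host)"))
        if lname in SYSTEM_RESIDENT_DLLS:
            findings.append((name, "system-resident DLL shipped inside the package "
                                   "(side-load DLL plant)"))
        if lname in REPORTED_ADDED_FILES:
            findings.append((name, "filename matches a file reported as added "
                                   "to the trojanized E-Office installer"))
    return findings


def scan_directory(root):
    """Read the first 4 KiB of every file under root and assess it (real-disk use)."""
    files = {p.name: p.read_bytes()[:4096] for p in Path(root).rglob("*") if p.is_file()}
    return assess_package(files)


def make_minimal_pe(is_dll: bool) -> bytes:
    """Constructed sample: DOS header pointing at a bare COFF header, enough for pe_is_dll."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)          # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    return dos + coff


# Constructed stand-in for an unpacked installer: one clean app EXE, one clean
# third-party DLL, and the three files from the report (the "DLL" is an EXE).
SAMPLE_PACKAGE = {
    "EOffice.exe": make_minimal_pe(is_dll=False),
    "Newtonsoft.Json.dll": make_minimal_pe(is_dll=True),
    "Telerik.Windows.Data.Validation.dll": make_minimal_pe(is_dll=False),
    "mscoree.dll": make_minimal_pe(is_dll=True),
    "mscoree.dll.dat": bytes([0x8A, 0x13, 0x7F, 0xC4]) * 32,   # opaque encrypted blob
}

if __name__ == "__main__":
    for name, reason in assess_package(SAMPLE_PACKAGE):
        print(f"[!] {name}: {reason}")
```

The EXE-named-as-DLL check is the one worth keeping in a build pipeline: it needs no IOC list, it survives the attacker renaming the payload files, and it catches the core trick here, a signed Microsoft executable presented under a DLL name so that the app's own directory becomes its search path for mscoree.dll.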
Trend Micro says the obfuscation technique used to hide the DLLs and decrypt the final-stage payload is an evolution of an approach Positive Technologies exposed in January 2021 in connection with a Chinese cyber espionage campaign attributed to the Winnti group (aka APT41).
In addition to ShadowPad, post-exploitation activity involves the use of Mimikatz to dump passwords and credentials from memory.
Attribution to a known threat actor has been hampered by a lack of evidence, although the cybersecurity firm says it found samples of other malware on the compromised systems, including Deed RAT, which has been linked to the threat actor Space Pirates (aka Webworm).
“This entire campaign was the result of a very capable threat actor who managed to take and modify a government application installer to compromise at least three sensitive targets,” said Lunghi.
“The fact that the threat actor has access to the latest version of ShadowPad has the potential to link it to the Chinese threat actor network, although we cannot pinpoint any specific group with confidence.”