Chinese cyber-espionage group Moshen Dragon targets Asian telcos


Researchers have identified a new cluster of malicious cyber activity tracked as Moshen Dragon, targeting telecommunication service providers in Central Asia.

Even though this new threat group has some overlaps with “RedFoxtrot” and “Nomad Panda,” including the use of ShadowPad and PlugX malware variants, there are enough differences in their activity to track them separately.

According to a new report by Sentinel Labs, Moshen Dragon is a capable hacking group with the ability to adjust its approach depending on the defenses it is facing.

The hackers engage extensively in trying to sideload malicious Windows DLLs into antivirus products, steal credentials to move laterally, and eventually exfiltrate data from infected machines.

Moshen Dragon’s overall operation chain (Sentinel Labs)

Attack details

At this time, the infection vector is unknown, so Sentinel Labs’ report begins with the antivirus abuse, which includes products from TrendMicro, Bitdefender, McAfee, Symantec, and Kaspersky.

Because these AV products run with high privileges on Windows OS, side-loading a malicious DLL into their process allows the hackers to run code on the machine with few restrictions and potentially evade detection.

Moshen Dragon uses this method to deploy Impacket, a Python toolkit designed to aid lateral movement and remote code execution via Windows Management Instrumentation (WMI).

Impacket’s lateral movement features (Sentinel Labs)

Impacket also helps with credential theft, incorporating an open-source tool that captures the details of password change events on a domain and writes them to the “C:\Windows\Temp\Filter.log” file.

Password filter used for stealing credentials (Sentinel Labs)

Having gained access to neighboring systems, the threat group drops a passive loader on them that confirms it is on the right machine before activating by comparing the hostname to a hardcoded value.

As Sentinel Labs suggests, this is an indication that the threat actor generates a unique DLL for each of the machines it targets, another sign of their sophistication and diligence.

The loader uses the WinDivert packet sniffer to intercept incoming traffic until it receives the string required for self-decryption, and then unpacks and launches the payload (SNAC.log or bdch.tmp).

Loader’s exported functions (Sentinel Labs)

According to Sentinel Labs, the payloads include variants of PlugX and ShadowPad, two backdoors that multiple Chinese APTs have used in recent years. The final goal of the threat actor is to exfiltrate data from as many systems as possible.
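
The following added example, which is not from Sentinel Labs or the original article, shows how a defender could flag the behaviours described above in Sysmon-style records: an unsigned DLL loaded from the same directory as a security-vendor executable, the Filter.log password filter output, and the payload file names. The dict record layout, the vendor substrings matched against the Company field, and the sample events are assumptions constructed for illustration.

```python
import ntpath  # Windows path handling that works on any OS

# Assumed Company-field substrings for the vendors the article names.
AV_VENDORS = ("trend micro", "bitdefender", "mcafee", "symantec", "kaspersky")
FILTER_LOG = r"c:\windows\temp\filter.log"   # path from the article
PAYLOAD_NAMES = {"snac.log", "bdch.tmp"}     # payload names from the article

def detect(events):
    """Return (reason, path) hits from Sysmon-style dict records (assumed layout)."""
    av_procs, hits = {}, []   # av_procs: ProcessGuid -> directory of AV executable
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:    # process creation: remember security-vendor processes
            if any(v in ev.get("Company", "").lower() for v in AV_VENDORS):
                av_procs[ev["ProcessGuid"]] = ntpath.dirname(ev["Image"]).lower()
        elif eid == 7:  # image load: unsigned DLL beside the AV executable
            exe_dir = av_procs.get(ev["ProcessGuid"])
            dll = ev["ImageLoaded"]
            if (exe_dir is not None and ev.get("Signed") != "true"
                    and ntpath.dirname(dll).lower() == exe_dir):
                hits.append(("unsigned DLL beside AV binary", dll))
        elif eid == 11:  # file creation: artefacts the article names
            target = ev["TargetFilename"]
            if target.lower() == FILTER_LOG:
                hits.append(("password filter log written", target))
            elif ntpath.basename(target).lower() in PAYLOAD_NAMES:
                hits.append(("payload file name (weak signal alone)", target))
    return hits

# Constructed sample records, not real telemetry; paths and GUIDs are made up.
SAMPLE = [
    {"EventID": 1, "ProcessGuid": "{A}", "Company": "Symantec Corporation",
     "Image": r"C:\ProgramData\upd\avhost.exe"},
    {"EventID": 7, "ProcessGuid": "{A}", "Signed": "false",
     "ImageLoaded": r"C:\ProgramData\upd\helper.dll"},
    {"EventID": 7, "ProcessGuid": "{A}", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ProcessGuid": "{B}", "Company": "Example Corp",
     "Image": r"C:\Tools\app.exe"},
    {"EventID": 7, "ProcessGuid": "{B}", "Signed": "false",
     "ImageLoaded": r"C:\Tools\plugin.dll"},
    {"EventID": 11, "ProcessGuid": "{C}", "TargetFilename": r"C:\Windows\Temp\Filter.log"},
    {"EventID": 11, "ProcessGuid": "{A}", "TargetFilename": r"C:\ProgramData\upd\SNAC.log"},
]

if __name__ == "__main__":
    for reason, path in detect(SAMPLE):
        print(f"{reason}: {path}")
```

A file name such as SNAC.log can also occur on hosts running the legitimate product, so that hit is best treated as corroboration for the image-load finding rather than as an alert on its own.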

Loader seen in US govt systems too

An interesting finding is that the loader analyzed by Sentinel Labs this time was also spotted by Avast researchers in December 2021, who discovered it in a US government system.

This could mean that Moshen Dragon has multiple targets or shifted its focus, or simply that multiple Chinese APTs use the particular loader.

Considering that these groups share many similarities in the final payloads they deploy on the target systems, it would not be surprising if they used the same or similar loaders too.