Threat actors associated with the ShadowPad remote access Trojan have adopted a new toolset to support the group's campaigns. The group is targeting government and state-owned organizations across multiple Asian countries, according to Symantec, which released an advisory on the threat earlier this week. In the report, the security firm states that the attacks have likely been occurring since early 2021, and that the focus of the campaign appears to be intelligence gathering. The threat actors have previously abused legitimate software packages to load malware payloads, a technique referred to as DLL side-loading.
The attack method leveraged by ShadowPad consists of placing a malicious dynamic-link library (DLL) in a directory from which a legitimate application loads its DLLs. The attacker then runs the legitimate application, which loads and executes the previously dropped payload. Symantec stated that these attacks are often associated with multiple software packages, such as graphics software, web browsers, and outdated versions of security software. Most current versions of the abused software include mitigations against this type of attack, which is why the attackers target older versions. The group then uses Mimikatz and ProcDump to steal user credentials, and network scanning tools to identify other devices on the network that could facilitate lateral movement.
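To make the side-loading pattern concrete from a detection standpoint, the following is an added example (not code from Symantec's report or the original article) that applies two common heuristics to constructed image-load events shaped like Sysmon Event ID 7: a DLL carrying a Windows system DLL's name but loaded from outside the Windows directories, and an unsigned DLL loaded from the host executable's own folder. The event field names, file paths, executables and the baseline DLL list are assumptions, not indicators from the report.

```python
from pathlib import PureWindowsPath

# Constructed sample events modelled on Sysmon Event ID 7 (ImageLoaded) fields.
# These are not real telemetry and not indicators from the Symantec report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Browser\browser.exe",
     "ImageLoaded": r"C:\Program Files\Browser\libcef.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\Updater\updater.exe",
     "ImageLoaded": r"C:\ProgramData\Updater\dbghelp.dll", "Signed": "false"},
]

# Directories where Windows system DLLs legitimately live (lower-cased for comparison).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Assumed baseline of real Windows system DLL names commonly hijacked via search order.
# Extend this from your own software inventory; it is illustrative, not exhaustive.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "dwmapi.dll"}


def is_sideload_candidate(event):
    """Return True when an image-load event matches a DLL side-loading heuristic."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    name = loaded.name.lower()
    parent = str(loaded.parent).lower()
    in_system_dir = parent.startswith(SYSTEM_DIRS)

    # Heuristic 1: a DLL named like a system DLL but loaded from a non-system directory.
    name_collision = name in KNOWN_SYSTEM_DLLS and not in_system_dir

    # Heuristic 2: the host EXE loaded an unsigned DLL from its own directory,
    # the classic pattern of a payload dropped beside a legitimate application.
    host_dir = str(PureWindowsPath(event["Image"]).parent).lower()
    unsigned_local = (parent == host_dir and not in_system_dir
                      and event["Signed"].lower() != "true")

    return name_collision or unsigned_local


def find_sideload_candidates(events):
    """Return the ImageLoaded paths of all events worth an analyst's attention."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for path in find_sideload_candidates(SAMPLE_EVENTS):
        print("side-load candidate:", path)
```

Both heuristics produce false positives on legitimately redistributed DLLs, so the output is a triage list to enrich with file hashes and signer data rather than an alert on its own.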
Read More: ShadowPad-Associated Hackers Targeted Asian Governments