Hackers Deploy Shadowpad Backdoor and Target Industrial Control Systems in Asia
Russian cybersecurity firm Kaspersky uncovered an attack campaign targeting unpatched Microsoft Exchange servers in different Asian countries.
According to an advisory the company released on Monday, once the threat actors had gained initial access through the unpatched Exchange servers, they deployed the ShadowPad malware on the industrial control systems (ICS) of telecommunications companies in Pakistan and Afghanistan, and of a logistics organization and a transport organization in Malaysia.
Kaspersky said it first spotted the threat in October 2021, with the hackers exploiting the CVE-2021-26855 vulnerability in Microsoft Exchange. However, signs of the attacks on affected systems seem to date back as far as March 2021.
“During the investigation, researchers uncovered larger-scale activity by the threat actor in the network of the telecommunications company and also identified other victims of the campaign,” reads the advisory.
Throughout the attack campaign, the ShadowPad backdoor was reportedly downloaded to victim computers as the mscoree.dll file, which was, in turn, launched by a legitimate executable file named AppLaunch.exe.
The attackers would then launch ShadowPad through DLL hijacking in OleView, a legitimate OLE/COM object viewer. Once they had established an initial foothold in the system, the threat actors sent commands manually at first, then automatically.
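The loading chain described above (a legitimate signed executable such as AppLaunch.exe picking up a malicious mscoree.dll placed beside it) is a textbook DLL side-loading pattern, and the practical defender's check is whether mscoree.dll is being loaded from anywhere other than the directories where Windows ships it. The following Python snippet is an added example, not code from the advisory or the article: it scans constructed Sysmon-style ImageLoad records and flags loads of mscoree.dll from outside an assumed list of trusted directories; the record field names and the trusted-directory list are assumptions to be adapted to the local environment.

```python
"""Flag mscoree.dll loads that come from outside the directories where Windows ships it."""
import ntpath

# Assumption: where mscoree.dll legitimately lives on a stock Windows host.
# Extend this for custom .NET install layouts before deploying.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\microsoft.net\framework",
    r"c:\windows\microsoft.net\framework64",
)

TARGET_DLL = "mscoree.dll"


def is_trusted_path(image_path: str) -> bool:
    """True when the loaded image sits in (or under) a trusted directory.

    The path is normalised first so that '..' segments cannot disguise
    an untrusted location as a trusted one.
    """
    directory = ntpath.dirname(ntpath.normpath(image_path)).lower()
    return any(directory == t or directory.startswith(t + "\\") for t in TRUSTED_DIRS)


def flag_sideload(event: dict) -> bool:
    """True when this ImageLoad record shows mscoree.dll loaded from an untrusted path."""
    loaded = event["ImageLoaded"]
    if ntpath.basename(loaded).lower() != TARGET_DLL:
        return False
    return not is_trusted_path(loaded)


def scan(events):
    """Return the records that look like mscoree.dll side-loading, for triage."""
    return [e for e in events if flag_sideload(e)]


# Constructed sample records (assumed Sysmon Event ID 7 fields; not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll"},                     # benign
    {"Image": r"C:\Users\Public\AppLaunch.exe",
     "ImageLoaded": r"C:\Users\Public\mscoree.dll"},                         # side-load
    {"Image": r"C:\Users\Public\AppLaunch.exe",
     "ImageLoaded": r"C:\WINDOWS\SYSTEM32\..\..\Users\Public\MSCOREE.DLL"},  # disguised
    {"Image": r"C:\Users\Public\tool.exe",
     "ImageLoaded": r"C:\Users\Public\other.dll"},                           # out of scope
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"suspicious: {hit['Image']} loaded {hit['ImageLoaded']}")
```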
Additional tools the hackers reportedly used during these cyber-attacks include the Cobalt Strike framework, the PlugX backdoor and various BAT files. A complete list is available in the original text of the advisory.
In terms of attribution, Kaspersky said the newly identified attacks on a variety of organizations had an almost totally unique set of tactics, techniques and procedures (TTP).
“The attackers’ TTP enabled us to link these attacks to a Chinese-speaking threat actor, and we observed victims located in different regions. This means that the actor we have identified may have broader geographical interests and we could expect more victims to be discovered in different countries in the future.”
At the time of writing, however, the antivirus company said it could not be sure of the attackers' ultimate goal, though it thinks it may be data harvesting.
“We believe that it is highly likely that this threat actor will strike again and we will find new victims in different countries.”