
Shadowpad distributes a fresh strain of ransomware


A recent wave of cyber espionage activity has been uncovered: Chinese state-aligned threat actors are targeting organizations in 15 countries across Europe, the Middle East, and Asia. The campaign, which began in November 2023, relies on weak passwords and on bypassing multi-factor authentication (MFA) to get into networks. The sectors most affected are manufacturing, energy, finance, and education.

The attackers gain access by brute-forcing administrative credentials or bypassing certificate-based MFA on Check Point firewall VPNs. Once inside a network, they deploy an updated version of Shadowpad, a backdoor long used by Chinese advanced persistent threat (APT) groups. The new variant adds anti-analysis techniques: it reads the Process Environment Block (PEB) to check for debugger flags and measures CPU cycle counts to detect sandbox environments. It also communicates with its command-and-control (C2) servers over DNS-over-HTTPS, which makes that traffic hard to spot with standard network monitoring.
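The two network-side signals in this paragraph, a burst of failed administrative logins on the VPN and DNS-over-HTTPS use from an internal host, are both detectable from logs a defender already has. The Python below is an added example written for this article, not code from Trend Micro or from the report it summarizes; the log formats, the field names, the DoH resolver list and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Detection over constructed log samples: VPN admin brute-force and DNS-over-HTTPS use.

Added example, not from the article or Trend Micro. Log line formats are assumed
(constructed); adapt the regexes and thresholds to the real firewall/proxy export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log (assumed format: ts user= src= result=).
VPN_AUTH_LOG = """\
2023-11-14T02:00:01Z user=admin src=203.0.113.7 result=FAIL
2023-11-14T02:00:03Z user=admin src=203.0.113.7 result=FAIL
2023-11-14T02:00:04Z user=administrator src=203.0.113.7 result=FAIL
2023-11-14T02:00:06Z user=admin src=203.0.113.7 result=FAIL
2023-11-14T02:00:09Z user=admin src=203.0.113.7 result=FAIL
2023-11-14T02:00:12Z user=admin src=203.0.113.7 result=OK
2023-11-14T02:15:00Z user=jsmith src=198.51.100.20 result=FAIL
2023-11-14T02:16:00Z user=jsmith src=198.51.100.20 result=OK
"""

# Constructed web proxy log (assumed format: ts src= dst= method= path= ctype=).
# The content type is only visible when the proxy performs TLS inspection.
PROXY_LOG = """\
2023-11-14T02:30:00Z src=10.0.5.23 dst=cloudflare-dns.com method=POST path=/dns-query ctype=application/dns-message
2023-11-14T02:30:05Z src=10.0.5.23 dst=cloudflare-dns.com method=POST path=/dns-query ctype=application/dns-message
2023-11-14T02:31:00Z src=10.0.5.40 dst=example.org method=GET path=/index.html ctype=text/html
2023-11-14T02:32:00Z src=10.0.5.23 dst=203.0.113.50 method=POST path=/dns-query ctype=application/dns-message
"""

VPN_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) ctype=(?P<ctype>\S+)$"
)

ADMIN_ACCOUNTS = {"admin", "administrator", "root"}        # assumed privileged account names
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}  # illustrative, not exhaustive


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_admin_bruteforce(log_text: str, threshold: int = 4, window: timedelta = timedelta(minutes=5)):
    """Flag sources with >= threshold failed admin logins inside a sliding window.

    Returns {src: {"fail_count": n, "success_after": bool}}; success_after marks a
    later successful admin login from the same source (the worst case: the guess worked).
    """
    failures = defaultdict(list)   # src -> timestamps of failed admin logins
    successes = defaultdict(list)  # src -> timestamps of successful admin logins
    for line in log_text.splitlines():
        m = VPN_RE.match(line)
        if not m or m["user"].lower() not in ADMIN_ACCOUNTS:
            continue
        bucket = failures if m["result"] == "FAIL" else successes
        bucket[m["src"]].append(parse_ts(m["ts"]))
    alerts = {}
    for src, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                success_after = any(t >= start for t in successes.get(src, []))
                alerts[src] = {"fail_count": count, "success_after": success_after}
                break
    return alerts


def detect_doh(log_text: str):
    """Flag DoH indicators per internal source: dns-message content type, /dns-query
    path, or a known public DoH resolver as destination. A DoH POST to a host that is
    not a known resolver is the stronger signal for malware-operated C2."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        if (m["ctype"] == "application/dns-message"
                or m["path"].startswith("/dns-query")
                or m["dst"] in KNOWN_DOH_HOSTS):
            hits[m["src"]].add(m["dst"])
    return {src: {"known_resolvers": sorted(d & KNOWN_DOH_HOSTS),
                  "unknown_resolvers": sorted(d - KNOWN_DOH_HOSTS)}
            for src, d in hits.items()}


if __name__ == "__main__":
    print(detect_admin_bruteforce(VPN_AUTH_LOG))
    print(detect_doh(PROXY_LOG))
```

Without TLS inspection the proxy sees neither the path nor the content type, so the only DoH indicator left is the destination (SNI or IP) and the traffic shape; in that case a host making repeated small POSTs to an address that is not a known resolver is what to hunt for. The brute-force detector keys on admin account names because the article says administrative credentials were targeted; tune `threshold` and `window` to the VPN's normal failure rate.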

After establishing a presence on a compromised network, the attackers deploy a custom ransomware strain that encrypts files with AES-256 and protects the AES keys with RSA-2048. Encrypted files are given a .locked extension, and victims are directed to a Tor payment portal. Forensic analysis, however, has found no payments, which raises the suspicion that the encryption phase is a distraction while the attackers steal sensitive data, using tools such as CQHashDumpv2 and WmiExec to extract credentials and move laterally within the network.

Evidence links the infrastructure used in these attacks to the Chinese APT group Teleboyi, which has previously been associated with the PlugX malware; this suggests possible collaboration between the threat actors involved in the campaign. In response, researchers at Trend Micro have advised organizations to review their firewall configurations, strengthen MFA practices, and monitor for signs of Shadowpad’s registry-based payload storage. With attackers continuously enhancing their capabilities and techniques, organizations need to remain vigilant against evolving threats.
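The last piece of advice, looking for registry-based payload storage, is concrete enough to script: a payload parked in the registry shows up as an unusually large binary value, often high-entropy, sometimes with an executable header. The Python below is an added example written for this article, not Trend Micro's tooling and not specific to Shadowpad's actual key names, which the article does not give. It parses a regedit export (`.reg` format) rather than the live hive so it runs on any platform against collected evidence; the sample export, the key paths, the size threshold and the CLSID placeholder are constructed.

```python
"""Added example (not from the article or Trend Micro): scan a regedit export
('Windows Registry Editor Version 5.00' .reg format) for large binary values that
could be a stored payload. Thresholds, key paths and sample data are assumed."""
import math
import random
import re
from collections import Counter

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"=hex:.. , "Name"=hex(3):.. or @=hex:.. (the default value)
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<rest>.*)$')


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_reg_binary_values(reg_text: str):
    """Yield (key, value_name, bytes) for every hex: value, joining '\\' continuation lines."""
    key = None
    lines = reg_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            i += 1
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            i += 1
            continue
        hex_text = vm["rest"]
        # regedit wraps long values: a trailing backslash means the list continues
        while hex_text.rstrip().endswith("\\") and i + 1 < len(lines):
            hex_text = hex_text.rstrip()[:-1]
            i += 1
            hex_text += lines[i].strip()
        i += 1
        parts = [p for p in hex_text.replace(" ", "").split(",") if p]
        name = vm["name"] if vm["name"] is not None else "(Default)"
        yield key, name, bytes(int(p, 16) for p in parts)


def find_suspicious_blobs(reg_text: str, min_size: int = 4096):
    """Report binary values of at least min_size bytes with an MZ-header check and entropy."""
    findings = []
    for key, name, data in parse_reg_binary_values(reg_text):
        if len(data) < min_size:
            continue
        findings.append({"key": key, "name": name, "size": len(data),
                         "mz_header": data[:2] == b"MZ",
                         "entropy": round(shannon_entropy(data), 2)})
    return findings


def _hex_value(name: str, data: bytes, per_line: int = 16) -> str:
    """Format bytes the way regedit exports them, for the constructed sample below."""
    hexes = [f"{b:02x}" for b in data]
    chunks = [",".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line)]
    return f'"{name}"=hex:' + ",\\\n  ".join(chunks)


_rng = random.Random(7)  # deterministic pseudo-random bytes so the sample is reproducible
PAYLOAD_LIKE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(6000))  # constructed blob
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\Settings]",      # constructed key
    '"Version"="1.2.3"',
    '"Flags"=dword:00000001',
    _hex_value("Theme", bytes(range(32))),                           # small, benign value
    "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}]",  # placeholder
    _hex_value("Blob", PAYLOAD_LIKE),
    "",
])

if __name__ == "__main__":
    for f in find_suspicious_blobs(SAMPLE_REG):
        print(f)
```

A real export from regedit is UTF-16LE with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text in. Size alone produces false positives (installers and device drivers store legitimately large blobs), which is why the MZ check and the entropy score are reported alongside it: a large value with an MZ header is worth pulling for analysis immediately, and a large high-entropy value without one is consistent with an encrypted stage that a loader decrypts at run time.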

In conclusion, this ongoing cyber espionage campaign by Chinese state-aligned threat actors continues to pose a significant risk to organizations worldwide. By understanding the attackers' methods and implementing robust security measures, businesses can better protect their networks and data from unauthorized access and ransomware. Staying informed and proactive is essential in the face of these persistent and evolving threats.
