A group of threat actors formerly linked to the ShadowPad remote access Trojan (RAT) has switched to a new toolkit, which it is using to conduct operations against governments and state-owned companies across several Asian countries.

The news comes from Symantec's Threat Hunter Team, which recently published an advisory describing the activity.

According to the advisory, the attacks began in early 2021 and appear to be motivated by intelligence gathering.

The threat actors are said to have loaded their malware payloads through a technique known as DLL side-loading, using a variety of legitimate applications as the vehicle for the attacks.

In this technique the attacker places a malicious dynamic link library (DLL) in a directory where a legitimate DLL is expected to be found. When the legitimate application is started, the Windows loader resolves the DLL name from the application's own directory before looking in the system directories, so the attacker's payload is loaded and executed inside a trusted, often signed, process.

The Attacks

In these attacks, according to Symantec, the threat actors often used several legitimate programs in a single intrusion. These included outdated versions of security software, graphics software and web browsers, as well as legitimate Windows XP operating system files.

The security researchers explained: “The reason for using obsolete versions is that most recent variations of the software package utilized would have mitigation against side-loading built-in.”

According to Symantec, once backdoor access was established, the attackers used Mimikatz and ProcDump to obtain credentials. They then used a variety of network scanning tools to find additional systems for lateral movement.

The attackers also used living-off-the-land tools such as Ntdsutil to mount snapshots of Active Directory servers in order to gain access to Active Directory databases and log files. The advisory states that DNS zone information was also enumerated using the Dnscmd command-line utility.
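As an added illustration of the techniques described above (this is example code written for this article, not code from Symantec's advisory), the following Python script runs simple detection logic over a few constructed Sysmon-style log lines. It flags an image-load event in which a DLL with a well-known system DLL name is loaded from the application's own directory without a Microsoft signature (the side-loading pattern from the earlier section), and process-creation events in which ProcDump targets lsass, Ntdsutil creates a snapshot, or Dnscmd enumerates zones. The log format, the field names, the list of DLL names and the sample events are all assumptions made for the example.

```python
import ntpath
from typing import Optional

# DLL names that normally live in System32 and are common side-loading targets.
# Assumed, deliberately short list for this example; extend it from real telemetry.
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "wtsapi32.dll", "userenv.dll", "cryptbase.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Living-off-the-land binaries named in the advisory, with command-line markers
# that indicate credential dumping or directory data access (assumed markers).
LOLBIN_RULES = [
    ("procdump.exe", ("lsass",), "credential dump of lsass via ProcDump"),
    ("ntdsutil.exe", ("snapshot", "ifm"), "Active Directory snapshot via Ntdsutil"),
    ("dnscmd.exe", ("/enumzones", "/zoneexport", "/enumrecords"), "DNS zone enumeration via Dnscmd"),
    ("mimikatz.exe", (), "Mimikatz execution"),
]


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' line into a dict with lower-cased keys."""
    event = {}
    for field in line.strip().split("|"):
        if "=" not in field:
            continue
        key, value = field.split("=", 1)
        event[key.strip().lower()] = value.strip()
    return event


def detect_sideload(event: dict) -> Optional[str]:
    """Sysmon event 7 (ImageLoad): system-named DLL loaded from the app directory, not Microsoft-signed."""
    if event.get("eventid") != "7":
        return None
    image = event.get("image", "").lower()
    loaded = event.get("imageloaded", "").lower()
    if not image or not loaded:
        return None
    if ntpath.basename(loaded) not in SYSTEM_DLLS:
        return None
    if ntpath.dirname(loaded).startswith(SYSTEM_DIRS):
        return None  # the genuine copy in a system directory
    if ntpath.dirname(loaded) != ntpath.dirname(image):
        return None  # not the application-directory search-order case
    microsoft_signed = (event.get("signed", "").lower() == "true"
                        and event.get("signature", "").lower() == "microsoft windows")
    if microsoft_signed:
        return None
    return f"possible DLL side-loading: {ntpath.basename(image)} loaded {loaded}"


def detect_lolbin(event: dict) -> Optional[str]:
    """Sysmon event 1 (ProcessCreate): credential or directory access via known tools."""
    if event.get("eventid") != "1":
        return None
    name = ntpath.basename(event.get("image", "").lower())
    cmd = event.get("commandline", "").lower()
    for binary, markers, description in LOLBIN_RULES:
        if name == binary and (not markers or any(m in cmd for m in markers)):
            return description
    return None


def scan(lines) -> list:
    """Return (computer, image, finding) for every line that trips a detector."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for detector in (detect_sideload, detect_lolbin):
            hit = detector(ev)
            if hit:
                alerts.append((ev.get("computer", "?"), ev.get("image", ""), hit))
    return alerts


# Constructed sample events (not real telemetry) exercising both detectors.
SAMPLE_LOG = [
    # benign: the Microsoft-signed version.dll loaded from System32
    r"EventID=7|Computer=WS01|Image=C:\Program Files\Browser\browser.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|Signature=Microsoft Windows",
    # side-loaded: unsigned version.dll placed next to an old browser binary in a user-writable path
    r"EventID=7|Computer=WS01|Image=C:\Users\Public\oldbrowser\browser.exe|ImageLoaded=C:\Users\Public\oldbrowser\version.dll|Signed=false|Signature=",
    # the same binary loading its own non-system DLL: not flagged
    r"EventID=7|Computer=WS01|Image=C:\Users\Public\oldbrowser\browser.exe|ImageLoaded=C:\Users\Public\oldbrowser\browserui.dll|Signed=false|Signature=",
    r"EventID=1|Computer=DC01|Image=C:\Tools\procdump.exe|CommandLine=procdump.exe -ma lsass.exe out.dmp",
    r"EventID=1|Computer=DC01|Image=C:\Windows\System32\ntdsutil.exe|CommandLine=ntdsutil snapshot 'activate instance ntds' create quit quit",
    r"EventID=1|Computer=DC01|Image=C:\Windows\System32\dnscmd.exe|CommandLine=dnscmd /enumzones",
    # benign administrative use of ntdsutil without a snapshot: not flagged
    r"EventID=1|Computer=DC01|Image=C:\Windows\System32\ntdsutil.exe|CommandLine=ntdsutil help",
]

if __name__ == "__main__":
    for computer, image, finding in scan(SAMPLE_LOG):
        print(f"{computer}: {finding} ({image})")
```

The side-loading rule is deliberately narrow: it only fires when a DLL that should come from System32 is resolved from the application's directory and lacks a Microsoft signature, which keeps legitimately redistributed runtimes out of the alert stream. In production you would additionally weigh the parent process, whether the application directory is user-writable, and whether the loading executable is an old, known-vulnerable version of a signed product.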

To help defenders protect their systems against these attacks, Symantec included indicators of compromise in the advisory; they can be found in its original text.

This is not the only recent campaign focused on Asia. In June, cybersecurity company Kaspersky discovered an attack campaign targeting unpatched Microsoft Exchange servers in several Asian countries.
