Heimdal Security Blog

Chinese Hackers Use ShadowPad Against South American Diplomatic Entities

On Monday, Microsoft attributed a China-based cyberespionage actor to a set of attacks targeting diplomatic entities in South America. Its Security Intelligence team is tracking the cluster under the emerging name DEV-0147.

ShadowPad is said to be used by the threat actor to infiltrate targets and maintain persistent access. Chinese adversarial collectives with links to the Ministry of State Security (MSS) and People’s Liberation Army (PLA) have widely used ShadowPad, also known as PoisonPlug, as a successor to the PlugX remote access trojan.

DEV-0147 also uses a webpack loader called QuasarLoader, which enables additional payloads to be deployed on compromised hosts.

The method DEV-0147 might use to gain initial access to a target environment was not disclosed. However, phishing and opportunistic targeting of unpatched applications are the most likely options.

In recent months, ShadowPad has been used by more than one China-based advanced persistent threat (APT).

NCC Group discovered details of an attack targeting an unnamed organization in September 2022 that exploited a critical vulnerability in WSO2 (CVE-2022-29464, CVSS score: 9.8) to deliver ShadowPad for intelligence gathering.

An ASEAN member foreign ministry was also attacked with ShadowPad by an unidentified threat actor exploiting a vulnerable Microsoft Exchange Server. According to THN, the activity, dubbed REF2924 by Elastic Security Labs, shares tactical associations with Winnti (aka APT41) and ChamelGang.

Although ShadowPad has been well-documented over the years, Chinese hacking groups continue to use it, which suggests that it remains an effective tool.
