A previously unknown threat activity cluster targeted European organizations, particularly those in the healthcare sector, to deploy PlugX and its successor, ShadowPad, with the intrusions ultimately leading to deployment of a ransomware called NailaoLocker in some cases.
The campaign, codenamed Green Nailao by Orange Cyberdefense CERT, involved the exploitation of a now-patched security flaw in Check Point network gateway security products (CVE-2024-24919, CVSS score: 7.5). The attacks were observed between June and October 2024.
“The campaign relied on DLL search-order hijacking to deploy ShadowPad and PlugX – two implants often associated with China-nexus targeted intrusions,” the company said in a technical report shared with The Hacker News.
The initial access afforded by exploitation of vulnerable Check Point instances is said to have allowed the threat actors to retrieve user credentials and to connect to the VPN using a legitimate account.
In the next stage, the attackers carried out network reconnaissance and lateral movement via remote desktop protocol (RDP) to obtain elevated privileges, followed by executing a legitimate binary (“logger.exe”) to sideload a rogue DLL (“logexts.dll”) that then serves as a loader for a new version of the ShadowPad malware.
Previous iterations of the attacks detected in August 2024 have been found to leverage similar tradecraft to deliver PlugX, which also employs DLL side-loading using a McAfee executable (“mcoemcpy.exe”) to sideload “McUtil.dll.”
Like PlugX, ShadowPad is a privately sold malware that’s exclusively used by Chinese espionage actors since at least 2015. The variant identified by Orange Cyberdefense CERT features sophisticated obfuscation and anti-debug measures, alongside establishing communication with a remote server to create persistent remote access to victim systems.
There is evidence to suggest that the threat actors attempted to exfiltrate data by accessing the file system and creating ZIP archives. The intrusions culminate with the use of Windows Management Instrumentation (WMI) to transmit three files, a legitimate executable signed by Beijing Huorong Network Technology Co., Ltd (“usysdiag.exe”), a loader named NailaoLoader (“sensapi.dll”), and NailaoLocker (“usysdiag.exe.dat”).
Once again, the DLL file is sideloaded via “usysdiag.exe” to decrypt and trigger the execution of NailaoLocker, a C++-based ransomware that encrypts files, appends them with a “.locked” extension, and drops a ransom note that demands victims to make a bitcoin payment or contact them at a Proton Mail address.
“NailaoLocker is relatively unsophisticated and poorly designed, seemingly not intended to guarantee full encryption,” researchers Marine Pichon and Alexis Bonnefoi said.
“It does not scan network shares, it does not stop services or processes that could prevent the encryption of certain important files, [and] it does not control if it is being debugged.”
Orange has attributed the activity with medium confidence to a Chinese-aligned threat actor owing to the use of the ShadowPad implant, the use of DLL side-loading techniques, and the fact that similar ransomware schemes have been attributed to another Chinese threat group dubbed Bronze Starlight.
What’s more, the use of “usysdiag.exe” to sideload next-stage payloads has been previously observed in attacks mounted by a China-linked intrusion set tracked by Sophos under the name Cluster Alpha (aka STAC1248).
While the exact goals of the espionage-cum-ransomware campaign are unclear, it’s suspected that the threat actors are looking to earn quick profits on the side.
“This could help explain the sophistication contrast between ShadowPad and NailaoLocker, with NailaoLocker sometimes even attempting to mimic ShadowPad’s loading techniques,” the researchers said. “While such campaigns can sometimes be conducted opportunistically, they often allow threat groups to gain access to information systems that can be used later to conduct other offensive operations.”
Update
In a parallel analysis published by Trend Micro, the cybersecurity company said it observed the updated Shadowpad malware being used to deploy the NailaoLocker ransomware after exploiting weak passwords and bypassing multi-factor authentication.
The threat actor is estimated to have targeted 21 companies spread across 15 different countries and five different industries, primarily manufacturing, transportation, and publishing, among others. Two of those incidents led to ransomware.
The new version of the malware incorporates improved anti-debugging techniques, encryption of the payload using the volume serial number that’s unique to the victim’s machine, and the use of DNS-over-HTTPS (DoH) to conceal network communications.
“While these features are not major enhancements of the malware itself, they show that the malware is in active development and that its developers are willing to make their malware analysis harder,” security researcher Daniel Lunghi said.
Trend Micro also attributed the campaign with low confidence to a Chinese advanced persistent threat (APT) group named Teleboyi, citing overlaps in PlugX source code and infrastructure (“dscriy.chtq[.]net”), the latter of which was linked to a long-term espionage campaign codenamed Operation Harvest.
The adversarial collective, active since at least 2015, is assessed to share tactical similarities with other Chinese cyber espionage groups like APT41, Earth Berberoka, and FamousSparrow (aka Salt Typhoon).
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Leave feedback about this