Hackers Deploy Shadowpad Backdoor and Target Industrial Control Systems in Asia

Russian cybersecurity firm Kaspersky uncovered an attack campaign targeting unpatched Microsoft Exchange servers in different Asian countries.

According to an advisory released by the company on Monday, once they gained initial access via the above vulnerabilities, the threat actors deployed the ShadowPad malware on the industrial control systems (ICS) of telecommunications companies in Pakistan and Afghanistan and a logistics and a transport organization in Malaysia.

Kaspersky said it first spotted the threat in October 2021, with the hackers exploiting the CVE-2021-26855 vulnerability in Microsoft Exchange. However, signs of the attacks on affected systems seem to date back as far as March 2021.

“During the investigation, researchers uncovered larger-scale activity by the threat actor in the network of the telecommunications company and also identified other victims of the campaign,” reads the advisory.

Throughout the attack campaign, the ShadowPad backdoor was reportedly downloaded to victim computers as the mscoree.dll file, which was, in turn, launched by a legitimate executable file named AppLaunch.exe.

Attackers would then launch ShadowPad using DLL hijacking in OleView, a legitimate OLE-COM object viewing application. Once they gained the initial foothold into the system, the threat actors would send commands manually, then automatically.

Additional tools used by the hackers during these cyber-attacks reportedly include the CobaltStrike framework, the PlugX backdoor and various BAT files. A complete list is available in the original text of the advisory.

In terms of attribution, Kaspersky said the newly identified attacks on a variety of organizations had an almost totally unique set of tactics, techniques and procedures (TTP).

“The attackers’ TTP enabled us to link these attacks to a Chinese-speaking threat actor, and we observed victims located in different regions. This means that the actor we have identified may have broader geographical interests and we could expect more victims to be discovered in different countries in the future.”

At the time of writing, however, the antivirus company said they could not be sure of the ultimate goal of the attacker, but they think it may be data harvesting.

“We believe that it is highly likely that this threat actor will strike again and we will find new victims in different countries.”

What’s Hot on Infosecurity Magazine?