Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware
An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that’s commonly associated with Chinese hacking crews.
Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022.
The cybersecurity company said the incident could be the result of a supply-chain attack, in which a legitimate piece of software used by targets of interest is trojanized to deploy malware capable of gathering sensitive information from compromised systems.
The attack chain takes the form of a malicious installer for E-Office, an application developed by the National Information Technology Board (NITB) of Pakistan to help government departments go paperless.
It’s currently not clear how the backdoored E-Office installer was delivered to the targets. That said, there’s no evidence to date that the build environment of the Pakistani government agency in question has been compromised.
This raises the possibility that the threat actor obtained the legitimate installer and tampered it to include malware, and then subsequently lured victims into running the trojanized version via social engineering attacks.
“Three files were added to the legitimate MSI installer: Telerik.Windows.Data.Validation.dll, mscoree.dll, and mscoree.dll.dat,” Trend Micro researcher Daniel Lunghi said in an updated analysis published today.
Telerik.Windows.Data.Validation.dll is a valid applaunch.exe file signed by Microsoft, which is vulnerable to DLL side-loading and is used to sideload mscoree.dll that, in turn, loads mscoree.dll.dat, the ShadowPad payload.
Trend Micro said the obfuscation techniques used to conceal DLL and the decrypted final-stage malware are an evolution of an approach previously exposed by Positive Technologies in January 2021 in connection with a Chinese cyber espionage campaign undertaken by the Winnti group (aka APT41).
Shield Against Insider Threats: Master SaaS Security Posture Management
Worried about insider threats?…
