Tag Archive for: PLA

Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA



Cybersecurity researchers have detailed the inner workings of ShadowPad, a sophisticated and modular backdoor that has been adopted by a growing number of Chinese threat groups in recent years, while also linking it to the country’s civilian and military intelligence agencies.

“ShadowPad is decrypted in memory using a custom decryption algorithm,” researchers from Secureworks said in a report shared with The Hacker News. “ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality.”

ShadowPad is a modular malware platform that shares noticeable overlaps with the PlugX malware and that has been used in high-profile attacks against NetSarang, CCleaner, and ASUS, prompting its operators to shift tactics and update their defensive measures.


While the initial campaigns that delivered ShadowPad were attributed to a threat cluster tracked as Bronze Atlas aka Barium – Chinese nationals working for a network security company named Chengdu 404 – it has since 2019 been used by multiple Chinese threat groups.

In a detailed overview of the malware in August 2021, cybersecurity company SentinelOne dubbed ShadowPad a “masterpiece of privately sold malware in Chinese espionage.” A subsequent analysis by PwC in December 2021 disclosed a bespoke packing mechanism – named ScatterBee – that’s used to obfuscate malicious 32-bit and 64-bit payloads for ShadowPad binaries.

The malware payloads are traditionally deployed to a host either encrypted within a DLL loader or embedded inside a separate file along with a DLL loader, which then decrypts and executes the embedded ShadowPad payload in memory using a custom decryption algorithm tailored to the malware version.


These DLL loaders execute the malware after being sideloaded by a legitimate executable that is vulnerable to DLL search order hijacking, a technique in which the attacker places a malicious DLL where the Windows loader will find it before the genuine library, so that the legitimate program loads and runs the attacker's code.
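As an added illustration of how a defender can hunt for the sideloading pattern just described (example code, not from the article or from Secureworks): the script below flags module-load events in which a DLL that would normally resolve from a Windows system directory was instead loaded from the directory of a signed executable. The event records, the system directory list and the DLL name baseline are all constructed assumptions; in practice they would come from EDR or Sysmon image-load telemetry and a baseline taken from a clean host.

```python
"""Heuristic detection of DLL search-order hijacking (sideloading).

Added example, not the article's or Secureworks' code. Input is a constructed
list of module-load records standing in for EDR / Sysmon "image loaded" events.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which well-known DLLs are normally resolved (constructed).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLL names that should resolve from a system directory. Constructed baseline;
# a real one is built from the modules observed on a known-clean host.
EXPECTED_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll"}


@dataclass(frozen=True)
class ModuleLoad:
    process_path: str      # full path of the executable that loaded the DLL
    image_path: str        # full path of the DLL that was mapped
    signed_process: bool   # host executable carries a valid code signature


def _norm(path: str) -> PureWindowsPath:
    return PureWindowsPath(path.lower())


def is_sideload_candidate(ev: ModuleLoad) -> bool:
    """True when a signed executable loaded a DLL that is expected from a
    system directory but was found next to the executable itself, i.e. the
    loader's search order picked up a same-named file in the app directory."""
    dll, exe = _norm(ev.image_path), _norm(ev.process_path)
    if not ev.signed_process or dll.name not in EXPECTED_SYSTEM_DLLS:
        return False
    if str(dll.parent) in SYSTEM_DIRS:
        return False  # resolved from its normal location, nothing to see
    return dll.parent == exe.parent


def find_sideload_candidates(events):
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry: one benign load, one sideload pattern,
# one unrelated application DLL.
SAMPLE_EVENTS = [
    ModuleLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Windows\System32\version.dll", True),
    ModuleLoad(r"C:\Users\u\AppData\Local\Temp\tool.exe", r"C:\Users\u\AppData\Local\Temp\version.dll", True),
    ModuleLoad(r"C:\Users\u\AppData\Local\Temp\tool.exe", r"C:\Users\u\AppData\Local\Temp\helper.dll", True),
]

if __name__ == "__main__":
    for ev in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible sideload:", ev.process_path, "->", ev.image_path)
```

The check is a triage heuristic, not a verdict: a hit should be followed by inspecting the flagged DLL (signature, hash, export table) and the process tree that launched the executable.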

Select infection chains observed by Secureworks also involve a third file that contains the encrypted ShadowPad payload, which work by executing the legitimate binary (e.g.,…


China’s PLA blamed for cyberattacks in Japan


The Chinese military is suspected of ordering hackers to attack hundreds of targets in Japan, including the country’s space agency and defense-related firms. Police sent papers to prosecutors on a Chinese Communist Party member on Tuesday on suspicion of forging digital records related to the cyberattacks.

The Tokyo Metropolitan Police Department says the Japan Aerospace Exploration Agency, or JAXA, suffered a cyberattack in 2016. The police identified a Chinese man who had leased several servers in Japan that were allegedly used in the attack.

The man, who is no longer in Japan, is said to be a computer engineer in his 30s. He allegedly rented servers five times under false names.

Investigative sources say the servers’ ID and other credentials were then passed on to a Chinese hacker group known as “Tick.”

Tokyo police suspect the Chinese People’s Liberation Army instructed Tick to stage cyberattacks in Japan. Sources say that about 200 companies and advanced research institutions, including Mitsubishi Electric and Keio University, were targeted.

A JAXA spokesperson told NHK that the space agency did experience unauthorized access, but suffered no data leaks or other damage.

Meanwhile, another Chinese man is also said to have rented several servers in Japan using fake identities. This was allegedly under the instruction of a member of unit 61419 — a bureau in charge of cyberattacks within China’s PLA.

Cyber security expert Iwai Hiroki says Tick is one of the private hacker groups that are believed to work under the instructions of China’s PLA and national security authorities. He says Tick became active in the early 2000s and is thought to target aerospace research entities through sophisticated attacks.
