DEV-0147 Expands Operations to South America with Naplistener
DEV-0147, a group believed to be state-sponsored by China, has been observed targeting diplomatic entities in South America using common espionage and exfiltration tools such as ShadowPad, which is frequently used by other Chinese threat actors. Microsoft reports that this new campaign represents an expansion of the group’s data exfiltration operations, which have previously focused on targeting government agencies and think tanks in Asia and Europe.
The group has been using sophisticated tools such as the ShadowPad remote access trojan (RAT) for infiltration and persistence, as well as the QuasarLoader tool to download and execute additional malware payloads. For data exfiltration and command and control (C2) communication, it has utilized Cobalt Strike. Post-exploitation activities include the abuse of on-premises identity infrastructure for further reconnaissance and lateral movement. Experts believe that the group may use phishing and exploit unpatched applications as initial attack vectors.
State-Sponsored Threat Groups Tactics
State-sponsored threat groups, such as those believed to be linked to China, are typically highly skilled and well-resourced. They may use a range of tactics to achieve their objectives, including spear-phishing, social engineering, and the use of advanced malware and backdoors. In recent years, several Chinese espionage groups have been observed using ShadowPad for their attack campaigns.
ShadowPad is a remote access tool that allows attackers to gain remote access to targeted networks, steal sensitive data, monitor user activity, and carry out other malicious activities. Other tools commonly used by Chinese threat groups include the Gh0st RAT, Poison Ivy, and PlugX.
Recent analysis indicates that ShadowPad is being used by several Chinese threat groups affiliated with the Ministry of State Security (MSS) and the People’s Liberation Army (PLA), including Earth Lusca, Winnti (also known as APT41), Tonto Team, and Space Pirates. These groups deploy multiple ShadowPad variants, each built on a distinct encryption algorithm with its own custom decryption routine.
When targeting diplomatic entities, state-sponsored threat groups may have a specific political or strategic objective in mind. This may include stealing sensitive information, monitoring diplomatic communications, or disrupting diplomatic activities.
To evade detection, the threat group tracked as REF2924 has been observed deploying previously unseen malware named NAPLISTENER, a Hypertext Transfer Protocol (HTTP) listener designed to evade network-based forms of detection. Code analysis suggests that the group borrows or repurposes code from open-source projects hosted on GitHub to develop its own tools, which indicates that REF2924 may be actively honing a range of cyber weapons.
How to Protect Your Organization
To effectively defend against these threat groups, organizations are advised to monitor for known tactics, techniques and procedures (TTPs) associated with ShadowPad and other tools used by Chinese threat groups. It is important to implement strong security measures such as multi-factor authentication, network segmentation, and regular security assessments. Organizations should also prioritize employee training on best practices for identifying and avoiding phishing attacks and other social engineering tactics commonly used by these threat groups.