Dev-0147 Expands Operations to South America with Naplistener 

DEV-0147, a group believed to be state-sponsored by China, has been observed targeting diplomatic entities in South America using common espionage and exfiltration tools such as ShadowPad, which is frequently used by other Chinese threat actors. Microsoft reports that this new campaign represents an expansion of the group’s data exfiltration operations, which have previously focused on targeting government agencies and think tanks in Asia and Europe. 

The group has been using sophisticated tools such as ShadowPad remote access trojans (RAT) for infiltration and persistence, as well as the QuasarLoader tool to download and execute additional malware payloads. For data exfiltration and command and control (C2) communication, it has utilized Cobalt Strike. Post-exploitation activities include the abuse of on-premises identity infrastructure for further reconnaissance and lateral movement. Experts believe that the group may use phishing and exploit unpatched applications as initial attack vectors. 

State-Sponsored Threat Groups Tactics 

State-sponsored threat groups, such as those believed to be linked to China, are typically highly skilled and well-resourced. They may use a range of tactics to achieve their objectives, including spear-phishing, social engineering, and the use of advanced malware and backdoors. In recent years, several Chinese espionage groups have been observed using ShadowPad for their attack campaigns. 

ShadowPad is a remote access tool that allows attackers to gain remote access to targeted networks, steal sensitive data, monitor user activity, and carry out other malicious activities. Other tools commonly used by Chinese threat groups include the Gh0st RAT, Poison Ivy, and PlugX. 

Recent analysis indicates that ShadowPad is being used by several Chinese threat groups affiliated with the Ministry of State Security (MSS) and the People’s Liberation Army (PLA), including Earth Lusca, Winnti (also known as APT41), Tonto Team, and Space Pirates. These groups are using custom decryption algorithms in ShadowPad based on distinct encryption algorithms used in multiple variants. 

When targeting diplomatic entities, state-sponsored threat groups may have a specific political or strategic objective in mind. This may include stealing sensitive information, monitoring diplomatic communications, or disrupting diplomatic activities. 

To evade detection, the threat group tracked as REF2924 has been observed deploying previously unseen malware named NAPLISTENER, a Hypertext Transfer Protocol (HTTP) listener designed to evade network-based forms of detection. Code analysis suggests that the group borrows or repurposes code from open-source projects hosted on GitHub to develop its own tools, which indicates that REF2924 may be actively honing a range of cyber weapons. 

How to Protect your Organization 

To effectively defend against these threat groups, organizations are advised to monitor for known tactics, techniques and procedures (TTPs) associated with ShadowPad and other tools used by Chinese threat groups. It is important to implement strong security measures such as multi-factor authentication, network segmentation, and regular security assessments. Organizations should also prioritize employee training on best practices for identifying and avoiding phishing attacks and other social engineering tactics commonly used by these threat groups. 

References: 
1. https://www.darkreading.com/threat-intelligence/custom-naplistener-malware-network-based-detection-sleep 

2. https://thehackernews.com/2023/03/new-naplistener-malware-used-by-ref2924.html 

3. https://cyware.com/news/chinese-espionage-group-dev-0147-targets-diplomatic-entities-in-south-america-085a1297 

4. https://thehackernews.com/2023/02/chinese-hackers-targeting-south.html 

5. https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns