According to Trend Micro, the targets included a Pakistan government entity, a public sector bank and a telecommunications provider. This change took place between mid-February 2022 and September 2022.
The cyber security company said the incident could be the result of a supply-chain attack, in which a legitimate piece of software used by targets of interest was trojaned to deploy malware capable of gathering sensitive information from compromised systems.
The attack series took the form of a malicious installer for e-Office, an application developed by Pakistan’s National Information Technology Board (NITB) to help government departments go paperless.
It is not clear at the moment how the e-Office installer was backdoored to the target. To date, there is no evidence that the built environment of a Pakistani government agency has been compromised, he said.
This increases the likelihood that the threat actor obtained the legitimate installer and tampered with it to include the malware, and then later used social engineering attacks to lure victims into running the Trojan version.
“Three files were added to the validating MSI installer: telerik.windows.data.validation.dll, mscoree.dll, and mscoree.dll.dat,” Trend Micro researcher Daniel Lunghi said in an updated analysis published today.
Telerik.Windows.Data.Validation.dll is a valid applaunch.exe file signed by Microsoft, which is vulnerable to DLL side-loading and is used to sideload mscoree.dll, which in turn uses mscoree.dll is used to sideload. dll.dat loads the ShadowPad payload.
Trend Micro said obfuscation techniques used to hide DLLs and decrypted end-stage malware were first exposed by Positive Technologies in January 2021 in connection with a Chinese cyber espionage campaign run by Vinnati Group (aka apt41) Attitude Development it was done.
In addition to ShadowPad, post-exploitation activities have grown to include the use of Mimikatz to dump passwords and credentials from memory.
A lack of evidence has made it difficult to attribute responsibility to a known threat actor, although the cyber security company said it discovered malware samples such as the Deed RAT attributed to the Space Pirates (or webworm) threat actor.
“This entire campaign was the result of a very capable threat actor who managed to retrieve and modify a government application’s installer to compromise at least three sensitive targets,” Lungi said.
“The fact that the threat actor has access to a recent version of ShadowPad potentially links it to a nexus of Chinese threat actors, although we cannot point to any specific group with confidence.”
