Cybersecurity researchers have disclosed details of an advanced persistent threat (APT) group dubbed Silver Dragon that has been linked to cyber attacks targeting entities in Europe and Southeast Asia since at least mid-2024.
“Silver Dragon gains its initial access by exploiting public-facing web servers and by delivering phishing emails that contain malicious attachments,” Check Point said in a technical report. “To maintain persistence, the group hijacks legitimate Windows services, which allows the malware processes to blend into normal system activity.”
Silver Dragon is assessed to be operating within the APT41 umbrella. APT41 is the cryptonym assigned to a prolific Chinese hacking group known for its targeting of the healthcare, telecoms, high-tech, education, travel services, and media sectors for cyber espionage as early as 2012. It is also believed to engage in financially motivated activity, likely outside of state control.
Attacks mounted by Silver Dragon have been found to primarily single out government entities, with the adversary using Cobalt Strike beacons for persistence on compromised hosts. It is also known to use techniques like DNS tunneling for command-and-control (C2) communication to bypass detection.
Check Point said it identified three different infection chains used to deliver Cobalt Strike: AppDomain hijacking, service DLL, and email-based phishing.
“The first two infection chains, AppDomain hijacking and Service DLL, show clear operational overlap,” the cybersecurity company said. “They’re both delivered via compressed archives, suggesting their use in post‑exploitation scenarios. In several cases, these chains were deployed following the compromise of publicly exposed vulnerable servers.”
The two chains make use of a RAR archive containing a batch script, with the first chain using it to drop MonikerLoader, a .NET-based loader responsible for decrypting and executing a second stage directly in memory. The second stage, for its part, mimics MonikerLoader’s behavior, acting as a conduit for loading the final Cobalt Strike beacon payload.
The service DLL chain, on the other hand, uses a batch script to deliver a shellcode DLL loader dubbed BamboLoader, which is registered as a Windows service. A heavily obfuscated C++ malware, it is used to decrypt and decompress shellcode staged on disk and inject it into a legitimate Windows process, such as “taskhost.exe.” The binary targeted for injection is configurable within BamboLoader.
The third infection chain involves a phishing campaign that has primarily targeted Uzbekistan with malicious Windows shortcuts (LNK) as attachments. The weaponized LNK file is designed to launch PowerShell code via “cmd.exe,” leading to the extraction and execution of next-stage payloads. This consists of four different files –
- Decoy document
- Legitimate executable vulnerable to DLL side-loading (“GameHook.exe”)
- Malicious DLL aka BamboLoader (“graphics-hook-filter64.dll”)
- Encrypted Cobalt Strike payload (“simhei.dat”)
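The phishing chain above exposes two observable steps to endpoint telemetry: an LNK launching PowerShell through cmd.exe under explorer.exe, and a legitimate executable side-loading a DLL from a user-writable directory. The detection logic below is an added example, not code from the article or from Check Point; the event records are constructed, and the executable and DLL names are the ones named in the article, with everything else (paths, event layout, thresholds) assumed for illustration.

```python
"""Detection logic for the LNK -> cmd.exe -> PowerShell launch and the
GameHook.exe DLL side-load described in the article. Added example; all
event records below are constructed sample telemetry, not real data."""
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:          # process-creation record (Sysmon EID 1 style, assumed layout)
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


@dataclass
class ImageLoadEvent:     # DLL-load record (Sysmon EID 7 style, assumed layout)
    pid: int
    loaded: str


# Executable/DLL names come from the article; the path markers are assumed.
KNOWN_SIDELOAD_PAIRS = {("gamehook.exe", "graphics-hook-filter64.dll")}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def _user_writable(path):
    return any(m in path.lower() + "\\" for m in USER_WRITABLE_MARKERS)


def detect_lnk_launch(proc_events):
    """PIDs of cmd.exe spawned directly by explorer.exe (how a double-clicked
    LNK runs) whose command line invokes PowerShell."""
    return [e.pid for e in proc_events
            if _base(e.image) == "cmd.exe"
            and _base(e.parent_image) == "explorer.exe"
            and "powershell" in e.cmdline.lower()]


def detect_sideload(proc_events, load_events):
    """Known executable/DLL pairs score 'known'; any DLL loaded from the same
    user-writable directory as its host executable scores 'candidate'."""
    by_pid = {e.pid: e for e in proc_events}
    findings = []
    for ld in load_events:
        proc = by_pid.get(ld.pid)
        if proc is None:
            continue
        exe, dll = _base(proc.image), _base(ld.loaded)
        if (exe, dll) in KNOWN_SIDELOAD_PAIRS:
            findings.append(("known", ld.pid, dll))
        elif _dir(proc.image) == _dir(ld.loaded) and _user_writable(ld.loaded):
            findings.append(("candidate", ld.pid, dll))
    return findings


def descends_from(proc_events, pid, ancestor_pid):
    """Walk parent links to decide whether pid is a descendant of ancestor_pid."""
    by_pid = {e.pid: e for e in proc_events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
        if pid == ancestor_pid:
            return True
    return False


def correlate(proc_events, load_events):
    """A side-load inside a process descended from a flagged LNK launch.
    Returns (severity, cmd_pid, sideload_pid) tuples."""
    hits = []
    for cmd_pid in detect_lnk_launch(proc_events):
        for kind, pid, _dll in detect_sideload(proc_events, load_events):
            if descends_from(proc_events, pid, cmd_pid):
                hits.append(("high" if kind == "known" else "medium", cmd_pid, pid))
    return hits


# Constructed sample telemetry modelled on the chain in the article.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROC_EVENTS = [
    ProcEvent(100, 10, r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Windows\winlogon.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c powershell -c "<stage script>"', r"C:\Windows\explorer.exe"),
    ProcEvent(201, 200, PS, 'powershell -c "<stage script>"', r"C:\Windows\System32\cmd.exe"),
    ProcEvent(300, 201, r"C:\Users\u\AppData\Local\Temp\GameHook.exe", "GameHook.exe", PS),
    ProcEvent(400, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", r"C:\Windows\explorer.exe"),
]
LOAD_EVENTS = [
    ImageLoadEvent(300, r"C:\Users\u\AppData\Local\Temp\graphics-hook-filter64.dll"),
    ImageLoadEvent(201, r"C:\Windows\System32\kernel32.dll"),   # benign system DLL
    ImageLoadEvent(400, r"C:\Windows\System32\kernel32.dll"),   # benign system DLL
]

if __name__ == "__main__":
    print(correlate(PROC_EVENTS, LOAD_EVENTS))
```

The generic side-load rule (same directory, user-writable path) catches renamed copies of the pair the article names, while the ancestry check keeps the severity tied to the LNK launch rather than to any developer who happens to run a tool out of a Temp folder.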
As part of this campaign, the decoy document is displayed to the victim while, in the background, the rogue DLL is sideloaded via “GameHook.exe” to ultimately launch Cobalt Strike. The attacks are also characterized by the deployment of various post-exploitation tools –
- SilverScreen, a .NET screen-monitoring tool used to capture periodic screenshots of user activity, including precise cursor positioning.
- SSHcmd, a .NET command-line SSH utility that provides remote command execution and file transfer capabilities over SSH.
- GearDoor, a .NET backdoor that shares similarities with MonikerLoader and communicates with its C2 infrastructure via Google Drive.
Once executed, the backdoor authenticates to the attacker-controlled Google Drive account and uploads a heartbeat file containing basic system information. Interestingly, the backdoor uses different file extensions to indicate the nature of the task to be performed on the infected host. The results of the task execution are captured and uploaded to Drive.
- *.png, to send heartbeat information.
- *.pdf, to download and execute commands, list the contents of a directory, make a new directory, and remove all files within a specified directory. The results of the operation are sent to the server in the form of a *.db file.
- *.cab, to download and execute commands to gather host information and a list of running processes, enumerate files and directories, run commands via “cmd.exe” or scheduled tasks, upload files to Google Drive, and terminate the implant. The execution status is uploaded as a .bak file.
- *.rar, to download and execute payloads. If the RAR file is named “wiatrace.bak,” the backdoor treats it as a self-update package. The results are uploaded as .bak files.
- *.7z, to download and execute plugins in memory. The results are uploaded as .bak files.
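Because GearDoor's tasking rides on file names in a legitimate cloud service, a defender who can see Drive activity (an audit log or CASB export) can hunt for the shape of the protocol rather than for any single indicator: regular .png uploads from one host, task-extension downloads, and .db/.bak result uploads shortly after. The script below is an added example, not the article's or Check Point's code; the log format and the thresholds are assumed, and the log lines are constructed.

```python
"""Hunt for the GearDoor tasking pattern over cloud-storage activity logs.
Added example: the extensions and the 'wiatrace.bak' name are from the
article; the log format, thresholds and sample lines are assumed/constructed."""
from collections import defaultdict
from datetime import datetime

TASK_EXT = {".pdf", ".cab", ".rar", ".7z"}   # task file types named in the article
RESULT_EXT = {".db", ".bak"}                 # result file types named in the article
HEARTBEAT_EXT = ".png"
SELF_UPDATE_NAME = "wiatrace.bak"

# Constructed sample, one line per record: "<iso time> <host> <upload|download> <filename>"
SAMPLE_LOG = """\
2025-01-10T09:00:00 WS01 upload a1b2.png
2025-01-10T09:05:00 WS01 upload a1b2.png
2025-01-10T09:10:00 WS01 upload a1b2.png
2025-01-10T09:11:00 WS01 download task01.cab
2025-01-10T09:12:00 WS01 upload task01.bak
2025-01-10T09:15:00 WS01 upload a1b2.png
2025-01-10T09:16:00 WS01 download wiatrace.bak
2025-01-10T10:00:00 WS02 upload holiday.png
2025-01-10T10:30:00 WS02 download report.pdf
"""


def parse(log_text):
    """Turn the assumed log format into (time, host, action, lowercase name) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, host, action, name = line.split()
        events.append((datetime.fromisoformat(ts), host, action, name.lower()))
    return events


def ext(name):
    return name[name.rfind("."):] if "." in name else ""


def analyse(events, min_heartbeats=3, max_jitter_s=120, result_window_s=900):
    """Score each host on three independent signals and return
    {host: (score, reasons)} for every host that trips at least one."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        evs.sort()
        score, reasons = 0, []
        # Signal 1: several .png uploads at a near-constant interval (heartbeat).
        hb = [e[0] for e in evs if e[2] == "upload" and ext(e[3]) == HEARTBEAT_EXT]
        if len(hb) >= min_heartbeats:
            gaps = [(b - a).total_seconds() for a, b in zip(hb, hb[1:])]
            if max(gaps) - min(gaps) <= max_jitter_s:
                score += 1
                reasons.append(f"{len(hb)} regular .png uploads")
        for i, (t, _, action, name) in enumerate(evs):
            # Signal 2: a task-extension download followed by a result upload.
            if action == "download" and ext(name) in TASK_EXT:
                followed = any(e[2] == "upload" and ext(e[3]) in RESULT_EXT
                               and 0 < (e[0] - t).total_seconds() <= result_window_s
                               for e in evs[i + 1:])
                if followed:
                    score += 1
                    reasons.append(f"task {name} followed by result upload")
            # Signal 3: the self-update file name from the article.
            if name == SELF_UPDATE_NAME:
                score += 1
                reasons.append("self-update file name seen")
        if score:
            findings[host] = (score, reasons)
    return findings


if __name__ == "__main__":
    for host, (score, reasons) in analyse(parse(SAMPLE_LOG)).items():
        print(host, score, "; ".join(reasons))
```

The heartbeat signal is deliberately extension-agnostic in spirit: a user uploading one photo does not trip it, but a process uploading the same small .png on a timer does, and a renamed implant that kept the cadence would still score on that signal alone.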
Silver Dragon’s links to APT41 stem from tradecraft overlaps with post-exploitation installation scripts previously attributed to the latter, and from the fact that the decryption mechanism used by BamboLoader has been observed in shellcode loaders linked to China-nexus APT activity.
“The group continuously evolves its tooling and techniques, actively testing and deploying new capabilities across different campaigns,” Check Point said. “The use of diverse vulnerability exploits, custom loaders, and sophisticated file-based C2 communication reflects a well-resourced and adaptable threat group.”
