Telecom service providers from Central Asia are the newest targets of a China-based cyberespionage group dubbed Moshen Dragon after cybersecurity experts detected new waves of malicious activities from them.
Security researchers found some common grounds between Moshen Dragon and other threat groups like Nomad Panda and RedFoxtrot since they have all utilised similar malware variants like the ShadowPad and PlugX. Nonetheless, differences still show in the threat groups’ attack campaigns.
Based on experts’ analysis, the Moshen Dragon gang is capable of adjusting its methods subject to the cyber defences they encounter during a campaign.
Furthermore, the threat operators sideload the malicious Windows DLL into the targeted machines’ antivirus solutions, infiltrate into networks for lateral movements, and then collect data and credentials once the machines have been compromised.
Several antivirus solutions, including McAfee, Symantec, TrendMicro, Kaspersky, and Bitdefender, are the recorded targets of the currently identified infection vector since these products run on high privileges within the Windows OS. The hackers could sideload malicious DLL into these AV products to allow them to run codes with few restrictions and bypass security detection.
The Moshen Dragon gang extensively utilises this attack vector to launch a Python kit called Impacket, which is made to control the lateral movement and remote code execution (RCE) through the Windows Management Instrumentation (MWI).
The gang also make the most out of Impacket since it can aid in stealing data of their victims.
Since the hackers have accessed the machine’s connected networks, they can drop another passive loader onto them, capable of confirming if it is inside a correct machine before activating through hostname and hardcoded value comparison.
This process implies that the gang can generate a unique DLL for each targeted machine. Thus, experts believe that Moshen Dragon is a sophisticated and diligent threat group.
In related news, experts have also detected that the loader utilised by Moshen Dragon was also found last December 2021 being used against a US government system. They presume that China-based APTs frequently use the loader or that they shift their focus to multiple targets.
