Silver Dragon APT41 Targets Governments with Advanced Techniques

Posted on March 4, 2026 By CWS

Cybersecurity experts have revealed specifics about Silver Dragon, an advanced persistent threat (APT) group tied to cyber espionage attacks on governmental bodies in Europe and Southeast Asia since mid-2024. This group, operating under the APT41 umbrella, utilizes sophisticated methods like Cobalt Strike beacons and Google Drive for command-and-control (C2) activities.

Methods of Initial Access

Silver Dragon gains initial access by exploiting vulnerabilities in public-facing internet servers and by sending phishing emails with malicious attachments, according to Check Point’s technical analysis. The group keeps its foothold by abusing legitimate Windows services, so that its malware processes blend into normal activity unnoticed.

Affiliated with APT41, a notorious Chinese hacking entity active since 2012, Silver Dragon focuses on sectors such as healthcare, telecommunications, and technology for cyber espionage. Additionally, it engages in financially motivated activities that may fall outside state directives.

Infection Chains and Techniques

Silver Dragon uses three main infection chains to deliver Cobalt Strike: AppDomain hijacking, service DLL, and phishing. The first two are post-exploitation chains, typically run after an exposed server has been breached: the operators drop a RAR archive containing a batch script, which in turn deploys loaders such as MonikerLoader and BamboLoader.

The third chain, a phishing campaign, targets entities like those in Uzbekistan using malicious LNK files. These files execute PowerShell code, enabling further payload deployment, including decoy documents and malicious DLLs that launch Cobalt Strike.
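As an added illustration of how a defender can triage the LNK lures described above (example code written for this page, not Check Point’s analysis tooling or any artifact from the reported campaign): a minimal MS-SHLLINK parser that pulls the target path, arguments and ShowCommand out of a .lnk file and flags shortcuts that launch PowerShell with a hidden window or encoded command. The sample .lnk bytes are constructed inline, and the `-enc` value is a placeholder, not a real payload.

```python
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_DATA = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
               (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))

def build_lnk(rel_path, args, show_cmd=1):
    # Constructed sample: a minimal .lnk carrying only RelativePath and Arguments.
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(rel_path) + sd(args)

def parse_lnk(data):
    # Return the StringData fields plus ShowCommand of a Shell Link file.
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:          # skip LinkTargetIDList (u16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:        # skip LinkInfo (u32 size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"show_command": show_cmd}
    for bit, name in STRING_DATA:    # each present string: u16 char count, then chars
        if flags & bit:
            n, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            width = 2 if flags & IS_UNICODE else 1
            fields[name] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += n * width
    return fields

def triage_lnk(data):
    # Flag shortcuts that launch PowerShell, hide the window or pass encoded commands.
    f = parse_lnk(data)
    cmd = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    checks = (("target is PowerShell", "powershell" in cmd or "pwsh" in cmd),
              ("hidden or encoded invocation",
               any(k in cmd for k in ("-enc", "-w hidden", "windowstyle hidden", "-ep bypass"))),
              ("window minimized on launch", f["show_command"] == 7))  # SW_SHOWMINNOACTIVE
    reasons = [why for why, hit in checks if hit]
    return {"fields": f, "reasons": reasons, "suspicious": bool(reasons)}

# Constructed samples; the -enc value is a placeholder, not a real payload.
LURE = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "-w hidden -enc <CONSTRUCTED-PLACEHOLDER>", show_cmd=7)
BENIGN = build_lnk(r"..\..\Windows\System32\notepad.exe", "report.txt")
```

Running `triage_lnk` over attachments quarantined from mail gives an analyst the target and arguments without ever resolving the shortcut on a live host.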

Advanced Post-Exploitation Tools

Silver Dragon employs several post-exploitation tools, such as SilverScreen for screen monitoring and SSHcmd for remote command execution. GearDoor, a .NET backdoor, communicates with Google Drive for C2 operations, using different file extensions to distinguish tasking files from result files.

The backdoor uploads system information as heartbeat files and executes commands received in specific file formats. Each operation’s outcomes are subsequently relayed back to the server, showcasing a complex and adaptable infrastructure.

Implications and Future Outlook

Silver Dragon’s association with APT41 is evident through shared tactics and tools, underscoring the group’s evolving capabilities in cyber warfare. Check Point highlights the group’s proficiency in exploiting vulnerabilities and deploying sophisticated communication methods. As cybersecurity threats grow more intricate, understanding and countering such threats become increasingly crucial for protecting sensitive governmental data.

Source: The Hacker News. Tags: advanced persistent threat, APT41, Check Point, Cobalt Strike, cyber attacks, cyber espionage, Cybersecurity, Google Drive C2, Malware, Phishing, Silver Dragon, Windows security