A China-linked cyber group, known as SHADOW-EARTH-053, has orchestrated a sophisticated espionage operation targeting government bodies and critical infrastructure across Asia. The campaign, first identified in December 2024, has affected entities in at least eight countries.
Exploiting Vulnerabilities for Initial Access
The attackers exploit unpatched vulnerabilities in Microsoft Exchange and Internet Information Services (IIS) servers to gain initial access. In particular, they target the ProxyLogon vulnerability chain, comprising CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Despite patches having been available for years, many organizations still operate unpatched servers, making them prime targets.
Once access is obtained, the group uses web shells like GODZILLA to establish persistent backdoors, enabling remote command execution. This stealthy approach allows them to remain undetected within the networks for extended periods.
Advanced Malware and Techniques
Trend Micro researchers Daniel Lunghi and Lucas Silva have identified the use of ShadowPad implants as a key component in this campaign. ShadowPad, a modular backdoor initially linked to APT41 and shared among China-aligned groups, is central to the attackers’ strategy. The campaign also involves the IOX proxy tool for covert communications and the Windows Management Instrumentation Command-line (WMIC) for lateral movement.
Researchers uncovered another cluster, SHADOW-EARTH-054, showing similar attack patterns and tool hashes. Nearly half of the targeted networks were compromised by both clusters, affecting countries including Pakistan, Thailand, Malaysia, India, and others.
Technical Insights into the Attack
A notable aspect of the campaign is the loading mechanism of ShadowPad via a DLL sideloading technique. Malicious DLLs are placed alongside legitimate signed executables from vendors like Toshiba, Samsung, and Microsoft. When these programs are executed, they inadvertently load the malicious DLLs.
The attackers maintain persistence through a scheduled task named “M1onltor,” which runs the sideloaded binary with elevated privileges. WMIC is then employed to deploy additional backdoors, and tools like Mimikatz are used to harvest credentials.
Defensive Measures and Future Outlook
Organizations using Microsoft Exchange or IIS servers are urged to apply the latest security patches promptly. If immediate patching is not feasible, implementing Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with virtual patching rules is advised. Security teams should monitor critical web directories for unauthorized changes and review EDR telemetry for suspicious activities.
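One way a security team can review scheduled-task telemetry for the two signals described above (a look-alike task name such as “M1onltor” and a SYSTEM task launching a binary from a user-writable directory) is to triage a `schtasks /query /fo CSV /v` export. This is an added example, not code from Trend Micro or the article; the sample export, the list of benign words and the vendor paths are constructed, and the column set is trimmed to three fields.

```python
import csv
import io
from typing import Optional

# Constructed sample of a `schtasks /query /fo CSV /v` export, trimmed to three columns.
SAMPLE_CSV = r"""TaskName,Run As User,Task To Run
\Microsoft\Windows\Defrag\ScheduledDefrag,SYSTEM,%windir%\system32\defrag.exe -c -h -o -$
\M1onltor,SYSTEM,C:\Users\Public\VendorTool\vendortool.exe
\Monitor,CONTOSO\alice,C:\Program Files\VendorTool\Monitor.exe /quiet
"""

# Benign task names that look-alike names tend to imitate (constructed list, extend as needed).
BENIGN_WORDS = ["monitor", "update", "maintenance", "service", "sync"]
# Digit-for-letter swaps used to build look-alike names ("M1onltor" ~ "Monitor").
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})
# Directories where a SYSTEM-level task's binary is normally expected to live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
                    "%windir%", "%systemroot%")

def normalize(task_name: str) -> str:
    """Lowercase the leaf task name and undo digit-for-letter confusables."""
    return task_name.rsplit("\\", 1)[-1].lower().translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough to inline for short task names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(task_name: str) -> Optional[str]:
    """Return the benign word a task name imitates (within 2 edits, not exact), else None."""
    norm = normalize(task_name)
    for word in BENIGN_WORDS:
        if 0 < edit_distance(norm, word) <= 2:
            return word
    return None

def untrusted_system_task(run_as: str, command: str) -> bool:
    """True for a SYSTEM task whose binary sits outside Windows/Program Files."""
    if run_as.strip().upper() not in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        return False
    return not command.strip().strip('"').lower().startswith(TRUSTED_PREFIXES)

def triage(csv_text: str) -> list:
    """Return one finding per task that trips either heuristic, with the reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        word = lookalike_of(row["TaskName"])
        if word:
            reasons.append(f"name resembles '{word}'")
        if untrusted_system_task(row["Run As User"], row["Task To Run"]):
            reasons.append("runs as SYSTEM from an untrusted directory")
        if reasons:
            findings.append({"task": row["TaskName"], "reasons": reasons})
    return findings
```

Both heuristics fire only on the constructed “M1onltor” row; the genuine Defrag task and the user-level “Monitor” task pass, so the output is a short list worth a manual look rather than a flood of alerts.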
Constant vigilance and proactive measures are crucial in mitigating the risks posed by such sophisticated cyber threats. As cyber espionage tactics evolve, organizations must remain agile in their defense strategies to safeguard against future attacks.
