A cyber threat group known as Silver Dragon, with ties to China, has been actively targeting governmental and prominent organizations in Southeast Asia and Europe since mid-2024. Operating as part of the APT41 group, this entity utilizes sophisticated methods to infiltrate systems and gather sensitive information.
Infiltration Tactics and Techniques
Silver Dragon employs a strategic approach to breaching targeted systems. The group exploits vulnerabilities in publicly accessible internet servers and sends phishing emails containing harmful attachments. Once a system is compromised, they deploy Cobalt Strike beacons to establish control over the infected devices.
To communicate commands, Silver Dragon uses DNS tunneling, cleverly disguising their activities within regular network traffic to evade detection. This method, combined with their use of commercial tools, complicates early identification by security defenders.
Distinct Infection Chains
Analysts from Check Point have identified three separate infection chains utilized by Silver Dragon, all leading to the deployment of Cobalt Strike. One chain manipulates AppDomain hijacking, using malicious configuration files to execute alongside legitimate Windows binaries, ensuring persistence.
Another technique involves registering malicious DLLs as Windows services, under names like Bluetooth Update. Additionally, phishing emails with weaponized LNK attachments have been directed at government bodies in Uzbekistan, masquerading as official correspondence.
Advanced Tools and Techniques
Beyond Cobalt Strike, Silver Dragon employs a suite of custom tools for ongoing exploitation. SilverScreen, for instance, captures regular screenshots, while SSHcmd facilitates command execution and file transfers over secure shell. Evidence suggests these tools, with compilation timestamps aligning with the UTC+8 timezone, further indicate a Chinese origin.
The use of Google Drive as a command-and-control channel is another hallmark of Silver Dragon’s tactics. Their tool, GearDoor, routes malicious communications through Google Drive, making them indistinguishable from legitimate traffic. This method leverages file uploads and downloads to execute commands and manage infected machines discreetly.
Recommendations for Defense
Organizations are advised to monitor cloud storage, particularly Google Drive, for unusual activity. It’s crucial to review Windows services for any entries mimicking legitimate system names and enable detection measures for AppDomain hijacking.
Increased phishing awareness training is recommended for government personnel in the targeted regions. Blocking and monitoring of identified command-and-control domains and file hashes can also enhance security measures.
Stay updated with the latest cybersecurity developments by following us on Google News, LinkedIn, and X. Consider setting CSN as a preferred source for timely updates.
