Cybersecurity experts have revealed specifics about Silver Dragon, an advanced persistent threat (APT) group tied to cyber espionage attacks on governmental bodies in Europe and Southeast Asia since mid-2024. This group, operating under the APT41 umbrella, utilizes sophisticated methods like Cobalt Strike beacons and Google Drive for command-and-control (C2) activities.
Methods of Initial Access
Silver Dragon initially infiltrates systems through vulnerabilities in public-facing internet servers and phishing emails with harmful attachments, according to Check Point’s technical analysis. The group maintains its foothold by abusing legitimate Windows services, so that its malware processes blend into normal activity and go unnoticed.
Affiliated with APT41, a notorious Chinese hacking entity active since 2012, Silver Dragon focuses on sectors such as healthcare, telecommunications, and technology for cyber espionage. Additionally, it engages in financially motivated activities that may fall outside state directives.
Infection Chains and Techniques
Three main infection chains are used by Silver Dragon to deliver Cobalt Strike: AppDomain hijacking, service DLL, and phishing attacks. The first two are post-exploitation methods delivered as compressed archives, frequently following the breach of an exposed server. In both, a RAR archive contains a batch script that in turn deploys loaders such as MonikerLoader and BamboLoader.
The third chain, a phishing campaign, targets entities like those in Uzbekistan using malicious LNK files. These files execute PowerShell code, enabling further payload deployment, including decoy documents and malicious DLLs that launch Cobalt Strike.
Advanced Post-Exploitation Tools
Silver Dragon employs several tools for post-exploitation, such as SilverScreen for screen monitoring and SSHcmd for remote command execution. GearDoor, a .NET backdoor, communicates with Google Drive for C2 operations, using different file extensions to designate tasks and to report results.
The backdoor uploads system information as heartbeat files and executes commands received in specific file formats. Each operation’s outcomes are subsequently relayed back to the server, showcasing a complex and adaptable infrastructure.
Implications and Future Outlook
Silver Dragon’s association with APT41 is evident through shared tactics and tools, underscoring the group’s evolving capabilities in cyber warfare. Check Point highlights the group’s proficiency in exploiting vulnerabilities and deploying sophisticated communication methods. As cybersecurity threats grow more intricate, understanding and countering such threats become increasingly crucial for protecting sensitive governmental data.
