Symantec’s Threat Hunter Team links the Redfly espionage group to a ShadowPad-based intrusion targeting a national grid in Asia, with credentials stolen and multiple hosts compromised over a period of up to six months. The campaign features a ShadowPad variant, Packerloader for shellcode delivery, DLL side-loading via a legitimate VMware-related binary, a keylogger, and extensive credential dumping, echoing prior APT activity against critical infrastructure. #ShadowPad #Redfly #APT41 #BrassTyphoon #WickedPanda #Winnti #RedEcho #VoltTyphoon #NationalGrid
Keypoints
- Redfly conducted a ShadowPad-based intrusion against a national grid in an Asian country, maintaining presence for up to six months and stealing credentials across multiple machines.
- ShadowPad is described as a modular remote access Trojan linked to various espionage actors, with connections to prior campaigns attributed to APT41 and related clusters.
- A distinct ShadowPad variant used a domain websencl[.]com for command-and-control (C2).
- Persistence was achieved by creating a Windows service named “VMware Snapshot Provider Service” that starts on boot.
- Shellcode delivery and payload loading relied on Packerloader, which decrypts scripts/payloads via AES-ECB using a key retrieved from registry or a temp file.
- The attackers deployed a keylogger (e.g., winlogon.exe, hphelper.exe) and performed extensive credential dumping (registry hives and LSASS) across the intrusion timeline.
MITRE Techniques
- [T1071.001] Web Protocols – Used a domain for C2; “It utilized the domain websencl[.]com for command-and-control (C&C) purposes.”
- [T1543.003] Create or Modify System Process – Persistence via a Windows service: “ServiceName: VMware Snapshot Provider Service” that starts on boot.
- [T1574.002] DLL Side-loading – DLL side-loading using displayswitch.exe: “a legitimate binary named displayswitch.exe was executed. It was likely being used to perform DLL side-loading.”
- [T1053.005] Scheduled Task – Lateral movement / persistence via a scheduled task named TendView: “schtasks /create … /tr …”
- [T1059.003] Windows Command Shell – Batch file execution: “a suspicious Windows batch file (file name: 1.bat) was executed.”
- [T1059.001] PowerShell – Script execution: “powershell -executionpolicy ByPass -command …”
- [T1003.001] OS Credential Dumping – LSASS dumping via ProcDump: “alg.exe -accepteula -ma lsass.exe z1.dmp”
- [T1003.004] Credential Dumping from Registry – Registry hive dumps: “reg save HKLM\SYSTEM system.save” and related keys.
- [T1027] Obfuscated/Compressed Files and Information – Payload decryption with AES-ECB: “decrypt the loaded payload with the AES algorithm in ECB mode …”
- [T1036] Masquerading – Masquerading as VMware files/directories: “masquerading as VMware files and directories to mask its purpose.”
- [T1056] Input Capture – Keylogging: “The attackers also employed a keylogger, which was installed …”
- [T1082] System Information Discovery – Disk/storage discovery via Get-WmiObject Win32_LogicalDisk: “gather information on the storage devices attached to the system.”
- [T1562.001] Impair Defenses: Clear Windows Event Logs – Clearing logs via wevtutil: “wevtutil cl security”
- [T1550.002] Credentials in Registry – Credentials dumped from registry hives via reg save: “reg save HKLM\SAM sam.save”
- [T1036] Masquerading (additional) – Use of VMware-related file names and directories to hide activity: “C:\ProgramData\VMware\RawdskCompatibility\virtual\vmrawdsk.exe”
- [T1070.004] File Deletion or Inhibit System Recovery – Clearing event logs indicates attempts to hinder detection: “clear the Windows security event logs.”
- [T1036] Virtualization/VMware Referencing – Files named as VMware-related artifacts to mask activity.
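The techniques above are mostly visible as process command lines, a service installation, and a DNS query, so they can be hunted in endpoint telemetry. The script below is an added example written for this summary, not Symantec’s code: it runs a handful of rules over constructed, Sysmon-style log lines (the pipe-separated `PROC|image|commandline`, `SVC|name|path` and `DNS|query` layout is an assumption, as is the “executables under ProgramData\VMware” masquerading heuristic). The rules key on arguments rather than binary names, because the attackers ran ProcDump under renamed file names such as alg.exe and yara32.exe.

```python
"""Hunt rules for the Redfly/ShadowPad tradecraft described in the summary.

Added example, not part of the original post. The log format and sample
lines are constructed; the VMware-path heuristic is an assumption to tune.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    tag: str      # short rule name
    detail: str   # what the rule means for an analyst
    line: str     # the telemetry line that fired


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as websencl[.]com back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Domain quoted in the summary as the ShadowPad variant's C2 domain.
C2_DOMAINS = {refang("websencl[.]com")}

# Service name quoted in the summary as the persistence mechanism.
PERSISTENCE_SERVICE = "vmware snapshot provider service"

# Command-line rules; each matches a behaviour quoted in the summary.
PROC_RULES = [
    ("lsass_dump", "ProcDump-style LSASS memory dump (binary may be renamed)",
     re.compile(r"-accepteula\s+-ma\s+lsass(\.exe)?", re.I)),
    ("hive_save", "registry hive saved to disk for offline credential extraction",
     re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    ("log_clear", "security event log cleared with wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+security\b", re.I)),
    ("sched_task", "scheduled task created with schtasks",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("ps_bypass", "PowerShell started with execution policy bypass",
     re.compile(r"powershell.*-executionpolicy\s+bypass", re.I)),
    ("disk_discovery", "storage enumeration via Get-WmiObject Win32_LogicalDisk",
     re.compile(r"Get-WmiObject\s+Win32_LogicalDisk", re.I)),
]

# Assumption: VMware ships its executables under Program Files, so an .exe or
# .dll under ProgramData\VMware is worth a look. Tune for your environment.
VMWARE_MASQ = re.compile(r"^[A-Z]:\\ProgramData\\VMware\\.*\.(exe|dll)$", re.I)


def _is_c2_query(query: str) -> bool:
    q = query.strip().lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def scan_line(line: str) -> List[Finding]:
    """Apply every rule to one telemetry line and return the findings."""
    kind, _, rest = line.partition("|")
    findings: List[Finding] = []
    if kind == "PROC":
        image, _, cmd = rest.partition("|")
        for tag, detail, rx in PROC_RULES:
            if rx.search(cmd):
                findings.append(Finding(tag, detail, line))
        if VMWARE_MASQ.search(image.strip()):
            findings.append(Finding("vmware_masquerade",
                                    "executable masquerading as a VMware component", line))
    elif kind == "SVC":
        name, _, path = rest.partition("|")
        if name.strip().casefold() == PERSISTENCE_SERVICE:
            findings.append(Finding("service_persist",
                                    "service name matches the Redfly persistence service", line))
        if VMWARE_MASQ.search(path.strip()):
            findings.append(Finding("vmware_masquerade",
                                    "service binary masquerading as a VMware component", line))
    elif kind == "DNS":
        if _is_c2_query(rest):
            findings.append(Finding("c2_domain", "query for a known ShadowPad C2 domain", line))
    return findings


def scan(lines) -> List[Finding]:
    return [f for line in lines for f in scan_line(line)]


# Constructed sample telemetry mirroring the commands quoted in the summary.
SAMPLE_LOG = [
    r"PROC|C:\Windows\Temp\alg.exe|alg.exe -accepteula -ma lsass.exe z1.dmp",
    r"PROC|C:\Windows\System32\reg.exe|reg save HKLM\SAM sam.save",
    r"PROC|C:\Windows\System32\wevtutil.exe|wevtutil cl security",
    r"PROC|C:\Windows\System32\schtasks.exe|schtasks /create /tn TendView /tr C:\Windows\Temp\1.bat",
    r"PROC|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -executionpolicy ByPass -command Get-WmiObject Win32_LogicalDisk",
    r"PROC|C:\ProgramData\VMware\RawdskCompatibility\virtual\vmrawdsk.exe|vmrawdsk.exe",
    r"PROC|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
    r"SVC|VMware Snapshot Provider Service|C:\ProgramData\VMware\RawdskCompatibility\virtual\vmrawdsk.exe",
    r"DNS|websencl.com",
    r"DNS|update.microsoft.com",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.tag}] {f.detail}\n    {f.line}")
```

Two findings on the same host within a short window (for example `hive_save` followed by `log_clear`) are a stronger signal than any single rule, so in practice these tags would feed a correlation rule rather than page on their own.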
Indicators of Compromise
- [Domain] websencl[.]com – C2 domain used by ShadowPad variant
- [File name] virtual\vmrawdsk.exe, virtual\mscoree.dll – masquerading as VMware components
- [File] tmp.bin – payload storage candidate
- [Registry] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\PublishedMessage\OfflineCache, value “AKey” – used to derive the decryption key
- [Registry] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\PublishedMessage\OfflineCache, value “SData” – payload source
- [File] packerloader.dll – loader used to decrypt and execute shellcode
- [File] 1.bat – Windows batch file used in intrusion
- [File] displayswitch.exe – used for DLL side-loading
- [File] oleview.exe – executed via scheduled task as part of lateral movement
- [File] alg.exe – renamed ProcDump used for LSASS dumping
- [File] yara32.exe – renamed ProcDump used for LSASS dumping
- [File] winlogon.exe, hphelper.exe – keylogger variants
- [Service] VMware Snapshot Provider Service – persistence mechanism
- [Log/Command] wevtutil cl security – clearing security logs to cover tracks
Read more: https://symantec-enterprise-blogs.security.com/threat-intelligence/critical-infrastructure-attacks