New Wave of Espionage Activity Targets Asian Governments

Symantec details a new espionage campaign targeting Asian governments that uses DLL side-loading of legitimate software to load payloads, followed by credential theft and network-wide movement with a wide toolkit. The activity, spanning April–July 2022, hit a government-owned education-sector organization in Asia and leveraged living-off-the-land tools and multiple payloads to expand access and privileges.
#DLLSideLoading #BitdefenderCrashHandler #LadonGo #Mimikatz #ProcDump #ShadowPad #Korplug #PlugX #TrochilusRAT #QuasarRAT #APT41 #MustangPanda #ZeroLogon

Keypoints

  • Attackers use DLL side-loading to run malicious payloads via legitimate applications, a core initial access technique.
  • Credential theft is central, with Mimikatz and ProcDump used to harvest credentials from LSASS and related sources.
  • Network discovery and lateral movement rely on LadonGo, PsExec, and various network-scanning tools to identify and compromise additional hosts.
  • Living-off-the-land techniques and old but legitimate software (e.g., Crash Handler, calc.exe) are leveraged to load tools and evade detection.
  • Active Directory data access is pursued through NTDS dumps and AD snapshots to obtain user credentials and logs.
  • Privilege escalation occurs via Netlogon exploitation (CVE-2020-1472) and related domain compromises.
  • A broad payload ecosystem is deployed, including Infostealer.Logdatter and multiple RATs (PlugX/Korplug, TrochilusRAT, QuasarRAT) and Ladon.

MITRE Techniques

  • [T1574.001] DLL Side-Loading – A malicious DLL is placed in a directory where a legitimate application expects to find a DLL of that name; the attacker then runs the legitimate application (usually one they installed themselves), which loads and executes the payload. “a well-known technique that involves attackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application themselves (having installed it themselves in most cases). The legitimate application then loads and executes the payload.”
  • [T1003.001] Credential Dumping – The attackers use Mimikatz and ProcDump to steal credentials. “Once backdoor access is gained, the attackers use Mimikatz and ProcDump to steal credentials.”
  • [T1021.002] Remote Services: Windows Admin Shares – PsExec is used to run old versions of legitimate software and load additional malware via DLL side-loading on other machines. “They then use PsExec to run old versions of legitimate software, which are then used to load additional malware tools such as off-the-shelf RATS via DLL side-loading on other computers on the networks.”
  • [T1046] Network Service Scanning – Network scanning tools identify other computers of interest, such as those running RDP. “They then launched network scanning tools to find other computers … such as those running RDP.”
  • [T1021.001] Remote Services: Remote Desktop Protocol – Network scanning identifies RDP-enabled hosts, which are then exploited or logged into for lateral movement. “machines with RDP services running … to exploit or log in to those machines.”
  • [T1059.003] Windows Command Shell – Command prompts were opened during reloading of Crash Handler. “The attackers then launched several command prompts while reloading Crash Handler.”
  • [T1055] Process Injection – Code injection is used to load payloads into processes. “code injection: Reading a file and injecting the contained code into a process.”
  • [T1068] Exploitation for Privilege Escalation – The Netlogon vulnerability (CVE-2020-1472) is used to escalate privileges. “Netlogon vulnerability (CVE-2020-1472) against two other computers in the organization to elevate privileges.”
  • [T1003.003] NTDS – Mounting AD snapshots to access AD databases and logs. “mount snapshots of Active Directory servers in order to gain access to Active Directory databases and log files.”
  • [T1016] System Network Configuration Discovery – DNS enumeration via Dnscmd to list zones. “Dnscmd is a Microsoft command-line tool for managing DNS servers… The enumzones command is used to list the zones that exist on the specified DNS server.”
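As an added example, not code from Symantec's report: detection logic for two of the behaviours listed above, DLL side-loading (T1574.001) and LSASS credential dumping (T1003.001), run over constructed Sysmon-style events. The field names follow Sysmon Event ID 7 (ImageLoad) and Event ID 10 (ProcessAccess); the sample paths, the trusted-directory list and the access-mask set are assumptions to be tuned for a real environment.

```python
import ntpath

# Constructed Sysmon-style events (not real telemetry); file names follow the
# IoC list on this page, paths and access masks are made up for illustration.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\imjpuex.exe",
     "ImageLoaded": r"C:\Users\Public\imjputyc.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
    {"EventID": 10, "SourceImage": r"C:\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

# Directories where an unsigned DLL beside its loader is less suspicious (assumption).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
# Access masks that include VM_READ plus query rights, or full access; these are
# what memory-dumping tools typically request (assumption: tune locally).
LSASS_DUMP_MASKS = {0x1010, 0x1410, 0x1438, 0x1FFFFF}

def is_sideload(ev):
    """Event ID 7: unsigned DLL loaded from the loader's own, untrusted directory."""
    if ev.get("EventID") != 7:
        return False
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    unsigned = ev.get("Signed", "").lower() != "true"
    return unsigned and exe_dir == dll_dir and not exe_dir.startswith(TRUSTED_DIRS)

def is_lsass_dump_access(ev):
    """Event ID 10: a process opened lsass.exe with a memory-read capable mask."""
    if ev.get("EventID") != 10:
        return False
    if ntpath.basename(ev["TargetImage"]).lower() != "lsass.exe":
        return False
    return int(ev["GrantedAccess"], 16) in LSASS_DUMP_MASKS

def triage(events):
    """Return (rule, image) pairs for events worth an analyst's attention."""
    hits = []
    for ev in events:
        if is_sideload(ev):
            hits.append(("dll_sideload", ev["Image"]))
        elif is_lsass_dump_access(ev):
            hits.append(("lsass_access", ev["SourceImage"]))
    return hits
```

Calling `triage(SAMPLE_EVENTS)` flags the imjpuex.exe load and the procdump access to lsass.exe, and leaves the calc.exe and svchost.exe events alone.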

Indicators of Compromise

  • [IP] 88.218.193.76 – used to host malware
  • [IP] 8.214.122.199 – network activity associated with the campaign
  • [IP] 103.56.114.69 – network activity associated with the campaign
  • [IP] 27.124.17.222 – network activity associated with the campaign
  • [IP] 27.124.3.96 – network activity associated with the campaign
  • [SHA256] 386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd – Bitdefender Crash Handler (loading payload via side-loading)
  • [SHA256] 912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9 – Mimikatz
  • [SHA256] 12534f7014b3338d8f9f86ff1bbeacf8c80ad03f1d0d19077ff0e406c58b5133 – Ladon
  • [SHA256] 2f1520301536958bcf5c65516ca85a343133b443db9835a58049cd1694460424 – ProcDump
  • [File Name] imjpuex.exe – malicious loader used to initiate side-loading
  • [File Name] imjputyc.dll – DLL loaded by imjpuex.exe
  • [File Name] imjputyc.dat – payload loaded into memory
  • [Domain] REDACTED_DOMAIN – domain context used in DNS-related activity

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments