Cyber Security Threat Summary:
“An espionage threat group tracked as 'Redfly' hacked a national electricity grid organization in Asia and quietly maintained access to the breached network for six months. These new findings come from Symantec, who found evidence of ShadowPad malware activity in the organization's network between February 28 and August 3, 2023, along with keyloggers and specialized file launchers” (Bleeping Computer, 2023).
ShadowPad is a widely used trojan employed by many APT groups, but Symantec has observed Redfly using it exclusively against critical national infrastructure. The ShadowPad variant used in these attacks masquerades its components as VMware .exe and .dll files placed on the victim's filesystem. The malware achieves persistence by registering services with VMware-like names, which launch the malicious executables and DLLs on system reboot.
ShadowPad is a remote access trojan that supports data exfiltration, keystroke recording, file searching and file operations, and remote code execution. In the observed attacks, Redfly used a separate keylogging tool that wrote captured keystrokes to log files on the breached system, which the attackers retrieved manually. The group also used a tool called Packerloader, which loads and executes shellcode stored in AES-encrypted files to evade antivirus detection. In this intrusion Packerloader was used to modify a driver file's permissions and to produce credential dumps from the Windows registry; it was also used to wipe the Windows Security event log.
Redfly also used PowerShell to run commands that enumerate details of specific storage devices on the compromised system.
“For lateral movement, the hackers use DLL side-loading and legitimate executables, scheduled tasks executing legitimate binaries, and stolen credentials. Redfly also employed renamed versions of known tools, like ProcDump, to dump credentials from LSASS and then used them to authenticate on adjacent systems” (Bleeping Computer, 2023).
Security Officer Comments:
Symantec says the lengthy dwell time seen in this attack is typical of espionage actors, who infect systems and keep a low profile to collect as much information as possible. It is unclear whether the attackers intended to disrupt the power supply, but the potential for disruption is itself a significant threat.
This is not the first time researchers have found malware on energy sector systems. "Attacks against CNI targets are not unprecedented. Almost a decade ago, Symantec uncovered the Russian-sponsored Dragonfly group's attacks against the energy sector in the U.S. and Europe," concluded Symantec's report. The Sandworm group has also carried out attacks against electricity distribution networks in Ukraine, which directly impacted electricity supplies.
Attacks against electricity infrastructure can cause extensive damage, affecting customers, health and human safety, and can have a profound economic impact on an entire nation.
T1588.001 - Obtain Capabilities: Malware
ShadowPad is a modular remote access trojan (RAT) designed as a successor to the Korplug/PlugX trojan and was, for a period of time, sold in underground forums. Despite those origins as a publicly sold tool, it was on sale only for a very short time, reportedly to a handful of buyers, and it has since been closely linked to espionage actors.
T1078 - Valid Accounts
The attackers stole credentials and used them to compromise multiple computers on the organization's network.
T1036.004 - Masquerading: Masquerade Task or Service
The malware copied itself to disk under a VMware-themed path and registered the following service, masquerading as a VMware component to mask its purpose (there is no other evident association with VMware products):
- ServiceName: VMware Snapshot Provider Service
- DisplayName: VMware Snapshot Provider Service
- ServiceType: SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS
- StartType: SERVICE_AUTO_START
- BinaryPathName: C:\ProgramData\VMware\RawdskCompatibility\virtual\vmrawdsk[.]exe
Observed command lines (defanged as reported):
T1218.011 - System Binary Proxy Execution: Rundll32
Packerloader launched through rundll32, with its export name and a 32-character hexadecimal string passed as arguments:
rundll32 %TEMP%\packerloader[.]dll WorkProc E10ADC3949BA59ABBE56E057F20F883E
T1003.001 - OS Credential Dumping: LSASS Memory
A renamed copy of ProcDump (alg.exe) writing a full memory dump of LSASS:
alg[.]exe -accepteula -ma lsass[.]exe z1[.]dmp
T1053.005 - Scheduled Task/Job: Scheduled Task
A task created on a remote host (credentials redacted in the source) that runs a copy of the legitimate oleview.exe from a user's temp directory:
schtasks /create /s \\[REMOVED] /u [REMOVED] /P [REMOVED] /tr "CSIDL_PROFILE\[REMOVED]\appdata\local\temp\oleview[.]exe" /tn TrendView /st 07:30 /sc once /ru " " /f