Pakistani Entities Targeted in Advanced Supply-Chain Attack with ShadowPad Malware
In a sophisticated cyber attack, Pakistani entities fell victim to a supply-chain attack that delivered ShadowPad malware through a compromised application.
The incident affected a Pakistan government entity, a public sector bank, and a telecommunications provider.
The attack involved tampering with a legitimate software application used by these targets, allowing the threat actor to access sensitive information from compromised systems.
Key Takeaways on Supply-Chain Attack with ShadowPad Malware:
- Pakistani entities targeted in a supply-chain attack deploying ShadowPad malware.
- A compromised application used by multiple entities served as the delivery vehicle for the malware.
- Attribution remains challenging; the activity is potentially linked to Chinese threat actors.
A recent cyber attack in Pakistan has raised concerns, as multiple entities, including a government agency, a public sector bank, and a telecommunications provider, have been targeted by an unidentified threat actor.
The attack involved the deployment of ShadowPad malware, known for its association with Chinese hacking groups, through a tampered application.
Trend Micro, a cybersecurity company, discovered the attack, which took place between mid-February 2022 and September 2022 and is suspected to be a supply-chain attack.
A Closer Look at the Supply-Chain Attack
In a supply-chain attack, attackers compromise a legitimate software application used by specific targets.
In this case, the threat actor abused the E-Office application, which the National Information Technology Board (NITB) of Pakistan developed to help government departments transition to paperless operations.
The backdoored E-Office installer served as the delivery mechanism for the ShadowPad malware, enabling the attacker to collect sensitive data from the infected systems.
Unraveling the Attack Chain
The attack chain began with three files added to the legitimate MSI installer: Telerik.Windows.Data.Validation.dll, mscoree.dll, and mscoree.dll.dat.
Using DLL side-loading, the attackers had the valid, Microsoft-signed applaunch.exe load their mscoree.dll. That DLL then loaded mscoree.dll.dat, which houses the ShadowPad payload.
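The following Python heuristic is an added example (not code from the article or from Trend Micro's report) showing how a defender could flag this side-loading chain in Sysmon-style image-load events and spot the three dropped file names in an install directory listing. The trusted-path constants are assumed Windows defaults, and the event records and directory listing are constructed samples.

```python
import ntpath

# File names the article says were added to the tampered E-Office MSI installer.
DROPPED_FILES = {"telerik.windows.data.validation.dll", "mscoree.dll", "mscoree.dll.dat"}
# Assumed legitimate locations on a default Windows install: mscoree.dll ships in the
# system directories and applaunch.exe lives under the .NET Framework directory.
TRUSTED_MSCOREE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TRUSTED_APPLAUNCH_ROOT = r"c:\windows\microsoft.net\framework"


def _dir(path):
    return ntpath.dirname(path).lower()


def _name(path):
    return ntpath.basename(path).lower()


def sideload_reasons(event):
    """Return the reasons an image-load event (Image loads ImageLoaded) matches the chain."""
    image, loaded = event["Image"], event["ImageLoaded"]
    reasons = []
    if _name(loaded) == "mscoree.dll" and _dir(loaded) not in TRUSTED_MSCOREE_DIRS:
        reasons.append(f"mscoree.dll loaded from untrusted path: {loaded}")
    if _name(image) == "applaunch.exe" and not _dir(image).startswith(TRUSTED_APPLAUNCH_ROOT):
        reasons.append(f"applaunch.exe running outside the .NET Framework directory: {image}")
    if _name(image) == "applaunch.exe" and _name(loaded) == "mscoree.dll" and _dir(image) == _dir(loaded):
        reasons.append("applaunch.exe resolved mscoree.dll from its own directory (side-load pattern)")
    return reasons


def scan_events(events):
    """Return [(image, reasons)] for every event that matched at least one heuristic."""
    hits = [(e["Image"], sideload_reasons(e)) for e in events]
    return [(img, r) for img, r in hits if r]


def dropped_files_present(filenames):
    """Given file names from an install directory listing, return the dropped names found."""
    return sorted(DROPPED_FILES & {n.lower() for n in filenames})


# Constructed Sysmon Event ID 7 (ImageLoad) style records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll"},
    {"Image": r"C:\Program Files\E-Office\applaunch.exe",
     "ImageLoaded": r"C:\Program Files\E-Office\mscoree.dll"},
    {"Image": r"C:\Program Files\E-Office\EOffice.exe",
     "ImageLoaded": r"C:\Program Files\E-Office\Telerik.Windows.Data.Validation.dll"},
]
# Constructed listing of a hypothetical E-Office install directory.
SAMPLE_LISTING = ["EOffice.exe", "applaunch.exe", "mscoree.dll", "mscoree.dll.dat",
                  "Telerik.Windows.Data.Validation.dll"]

if __name__ == "__main__":
    for image, reasons in scan_events(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
    print("dropped files present:", dropped_files_present(SAMPLE_LISTING))
```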
Attribution and Connection to Chinese Threat Actors
The attribution of the attack remains challenging due to a lack of concrete evidence. However, similarities in techniques used suggest a possible link to Chinese threat actors.
Although no specific group can be identified with certainty, the presence of ShadowPad in this campaign points to a potential connection to Chinese hacking groups. The attackers’ capabilities and use of recent versions of ShadowPad reinforce this possibility.
Post-Exploitation Activities and Mimikatz
Following the initial compromise, the attackers utilized Mimikatz to extract passwords and credentials from the compromised systems.
This post-exploitation activity suggests a comprehensive and well-planned attack.
The Impact and Response
The attack highlights the need for heightened security measures and vigilance in the face of evolving cyber threats.
Cybersecurity experts urge organizations to remain cautious and employ robust security protocols to safeguard their systems against such attacks.
Conclusion
The cyber attack targeting Pakistani entities with ShadowPad malware through a supply-chain attack raises concerns about the vulnerability of critical systems.
As attribution remains challenging, it is vital for organizations to bolster their cybersecurity measures and adopt proactive approaches to thwart potential attacks.