Cyber Security Threat Summary:
“An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that's commonly associated with Chinese hacking crews. Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022. The cybersecurity company said the incident could be the result of a supply-chain attack, in which a legitimate piece of software used by targets of interest is trojanized to deploy malware capable of gathering sensitive information from compromised systems” (The Hacker News, 2023).

According to Trend Micro, the threat actors are promoting malicious installers for E-Office which is an application developed by the National Information Technology Board (NITB) of Pakistan to help government departments go paperless. Although it’s unclear how the malicious installers are being distributed, this could be via means of social engineering or phishing emails.

Security Officer Comments:
It seems as though the threat obtained the legitimate installer for E-Office and tampered with it to contain malicious executables. Researchers note three files were added to the installer: Telerik[.]Windows[.]Data[.]Validation[.]dll, mscoree[.]dll, and mscoree[.]dll[.]dat,

“Telerik[.]Windows[.]Data[.]Validation[.]dll is a valid applaunch.exe file signed by Microsoft, which is vulnerable to DLL side-loading and is used to sideload mscoree.dll that, in turn, loads mscoree.dll.dat, the ShadowPad payload” (The Hacker News, 2023).

Although attribution to a known threat group is currently unclear, ShadowPad has been used by several Chinese threat actors including Earth Akhlut or Earth Lusca. Furthermore, the fact that a modified version of a government application installer was used, suggests that the threat actors are very capable in terms of sophistication.

Suggested Correction(s):
Be wary when downloading software from online, as threat actors will typically host domains offering free software which in reality are infected with malicious executables. Before downloading software, users should ensure it comes from a reputable source. Furthermore, users can also scan these files with anti-virus solutions before proceeding to the installation phase.

IOCs:
https://www.sonicwall.com/support/

Link(s):
https://thehackernews.com/2023/07/pakistani-entities-targeted-in.html