Cyber Security Threat Summary:
An espionage threat group tracked as 'Redfly' hacked a national electricity grid organization in Asia and quietly maintained access to the breached network for six months. These new findings come from Symantec, who found evidence of ShadowPad malware activity in the organization's network between February 28 and August 3, 2023, along with keyloggers and specialized file launchers” (Bleeping Computer, 2023).

ShadowPad is a widely used trojan in use by many APT groups, but Symantec has tracked Redfly using this malware exclusively to attack critical national infrastructure. The variant of ShadowPad used in these attacks masquerades it’s components as exe or dll VMware files, placing them on the victim’s filesystem. The malware achieves persistence by creating services named after VMware, and launches the malicious executables and DLLs upon system reboot.

ShadowPad is a remote access trojan that supports data exfiltration, keystroke recording, file searching and file operations, and allows for remote code execution. In the observed attacks, Redfly used a separate keylogging tool that captured keystrokes in log files on the breached system, which the attackers retrieved manually. The group also used a tool called Packerloader, which loads and executed shellcode inside AES encrypted files to evade antivirus detection. The tool was used in this case to modify a driver file’s permissions, which created credential dumps in the Windows registry, it was also used to wipe Windows security event logs.

Redfly also uses PowerShell to execute commands that help them gather details about specific storage devices on the compromised system.

“For lateral movement, the hackers use DLL side-loading and legitimate executables, scheduled tasks executing legitimate binaries, and stolen credentials. Redfly also employed renamed versions of known tools, like ProcDump, to dump credentials from LSASS and then use them to authenticate on adjacent systems” (Bleeping Computer, 2023).

Security Officer Comments:
Symantec says the lengthy dwell time seen in this attack is common with espionage actors who infect systems and keep a low profile to collect as much information as possible. It is unclear if the attackers actually intended to disrupt the power supply, but the potential risk poses a significant threat.

This is not the first time researchers have found malware on energy sector systems. "Attacks against CNI targets are not unprecedented. Almost a decade ago, Symantec uncovered the Russian-sponsored Dragonfly group's attacks against the energy sector in the U.S. and Europe," concluded Symantec's report. The Sandworm group has also carried out attacks against electricity distribution networks in Ukraine, which directly impacted electricity supplies.

Attacks against electricity infrastructure can cause extensive damages, impacting customers, health and human safety, and could have a profound economic impact for an entire nation.

MITRE ATT&CK:

T1588.001 - Obtain Capabilities: Malware ShadowPad is a modular remote access Trojan (RAT) that was designed as a successor to the Korplug/PlugX Trojan, and was, for a period of time, sold in underground forums. However, despite its origins as a publicly available tool, it was only sold publicly for a very short time reportedly to a handful of buyers. It has since been closely linked to espionage actors.

T1078 - Valid Accounts The attackers managed to steal credentials and compromise multiple computers on the organization’s network.

T1036.004 - Masquerading: Masquerade Task or Service It copied itself to disk in the following locations, masquerading as VMware files and directories to mask its purpose (there is no other evident association with VMware products):

• C:\ProgramData\VMware\RawdskCompatibility\virtual\vmrawdsk[.]exe
• C:\ProgramData\VMware\RawdskCompatibility\virtual\mscoree[.]dll

T1543.003 - Create or Modify System Process: Windows Service Persistence is achieved by creating a service that is configured to start with Windows on boot-up:

• ServiceName: VMware Snapshot Provider Service
• DisplayName: VMware Snapshot Provider Service
• ServiceType: SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS
• StartType: SERVICE_AUTO_START
• BinaryPathName: C:\ProgramData\VMware\RawdskCompatibility\virtual\vmrawdsk[.]exe

T1218.011 - System Binary Proxy Execution: Rundll32 A suspicious Windows batch file (file name: 1[.]bat) was executed. Shortly afterwards, PackerLoader was executed via rundll32 from the %TEMP% directory with some command-line arguments:

rundll32 %TEMP\%packerloader[.]dll WorkProc E10ADC3949BA59ABBE56E057F20F883E

T1059.001 - Command and Scripting Interpreter: PowerShell Several hours later a suspicious PowerShell command was executed and used to gather information on the storage devices attached to the system. Specifically it was designed to look for DriveType=3 (Read/Write Supported) and gather details on available space. T1003.001 - OS Credential Dumping: LSASS Memory The attackers returned and used a renamed version of ProcDump (file name: alg.exe) to dump credentials from LSASS.

alg[.]exe -accepteula -ma lsass[.]exe z1[.]dmp

T1053.005 - Scheduled Task/Job: Scheduled Task A scheduled task is used to execute oleview[.]exe, mostly likely to perform side-loading and laterally movement. Use of Oleview by ShadowPad has been previously documented by Dell Secureworks and was also reported to have been used in attacks against industrial control systems. The command specified that Oleview was to be executed on a remote machine using the task name (TendView) at 07:30 a.m. It appears the attackers likely used stolen credentials in order to spread their malware onto other machines within the network.

schtasks /create /s \\[REMOVED] /u [REMOVED] /P [REMOVED] /tr "CSIDL_PROFILE\[REMOVED]\appdata\local\temp\oleview[.]exe" /tn TrendView /st 07:30 /sc once /ru " " /f

T1056.001 - Input Capture: Keylogging The attackers also employed a keylogger, which was installed under various file names on different computers, including winlogon[.]exe and hphelper[.]exe. The keylogger was configured to store captured keystrokes in the following location:

%SYSTEMROOT%\Intel\record[.]log

T1071.001 - Application Layer Protocol: Web Protocols A distinct variant of the ShadowPad Trojan was used in this attack. It utilized the domain websencl[.]com for command-and-control (C&C) purposes.

Link(s):
https://symantec-enterprise-blogs
https://www.bleepingcomputer.com/ne...ltrated-power-suppliers-network-for-6-months/