Chinese Espionage Group DEV-0147 Targets Diplomatic Entities in South America

Researchers have spotted yet another Chinese state-sponsored group, DEV-0147, targeting diplomatic entities in South America. The group uses typical espionage and exfiltration tools, including ShadowPad, a backdoor favored by several Chinese threat groups.

About DEV-0147

The Microsoft Security Intelligence team describes the campaign as an expansion of the group's operations. Traditionally, the threat actor is known for targeting government agencies and think tanks in Asia and Europe.
  • DEV-0147 has been observed deploying ShadowPad RAT for infiltration and persistence.
  • It also deployed a webpack loader tool, called QuasarLoader, that allows it to download and execute additional malware payloads on compromised hosts.
  • For data exfiltration and C2 communication, it used Cobalt Strike. Post-exploitation activities involved the abuse of on-premises identity infrastructure for further reconnaissance and lateral movement.
  • Experts suspect that the group uses phishing and exploits unpatched applications as initial attack vectors.

Chinese hackers love ShadowPad

In the past few years, several Chinese espionage groups have been observed leveraging ShadowPad backdoor for their attack campaigns.
  • An analysis of recent samples of ShadowPad indicates that it is used by several threat groups affiliated with the Chinese civilian intelligence agency Ministry of State Security (MSS) and the People's Liberation Army (PLA).
  • The distinct encryption algorithms found across multiple ShadowPad variants suggest that several Chinese groups, including Earth Lusca, Winnti (aka APT41), Tonto Team, and Space Pirates, each operate their own customized build of the backdoor with its own decryption routine.

Conclusion

DEV-0147 is yet another Chinese group, after Earth Lusca, Winnti, Tonto Team, and Space Pirates, leveraging ShadowPad for its attacks, which indicates that the tool continues to serve these actors well. Organizations are therefore advised to monitor for the known TTPs associated with the ShadowPad backdoor and the other tools used by these groups in order to stay ahead of the threat.
Cyware Publisher