Ink Dragon Compromised IIS Networks to Relay ShadowPad Malware

A Chinese hacking group is using compromised European government networks as relay nodes to route commands and support other hacking operations.
Security firm Check Point attributed the campaign to a Chinese cyberespionage group it tracks as “Ink Dragon.” The latest campaign is the first time the group has been observed targeting European networks. Previously, it mainly targeted victims in Asia and South America.
A key aspect of Ink Dragon’s tradecraft, the firm said, is its use of compromised organizations for command and control. “As a result, we have observed European victims being leveraged to launch activity not only against additional European institutions, but also against targets in Africa and Southeast Asia.”
The campaign began with the attackers exploiting flaws in web-facing applications, including the ToolShell exploit chain against Microsoft SharePoint (see: Breach Roundup: Did China Have a Sneak Peek Into ToolShell?).
Hackers also performed ASP.NET ViewState code injection. ViewState is the serialized page and control state that ASP.NET round-trips through a hidden form field so that a page's controls keep their values between requests; an attacker who holds the application's machineKey can sign (and, where required, encrypt) a crafted ViewState blob that deserializes into attacker-controlled code when the server loads it.
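The defensive counterpart to the ViewState technique is knowing which sites on a host carry the preconditions for forgery. The following PowerShell audit is an added example, not code from the article or from Check Point's report. It assumes an elevated session on the IIS host with the WebAdministration module that ships with IIS, and it treats a static validationKey or decryptionKey in web.config (rather than the default "AutoGenerate,IsolateApps") as the secret an attacker would need to leak; the flags it reports are the reviewer's own choice of risk indicators.

```powershell
# Added example (not from the Check Point report): list, per IIS site, the machineKey
# and <pages> settings that decide whether forged ViewState would be accepted.
# Assumptions: elevated PowerShell on the IIS host; WebAdministration module present.
Import-Module WebAdministration

function Get-ViewStateRisk {
    foreach ($site in Get-Website) {
        $psPath = "IIS:\Sites\$($site.Name)"
        # Effective (merged) configuration for the site: machine.config -> applicationHost -> web.config
        $mk    = Get-WebConfiguration -Filter 'system.web/machineKey' -PSPath $psPath
        $pages = Get-WebConfiguration -Filter 'system.web/pages'      -PSPath $psPath

        # A static key is what an attacker must obtain to sign a malicious ViewState;
        # a disabled MAC or a weak validation algorithm lowers the bar further.
        $staticValidation = $mk.validationKey -notlike 'AutoGenerate*'
        $staticDecryption = $mk.decryptionKey -notlike 'AutoGenerate*'
        $macDisabled      = -not [bool]$pages.enableViewStateMac
        $weakValidation   = $mk.validation -in @('MD5', 'SHA1')

        $reasons = @()
        if ($staticValidation) { $reasons += 'static validationKey (forgeable if leaked)' }
        if ($staticDecryption) { $reasons += 'static decryptionKey' }
        if ($macDisabled)      { $reasons += 'enableViewStateMac=false' }
        if ($weakValidation)   { $reasons += "validation=$($mk.validation)" }

        [pscustomobject]@{
            Site                = $site.Name
            Validation          = $mk.validation
            Decryption          = $mk.decryption
            ViewStateEncryption = $pages.viewStateEncryptionMode
            Findings            = ($reasons -join '; ')
        }
    }
}

Get-ViewStateRisk | Format-Table -AutoSize
```

A static machineKey is not by itself a vulnerability (web farms need one so every node validates the same ViewState); the risk materialises when the key leaks through another bug. Once a key is suspected compromised, the remediation is to rotate it, since a new validationKey invalidates every ViewState signed with the old one.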
To build the relay networks, the attackers deployed ShadowPad, a backdoor platform long associated with Chinese state-sponsored hacking. Rather than opening its own listening port, as most backdoors do, the Ink Dragon ShadowPad variant registers new URL prefixes directly with the Windows HTTP Server API (http.sys) through the HttpAddUrl function. Because http.sys hands each incoming request to whichever process registered the matching prefix, the implant can share the port with the legitimate Internet Information Services site: ordinary requests receive normal-looking responses, while requests meant for the backdoor are routed to the implant.
“The result is a hard-to-detect implant that blends into the server’s normal traffic patterns while retaining full control over its hidden C2 channel,” Check Point researchers said.
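Because the implant registers with http.sys rather than binding a socket of its own, the place to look for it is the kernel HTTP service's own registration table. The PowerShell hunt below is an added example, not code from the article or from Check Point's report. It assumes an elevated session on the IIS host, the text layout of `netsh http show servicestate view=requestq` (each request queue lists its "Process IDs:" before the "Registered URLs:" of its URL groups), and a process allow-list that must be tuned to the host; both the layout handling and the allow-list are assumptions.

```powershell
# Added example (not from the Check Point report): enumerate URL prefixes registered with
# HTTP.sys and flag any whose owning process is not an expected Windows/IIS listener.
# Assumptions: elevated PowerShell; netsh output layout as described in the lead-in;
# allow-list below tuned per host (e.g. remove w3wp where IIS is not installed).
$expectedOwners = @('w3wp', 'svchost', 'System', 'inetinfo')

function Get-SuspiciousHttpListeners {
    $state  = netsh http show servicestate view=requestq verbose=yes
    $pids   = @()
    $inPids = $false
    $inUrls = $false

    foreach ($raw in $state) {
        $line = $raw.Trim()

        # A new request queue starts a fresh PID set; its URL groups follow.
        if ($line -eq 'Process IDs:')     { $pids = @(); $inPids = $true;  $inUrls = $false; continue }
        if ($line -eq 'Registered URLs:') { $inUrls = $true;  $inPids = $false; continue }

        if ($inPids) {
            if ($line -match '^[\d,\s]+$') {
                # PIDs may be printed one per line or separated by commas/spaces.
                $pids += ($line -split '[,\s]+' | Where-Object { $_ } | ForEach-Object { [int]$_ })
                continue
            }
            $inPids = $false
        }

        if ($inUrls) {
            if ($line -notmatch '^HTTPS?://') { $inUrls = $false; continue }
            foreach ($p in $pids) {
                $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
                $name = if ($proc) { $proc.ProcessName } else { 'exited' }
                if ($expectedOwners -notcontains $name) {
                    [pscustomobject]@{
                        Url      = $line
                        OwnerPid = $p
                        Process  = $name
                        Path     = $proc.Path
                    }
                }
            }
        }
    }
}

Get-SuspiciousHttpListeners | Format-Table -AutoSize
```

The allow-list catches an implant running in its own process. An implant injected into w3wp.exe would pass it, so the second signal to apply is the prefix itself: compare every registered URL against the bindings of the configured IIS sites (`Get-WebBinding`) and treat any prefix that no site accounts for as worth a closer look.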
In some cases, the attackers used the compromised European networks as a hop: an access node for ShadowPad clients active in other target environments.
Hackers also deployed a previously unseen version of FinalDraft, a remote access Trojan that abuses the Outlook mail functions of the Microsoft Graph API to intercept OAuth tokens and to hide command-and-control traffic inside legitimate cloud mail flows.
“It blends its traffic into legitimate cloud and email communication channels, allowing the group to operate inside networks for extended periods without raising suspicion,” Eli Smadja, group manager at Check Point Research, said of the FinalDraft variant. The malware is “purpose-built for silent, long-term espionage.”
The Ink Dragon activities align with the broader Chinese intelligence objective of long-term espionage focused on sectors of strategic value such as government and public service infrastructure networks, Smadja said.
