Ethical Hacking News
Chinese-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware, a previously unknown threat activity cluster that targeted European organizations, particularly those in the healthcare sector, to deploy PlugX and its successor, ShadowPad, with the intrusions ultimately leading to deployment of a ransomware called NailaoLocker.
Researchers at Orange Cyberdefense CERT identified a new threat activity cluster targeting European healthcare organizations with PlugX, ShadowPad, and NailaoLocker malware. The attack exploited a vulnerable Check Point security flaw (CVE-2024-24919) to gain initial access and deploy malware via DLL side-loading. ShadowPad is a privately sold malware exclusively used by Chinese espionage actors since 2015, featuring sophisticated obfuscation and anti-debug measures. The NailaoLocker ransomware is relatively unsophisticated and poorly designed, with its use of "usysdiag.exe" to sideload payloads previously observed in other attacks. Organizations are advised to patch vulnerable security products, implement robust intrusion detection and prevention systems, and conduct regular vulnerability scans to minimize the impact of such incidents.
In a concerning development, researchers at Orange Cyberdefense CERT have identified a previously unknown threat activity cluster that targeted European organizations, particularly those in the healthcare sector, to deploy PlugX and its successor, ShadowPad, with the intrusions ultimately leading to deployment of a ransomware called NailaoLocker. The campaign, codenamed Green Nailao, involved the exploitation of a new-patched security flaw in Check Point network gateway security products (CVE-2024-24919, CVSS score: 7.5).
The initial access afforded by exploitation of vulnerable Check Point instances is said to have allowed the threat actors to retrieve user credentials and to connect to the VPN using a legitimate account. In the next stage, the attackers carried out network reconnaissance and lateral movement via remote desktop protocol (RDP) to obtain elevated privileges, followed by executing a legitimate binary ("logger.exe") to sideload a rogue DLL ("logexts.dll") that then serves as a loader for a new version of the ShadowPad malware.
Previous iterations of the attacks detected in August 2024 have been found to leverage similar tradecraft to deliver PlugX, which also employs DLL side-loading using a McAfee executable ("mcoemcpy.exe") to sideload "McUtil.dll." Like PlugX, ShadowPad is a privately sold malware that's exclusively used by Chinese espionage actors since at least 2015. The variant identified by Orange Cyberdefense CERT features sophisticated obfuscation and anti-debug measures, alongside establishing communication with a remote server to create persistent remote access to victim systems.
Once again, the DLL file is sideloaded via "usysdiag.exe" to decrypt and trigger the execution of NailaoLocker, a C++-based ransomware that encrypts files, appends them with a ".locked" extension, and drops a ransom note that demands victims to make a bitcoin payment or contact them at a Proton Mail address. Researchers Marine Pichon and Alexis Bonnefoi have noted that "NailaoLocker is relatively unsophisticated and poorly designed, seemingly not intended to guarantee full encryption." The malware does not scan network shares, it does not stop services or processes that could prevent the encryption of certain important files, [and] it does not control if it is being debugged.
The use of "usysdiag.exe" to sideload next-stage payloads has been previously observed in attacks mounted by a China-linked intrusion set tracked by Sophos under the name Cluster Alpha (aka STAC1248). While the exact goals of the espionage-cum-ransomware campaign are unclear, it's suspected that the threat actors are looking to earn quick profits on the side.
"This could help explain the sophistication contrast between ShadowPad and NailaoLocker, with NailaoLocker sometimes even attempting to mimic ShadowPad's loading techniques," the researchers said. "While such campaigns can sometimes be conducted opportunistically, they often allow threat groups to gain access to information systems that can be used later to conduct other offensive operations."
The campaign is attributed to a Chinese-aligned threat actor owing to the use of the ShadowPad implant, the use of DLL side-loading techniques, and the fact that similar ransomware schemes have been attributed to another Chinese threat group dubbed Bronze Starlight.
In light of this new threat activity cluster, it is essential for organizations, particularly those in the healthcare sector, to take immediate action to strengthen their security posture. This includes patching vulnerable Check Point instances, implementing robust intrusion detection and prevention systems, and conducting regular vulnerability scans to identify potential weaknesses before they can be exploited by attackers.
Furthermore, the use of endpoint protection software that can detect and respond to ransomware attacks is crucial in minimizing the impact of such incidents. Organizations should also ensure that their backup systems are regularly tested and verified to prevent data loss in case of an attack.
In conclusion, the ShadowPad and NailaoLocker campaign highlights the growing threat landscape of Chinese-linked attackers exploiting vulnerabilities in security products to deploy malware and ransomware. It is essential for organizations to stay vigilant and take proactive measures to strengthen their security posture against such threats.
Related Information:
https://thehackernews.com/2025/02/chinese-linked-attackers-exploit-check.html
https://nvd.nist.gov/vuln/detail/CVE-2024-24919
https://www.cvedetails.com/cve/CVE-2024-24919/
Published: Thu Feb 20 07:37:15 2025 by llama3.2 3B Q4_K_M
