A recent report by Symantec’s Threat Hunter Team has shed light on a particularly concerning campaign by a threat actor group dubbed Redfly. This group has been actively compromising critical infrastructure, including a national grid in Asia, using the ShadowPad Trojan. This post aims to dissect the tactics, techniques, and procedures (TTPs) employed by Redfly and offer actionable insights for CNI organizations to bolster their cybersecurity posture.
The ShadowPad Trojan: A Swiss Army Knife for Espionage
ShadowPad is a modular Remote Access Trojan (RAT) that has evolved from its predecessor, the Korplug/PlugX Trojan. Initially sold in underground forums, it has since become a weapon of choice for advanced persistent threat (APT) groups like APT41, also known as Brass Typhoon, Wicked Panda, Winnti, and Red Echo. The Trojan is highly versatile, capable of stealing credentials and compromising multiple computers within a network. The key takeaway is that ShadowPad's modular architecture makes it a potent tool for APT groups, which calls for detection mechanisms that go beyond signature-based solutions.
The Arsenal: Tools and Techniques
Redfly employed a distinct variant of the ShadowPad Trojan, which used the domain websencl[.]com for command-and-control (C2) purposes. The malware also relied on a tool called PackerLoader for loading and executing shellcode, and on a keylogger for capturing keystrokes. These tools were staged in directories and under names masquerading as legitimate VMware files, helping them evade detection. The key takeaway is that the attackers' use of legitimate-looking file paths and names for malicious tools highlights the need for behavioral analytics in cybersecurity solutions.
The Attack Chain: A Timeline
The first intrusion was detected on February 28, 2023, with the attackers maintaining a presence until August 3, 2023. The attack involved multiple stages, from initial compromise using ShadowPad to lateral movement using tools like ProcDump and Oleview. The attackers also attempted to dump credentials from the Windows registry, indicating a well-planned, multi-stage attack. The long-term presence of the attackers on the network underscores the importance of continuous monitoring and threat hunting to detect and remove intruders.
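As an added illustration (not code from Symantec's report) of the behavioral, rather than signature-based, detection the tooling and attack chain above call for, the following Python hunt runs a few rules over constructed process-creation and DNS events: binaries under VMware-named paths that are not VMware-signed, the dual-use tools ProcDump and Oleview, reg.exe saving a credential-bearing registry hive, and lookups of the websencl[.]com C2 domain. The event fields, rule names and sample telemetry are assumptions for this example, modelled on typical EDR or Sysmon output.

```python
import re
from dataclasses import dataclass
# Indicator from the Symantec report, normalised from its defanged form.
C2_DOMAINS = {"websencl.com"}
# Dual-use tools the report names for lateral movement.
DUAL_USE_TOOLS = {"procdump.exe", "procdump64.exe", "oleview.exe"}
# reg.exe saving a credential-bearing hive (SAM/SECURITY/SYSTEM) to disk.
HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+\S*\\(sam|security|system)\b", re.I)

@dataclass
class Event:
    kind: str            # "process" or "dns"
    image: str = ""      # full path of the executable (process events)
    cmdline: str = ""    # command line (process events)
    signer: str = ""     # Authenticode publisher as reported by EDR/Sysmon
    query: str = ""      # queried name (dns events)

def triage(ev: Event) -> list[str]:
    """Return the names of every hunt rule the event matches ([] if none)."""
    hits: list[str] = []
    if ev.kind == "dns":
        name = ev.query.lower().replace("[.]", ".").rstrip(".")
        if name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS):
            hits.append("known_c2_domain")
        return hits
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    # Path claims VMware but the binary is not VMware-signed: masquerading.
    if "vmware" in ev.image.lower() and "vmware" not in ev.signer.lower():
        hits.append("vmware_path_masquerade")
    if exe in DUAL_USE_TOOLS:
        hits.append("dual_use_tool")
    if HIVE_DUMP.search(ev.cmdline):
        hits.append("registry_hive_dump")
    return hits

# Constructed sample telemetry (not from the report) to exercise the rules.
SAMPLE_EVENTS = [
    Event("process", r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
          "vmtoolsd.exe -n vmusr", signer="VMware, Inc."),
    Event("process", r"C:\ProgramData\VMware\vmtoolsd.exe", "vmtoolsd.exe", signer="Unsigned"),
    Event("process", r"C:\Windows\Temp\procdump64.exe", "procdump64.exe -accepteula -ma 624 p.dmp",
          signer="Microsoft Corporation"),
    Event("process", r"C:\Windows\System32\reg.exe", r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv",
          signer="Microsoft Windows"),
    Event("dns", query="websencl[.]com"),
    Event("dns", query="updates.example.com"),
]

def run_hunt(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map event index -> matched rules, keeping only events with at least one hit."""
    return {i: h for i, ev in enumerate(events) if (h := triage(ev))}
```

The legitimately signed vmtoolsd.exe in the first event produces no hit, which is the point: the rule keys on the mismatch between path and signer, not on the file name alone.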
- Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting behavioral anomalies.
- Zero Trust Architecture: Implement a Zero Trust model to minimize the attack surface.
- Regular Audits: Conduct regular security audits to identify and patch vulnerabilities.
The increasing frequency of attacks on critical infrastructure is a clarion call for bolstering cybersecurity measures. Redfly's campaign serves as a case study in the advanced tactics employed by threat actors, emphasizing the need for a multi-layered security approach.