China-Linked Cyber Espionage Group Targeting South American Nations

China-based cyber-espionage actor DEV-0147 has been observed expanding its data exfiltration operations to compromise diplomatic targets in South America, according to Microsoft’s Security Intelligence team.

The group, which has traditionally targeted government agencies and think tanks in Asia and Europe, is using post-exploitation activity involving the abuse of on-premises identity infrastructure for reconnaissance and lateral movement, as well as the use of Cobalt Strike penetration testing tool for command and control and data exfiltration.

Microsoft 365 Defender detects these DEV-0147 attacks through Microsoft Defender for Identity and Defender for Endpoint. Organizations are advised to enforce Multi-Factor Authentication (MFA) to protect themselves from the threat actor.

The group deploys ShadowPad, a Remote Access Trojan (RAT), to achieve persistence. It uses QuasarLoader, a Webpack loader, to download and execute additional malware. ShadowPad has been associated with other China-based Advanced Persistent Threat (APT) actors such as APT23, APT41, Axiom, Dagger Panda, Earth Lusca, Tonto Team, and Wet Panda. ShadowPad is decrypted in memory using a custom decryption algorithm.

In September last year, an attack on an unnamed organization that took advantage of a flaw in software from WSO2 to deliver ShadowPad was observed by the NCC group. Earlier last year, in June, cybersecurity firm Kaspersky reported having observed a previously unknown Chinese-speaking threat actor attacking telecommunications, manufacturing, and transport organizations in several Asian countries such as Pakistan, Afghanistan, and Malaysia. During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems.