A Chinese-aligned cyberespionage group, Moshen Dragon, has been observed infiltrating legitimate antivirus software belonging to BitDefender, Kaspersky, McAfee, Symantec, and Trend Micro.
“Chinese threat actors usually focus on espionage activity,” SentinelOne’s Joey Chen said. “Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products.”
This is a “masterpiece of privately sold malware in Chinese espionage,” associated with several Chinese malicious actors.
A National Security Threat
The Chinese government-sponsored hacking group, Bronze Atlas (aka APT41, Barium, or Winnti), has been around since as early as 2017. Several other China-linked threat actors have increasingly joined up with their threat profiles along the way.
Secureworks said that Chinese nation-state groups operate in conjunction with the Ministry of State Security (MSS) civilian intelligence agency and the People’s Liberation Army (PLA).
Moshen Dragon abuses legitimate executables from commercial antivirus products made by BitDefender, Kaspersky, McAfee, Symantec, and Trend Micro to sideload its malware, ShadowPad and Talisman, onto compromised systems through a technique called DLL search order hijacking.
The malicious DLL is dropped onto the system by an executable that then deletes itself (“self disappears”); the DLL decrypts and loads the final payload, which resides in the same folder as the antivirus executable. Persistence is achieved by creating a scheduled task or by registering a service at the operating system level.
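The sideloading pattern described above is detectable from image-load telemetry: a DLL whose name normally resolves from System32 being loaded from the directory of the process itself. The following heuristic is an added example, not code from the article or from SentinelOne; the vendor path, the DLL list and the sample events are constructed for illustration.

```python
"""Heuristic for DLL search order hijacking / sideloading in image-load events."""
from pathlib import PureWindowsPath

# Constructed: DLL names that normally resolve from a system directory. A real
# check would build this set from an inventory of %SystemRoot%\System32.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def is_sideload_candidate(process_path: str, dll_path: str) -> bool:
    """True when a System32-style DLL name was loaded from the process's own
    directory rather than a system directory, i.e. the search order was won
    by a planted copy sitting beside the executable."""
    proc = PureWindowsPath(process_path)
    dll = PureWindowsPath(dll_path)
    if dll.name.lower() not in SYSTEM_DLLS:
        return False
    dll_dir = str(dll.parent).lower()
    if dll_dir.startswith(SYSTEM_DIRS):
        return False  # resolved from the expected location
    return dll_dir == str(proc.parent).lower()


def scan_events(events):
    """Return (process, dll) pairs that match the heuristic."""
    return [(e["process"], e["dll"]) for e in events
            if is_sideload_candidate(e["process"], e["dll"])]


# Constructed sample of image-load events (the fields Sysmon Event ID 7 records).
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\ExampleAV\avscan.exe",
     "dll": r"C:\Windows\System32\version.dll"},   # normal resolution
    {"process": r"C:\Users\Public\avscan.exe",
     "dll": r"C:\Users\Public\version.dll"},       # planted beside the exe
    {"process": r"C:\Users\Public\avscan.exe",
     "dll": r"C:\Users\Public\avcore.dll"},        # vendor DLL, expected here
]

if __name__ == "__main__":
    for proc, dll in scan_events(SAMPLE_EVENTS):
        print(f"possible sideload: {proc} loaded {dll}")
```

A signed vendor executable running from an unusual directory, combined with a new scheduled task or service pointing at it, strengthens the signal further.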
Stealing Credentials and Private Information
Other tactics used by the group include deploying known hacking tools and red-team scripts to facilitate credential theft, lateral movement, and data exfiltration. The initial access vector remains unclear.
“Once the attackers have established a foothold in an organization, they proceed with lateral movement within a network, placing a passive backdoor into the victim’s environment, harvesting as many credentials as possible to ensure unlimited access, and focusing on data exfiltration,” Chen said.
Now I understand what my friend meant when, upon using his antivirus software, he tried unsuccessfully to understand the results of his virus scan and exclaimed in frustration, “It’s Chinese to me!”
It was anyway – the virus was mass-produced there – like everything (and patented in the US by Grauci YMCH”SHM)
Our President could put an end to this.
His son has many high level connections in China, and perhaps even knows the communist Chairman Chinkpink (a.k.a Eleven) personally.
One phone call, or a gift of his latest grand artwork, could achieve serious results.
Hi. Can you put me in touch with Ron Benvenisti in regard to a recent hack I experienced?