SentinelOne, an endpoint security company, has analyzed the activity of the Chinese hacking group Moshen Dragon. Its researchers compared the group's tradecraft with that of other clusters and found overlaps with the RedFoxtrot and Nomad Panda groups.
SentinelOne first reported in early May that the group was abusing legitimate antivirus executables to sideload malicious DLLs and deliver malware to the systems of organizations, most of them located in Central Asia.
“Moshen Dragon hackers regularly used antiviruses to intercept DLL searches. The intercepted DLL was used to decrypt and load the final payload stored in the same folder, but in a different file,” SentinelOne experts explained.
SentinelOne named Symantec, Trend Micro, Bitdefender, McAfee and Kaspersky products as the executables the attackers abused. Of these vendors, only Trend Micro has acknowledged and fixed the underlying DLL hijacking vulnerability, shipping a security update through its ActiveUpdate mechanism on May 19. In its report, the company said it had found no evidence of the vulnerability being used against its commercial and business products.
We previously covered Moshen Dragon's attacks on the telecommunications sector in Central Asia, in which the group deployed the ShadowPad and PlugX malware on victims' systems and also used the GUNTERS backdoor.