Ink Dragon Compromises European IIS Networks to Distribute ShadowPad Malware

A Chinese hacking group, identified as Ink Dragon, has compromised European government networks, utilizing them as relay nodes to execute commands and facilitate further cyber operations. This marks a notable shift in their tactics, as the group previously focused primarily on targets in Asia and South America.
According to security firm Check Point, this operation represents the first instance of Ink Dragon targeting European networks. The firm asserts that Ink Dragon employs compromised organizations for command and control, enabling them to leverage European victims to launch attacks not only on other European institutions but also within regions such as Africa and Southeast Asia.
The attackers gained a foothold by exploiting vulnerabilities in web-facing applications, including the Microsoft SharePoint ToolShell exploit chain. This corresponds to the initial access phase of the MITRE ATT&CK framework, in which attackers either deceive users into executing code or obtain access through vulnerable software.
Additionally, the hackers employed ViewState code injection, abusing the ASP.NET ViewState mechanism, which preserves page state across user interactions, to introduce malicious code. Such tactics indicate a blend of persistence techniques aimed at maintaining access to compromised systems.
To establish their relay networks, the attackers deployed ShadowPad, a sophisticated backdoor commonly associated with Chinese state-sponsored cyber activities. This variant of ShadowPad registers new URL listeners directly through Microsoft's HttpAddUrl application programming interface, allowing the attackers to intercept incoming HTTP requests and make the compromised servers behave like legitimate Internet Information Services (IIS) hosts, thus obscuring their activities within regular traffic.
As noted by Check Point researchers, this approach results in an implant that harmonizes with the server’s normal communications, while still maintaining complete control over a covert command-and-control channel. The attackers have also utilized affected European networks as intermediaries, providing access points for ShadowPad clients to operate within different target environments.
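Because the implant registers its own URL prefixes in HTTP.sys rather than in IIS configuration, one defender check is to compare the prefixes HTTP.sys actually has registered with the bindings the administrator knows about. The script below is an added example, not code from the Check Point report or from ShadowPad; it parses the text printed by `netsh http show servicestate` (layout assumed from typical output, with the `SAMPLE` and the `EXPECTED` binding set constructed for illustration) and flags every registered prefix that no known IIS site binding or application path explains.

```python
# Added example, not from the Check Point report: flag HTTP.sys URL prefixes that
# no known IIS binding explains. netsh layout assumed; SAMPLE/EXPECTED constructed.
import re, subprocess, sys

URL_RE = re.compile(r"^https?://\S+$", re.I)
EXPECTED = {"http://*:80/"}  # build this from real site bindings and app paths
SAMPLE = """\
    Request queue name: DefaultAppPool
        Process IDs:
            4512
        Registered URLs:
            HTTP://*:80/
            HTTP://*:80/api/v2/
"""

def parse_request_queues(text):
    """Return [{'name', 'pids', 'urls'}] for each request queue in netsh output."""
    queues, cur, section = [], None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("Request queue name:"):
            cur = {"name": s.split(":", 1)[1].strip(), "pids": [], "urls": []}
            queues.append(cur)
            section = None
        elif s == "Process IDs:":
            section = "pids"
        elif s == "Registered URLs:":
            section = "urls"
        elif cur and section == "pids" and s.isdigit():
            cur["pids"].append(int(s))
        elif cur and section == "urls" and URL_RE.match(s):
            cur["urls"].append(s.lower())
        elif s:  # any other labelled line ends the current indented list
            section = None
    return queues

def unexpected_prefixes(queues, expected=EXPECTED):
    """(queue name, pids, url) for every registered prefix not in `expected`."""
    return [(q["name"], q["pids"], u) for q in queues for u in q["urls"]
            if u not in expected]

def live_servicestate():
    """Run netsh on the Windows host being checked and return its output."""
    return subprocess.run(["netsh", "http", "show", "servicestate"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    text = live_servicestate() if "--live" in sys.argv else SAMPLE
    for name, pids, url in unexpected_prefixes(parse_request_queues(text)):
        print(f"unexpected prefix {url} in queue {name!r} (pids {pids})")
```

Run with `--live` on the IIS host to check real HTTP.sys state; the reported process IDs should map back to known w3wp.exe instances, and any prefix outside the expected set warrants a look at the worker process that owns it.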
Further complicating the threat landscape, the hackers deployed a previously unidentified version of FinalDraft, a remote access Trojan that abuses a Microsoft Graph API feature of Outlook to intercept OAuth tokens. This method effectively hides command-and-control traffic within legitimate cloud mail communications, allowing the malware to persist undetected inside a network for extended periods.
In summary, the activities of Ink Dragon align with broader Chinese intelligence objectives geared towards long-term espionage, focusing on sectors of strategic importance such as government and public service infrastructure. The sophisticated methodologies and technologies employed by this hacking group underscore the pressing need for organizations to fortify their cybersecurity defenses against such persistent threats.