China-Linked Attackers Leverage Check Point Vulnerability to Deploy ShadowPad and Ransomware

New Cyber Threat Campaign Targets European Healthcare Sector with Advanced Ransomware Techniques

A newly identified threat actor has launched a campaign aimed at European organizations, particularly within the healthcare industry. This operation, dubbed “Green Nailao” by Orange Cyberdefense CERT, utilizes the PlugX and ShadowPad malware, with the final stage involving the deployment of the NailaoLocker ransomware.

This campaign exploits a recently patched vulnerability in Check Point network security products, tracked as CVE-2024-24919, which carries a CVSS score of 7.5. Attacks took place from June to October 2024 and gave the intruders unauthorized access to sensitive networks. Exploiting the flaw allowed the attackers to retrieve user credentials, which they then used to connect through the VPN as if they were legitimate users.

The intruders used DLL search-order hijacking to introduce ShadowPad and PlugX into compromised systems. Orange Cyberdefense notes that both implants are commonly associated with cyber operations backed by Chinese state actors. Following the initial breach, the threat actors performed extensive network reconnaissance and lateral movement over Remote Desktop Protocol (RDP), eventually obtaining elevated privileges.

Once they gained control, the attackers ran a legitimate executable named “logger.exe” to sideload a malicious DLL (“logexts.dll”), which in turn launches a newer variant of ShadowPad. Attacks observed in August 2024 followed a similar pattern, with a McAfee executable used for the DLL side-loading.

The malware identified in this operation features advanced obfuscation tactics and anti-debugging measures. It establishes communication with remote servers, granting persistent access to the systems of the affected organizations. Evidence suggests that the threat actors sought to exfiltrate data through the file system, creating ZIP archives during their operation.

The final stage used Windows Management Instrumentation (WMI) to transfer the files needed for the ransomware operation: a legitimate executable from Beijing Huorong Network Technology Co., Ltd, a loader named NailaoLoader, and NailaoLocker itself. Once sideloaded through “usysdiag.exe,” the ransomware encrypts files, appends the “.locked” extension, and drops a ransom note instructing victims to pay in Bitcoin.
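As an added example (not code from the article or from Orange Cyberdefense), the following Python detector flags the side-loading pattern described in the two paragraphs above, run over constructed Sysmon-style image-load (Event ID 7) records: a DLL loaded from the same directory as its loader, outside the Windows system directories. The field names are Sysmon's, the sample paths are made up, and the DLL name paired with usysdiag.exe is a placeholder because the article does not name it.

```python
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Loader executables named in the reporting, mapped to the DLL names reported with
# them. The DLL side-loaded by usysdiag.exe is not named in the article, so any
# co-located DLL matches (empty set).
KNOWN_LOADERS = {"logger.exe": {"logexts.dll"}, "usysdiag.exe": set()}

def _split(path):
    """Lower-case a Windows path and return (directory ending in a backslash, file name)."""
    directory, name = ntpath.split(path.lower())
    return directory.rstrip("\\") + "\\", name

def classify(record):
    """Return 'high', 'medium' or None for one Sysmon-style image-load record."""
    exe_dir, exe = _split(record["Image"])
    dll_dir, dll = _split(record["ImageLoaded"])
    if not dll.endswith(".dll") or any(dll_dir.startswith(d) for d in SYSTEM_DIRS):
        return None  # not a DLL, or resolved from a system directory as expected
    if dll_dir != exe_dir:
        return None  # not co-located with its loader: not the side-loading pattern
    known = KNOWN_LOADERS.get(exe)
    if known is not None and (not known or dll in known):
        return "high"  # loader/DLL pairing reported in the Green Nailao intrusions
    if record.get("Signed", "false").lower() != "true":
        return "medium"  # unsigned DLL co-located with its loader outside system dirs
    return None

def scan(records):
    """Return [(severity, Image, ImageLoaded)] for every flagged record, in order."""
    return [(sev, r["Image"], r["ImageLoaded"])
            for r in records if (sev := classify(r))]

def _rec(image, loaded, signed):
    """Build a minimal image-load record using the Sysmon field names read above."""
    return {"Image": image, "ImageLoaded": loaded, "Signed": signed}

# Constructed sample telemetry (paths and the usysdiag.exe DLL name are made up).
SAMPLE = [
    _rec(r"C:\ProgramData\Upd\logger.exe", r"C:\ProgramData\Upd\logexts.dll", "false"),
    _rec(r"C:\Users\Public\hr\usysdiag.exe", r"C:\Users\Public\hr\placeholder.dll", "false"),
    _rec(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\kernel32.dll", "true"),
    _rec(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", "true"),
    _rec(r"C:\Users\bob\Downloads\tool.exe", r"C:\Users\bob\Downloads\version.dll", "false"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit)
```

The "medium" tier is a generic heuristic and will fire on legitimate vendor software that ships unsigned DLLs beside its executable, so it is a triage signal rather than a verdict.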

Researchers have characterized NailaoLocker as relatively basic and poorly designed, seemingly lacking proper mechanisms to ensure effective encryption. This inadequacy raises questions regarding the ultimate goals of the attackers, who appear to be targeting quick profits.

Orange Cyberdefense has attributed this campaign with medium confidence to a Chinese-aligned group, citing the use of ShadowPad and DLL side-loading techniques common to known Chinese threat actors. Trends in the tactics employed resemble those of prior incidents linked to a distinct Chinese intrusion set tracked by Sophos as Cluster Alpha.

Recent analyses from Trend Micro indicate that the updated ShadowPad malware has advanced in sophistication. The malware now employs better anti-debugging techniques and can utilize unique volume serial numbers to encrypt payloads, alongside DNS-over-HTTPS for concealing network communications. This development highlights an ongoing commitment to enhancing operational security and complicating industry efforts to defend against such attacks.

While the primary motivations behind these cyber assaults remain ambiguous, it is evident that they aim to blend espionage tactics with ransomware strategies. This dual approach may provide actors with lucrative opportunities to exploit vulnerable systems while simultaneously gathering intelligence for future operations.

As business owners and decision-makers prioritize cybersecurity, understanding the tactics used in campaigns of this kind, such as initial access and DLL side-loading as catalogued in the MITRE ATT&CK framework, can inform better defenses against increasingly sophisticated threats.
