A previously unidentified threat activity cluster has been discovered targeting European organizations, particularly those in the healthcare sector. The attackers deploy PlugX and its successor, ShadowPad, which ultimately lead to the deployment of a ransomware called NailaoLocker in some cases.
The campaign, codenamed Green Nailao by Orange Cyberdefense CERT, exploits a newly patched security flaw in Check Point network gateway security products (CVE-2024-24919, CVSS score: 7.5). The attacks were observed between June and October 2024.
According to Orange Cyberdefense CERT, “the campaign relied on DLL search-order hijacking to deploy ShadowPad and PlugX – two implants often associated with China-nexus targeted intrusions,” in a technical report shared with The Hacker News.
The initial access, afforded by the exploitation of vulnerable Check Point instances, allows the threat actors to retrieve user credentials and connect to the VPN using a legitimate account.
In the next stage, the attackers carry out network reconnaissance and lateral movement via remote desktop protocol (RDP) to obtain elevated privileges. They then execute a legitimate binary (“logger.exe”) to sideload a rogue DLL (“logexts.dll”), which serves as a loader for a new version of the ShadowPad malware.
Previous iterations of the attacks detected in August 2024 have been found to leverage similar tradecraft to deliver PlugX, which also employs DLL side-loading using a McAfee executable (“mcoemcpy.exe”) to sideload “McUtil.dll.”
Like PlugX, ShadowPad is a privately sold malware that’s exclusively used by Chinese espionage actors since at least 2015. The variant identified by Orange Cyberdefense CERT features sophisticated obfuscation and anti-debug measures, alongside establishing communication with a remote server to create persistent remote access to victim systems.
There is evidence to suggest that the threat actors attempted to exfiltrate data by accessing the file system and creating ZIP archives. The intrusions culminate with the use of Windows Management Instrumentation (WMI) to transmit three files: a legitimate executable signed by Beijing Huorong Network Technology Co., Ltd (“usysdiag.exe”), a loader named NailaoLoader (“sensapi.dll”), and NailaoLocker (“usysdiag.exe.dat”).
Once again, the DLL file is sideloaded via “usysdiag.exe” to decrypt and trigger the execution of NailaoLocker, a C++-based ransomware that encrypts files, appends them with a “.locked” extension, and drops a ransom note that demands victims to make a bitcoin payment or contact them at a Proton Mail address.
According to researchers Marine Pichon and Alexis Bonnefoi, “NailaoLocker is relatively unsophisticated and poorly designed, seemingly not intended to guarantee full encryption.
“It does not scan network shares, it does not stop services or processes that could prevent the encryption of certain important files, [and] it does not control if it is being debugged.”
Orange has attributed the activity with medium confidence to a Chinese-aligned threat actor owing to the use of the ShadowPad implant, the use of DLL side-loading techniques, and the fact that similar ransomware schemes have been attributed to another Chinese threat group dubbed Bronze Starlight.
Furthermore, the use of “usysdiag.exe” to sideload next-stage payloads has been previously observed in attacks mounted by a China-linked intrusion set tracked by Sophos under the name Cluster Alpha (aka STAC1248).
While the exact goals of the espionage-cum-ransomware campaign are unclear, it’s suspected that the threat actors are looking to earn quick profits on the side.
According to the researchers, “this could help explain the sophistication contrast between ShadowPad and NailaoLocker, with NailaoLocker sometimes even attempting to mimic ShadowPad’s loading techniques.
“While such campaigns can sometimes be conducted opportunistically, they often allow threat groups to gain access to information systems that can be used later to conduct other offensive operations.”
