#Redfly #cyberespionage group continuously targets Asia's critical infrastructure sector with #ShadowPad #malware. Detect associated malicious activity with a set of #SigmaRules in the SOC Prime Platform.

https://socprime.com/blog/shadowpad-trojan-detection-redfly-hackers-apply-a-nefarious-rat-to-hit-national-power-grid-organization-in-asia/

#DFIR #threathunting #cyberattack #BlueTeam #threatdetection #infosec #APT

ShadowPad, also referred to as PoisonPlug, is a modular implant that functions as an extension of the PlugX remote access trojan.

#Cybersecurity #China #Cyberattack #Microsoft #Trojan #Redfly

https://cybersec84.wordpress.com/2023/09/13/chinese-hackers-compromised-nations-critical-grid-in-6-month-shadowpad-campaign/

「 #中国 、またもや他国（インド）の #送電網 で #マルウェア を発見」： The Register

「火曜日、 #Redfly と呼ばれるチームが、# ShadowPad トロイの木馬 を使用してアジアの匿名国家​​の国内ネットワークに侵入し、資格情報を盗み、追加のマルウェアをインストールし、6 か月間持続的にアクセスし続けた間に、感染したネットワーク上の複数のシステムに横方向に移動したと発表しました」

https://www.theregister.com/2023/09/12/china_malware_grid/

#prattohome #TheResister

The Symantec research team uncovered an espionage campaign from the #APT group they track as #Redfly. The group used multiple tools during the campaign which included the #ShadowPad trojan, #Packerloader, and a key logger. They also abused some #LOLBINs to achieve their goals.

Redfly masqueraded ShadowPad in a "VMware" directory and gained persistence by creating a service that ran the malware once the computer started and the keylogger stored its captured keystrokes in a directory that included "Intel" in the path. The APT group used the reg.exe to dump credentials from he SYSTEM, SAM, and SECURITY hive. They also used a renamed version of ProcDump to dump credentials from LSASS. Powershell was also used to gather information on the storage devices attached to the system and finally a scheduled task was created to preform side-loading and lateral movement. #HappyHunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday