Cyber: Apt41-linked Silver Dragon Targets Governments Using Cobalt Strike...

Cybersecurity researchers have disclosed details of an advanced persistent threat (APT) group dubbed Silver Dragon that has been linked to cyber attacks targeting entities in Europe and Southeast Asia since at least mid-2024.

"Silver Dragon gains its initial access by exploiting public-facing internet servers and by delivering phishing emails that contain malicious attachments," Check Point said in a technical report. "To maintain persistence, the group hijacks legitimate Windows services, which allows the malware processes to blend into normal system activity."

Silver Dragon is assessed to be operating within the APT41 umbrella. APT41 is the cryptonym assigned to a prolific Chinese hacking group known for its targeting of healthcare, telecoms, high-tech, education, travel services, and media sectors for cyber espionage as early as 2012. It's also believed to engage in financially motivated activity potentially outside of state control.

Attacks mounted by Silver Dragon have been found to primarily single out government entities, with the adversary using Cobalt Strike beacons for persistence on compromised hosts. It's also known to employ techniques like DNS tunneling for command-and-control (C2) communication to bypass detection.

Check Point said it identified three different infection chains to deliver Cobalt Strike: AppDomain hijacking, service DLL, and email-based phishing.

"The first two infection chains, AppDomain hijacking and Service DLL, show clear operational overlap," the cybersecurity company said. "They are both delivered via compressed archives, suggesting their use in post‑exploitation scenarios. In several cases, these chains were deployed following the compromise of publicly exposed vulnerable servers."

The two chains make use of a RAR archive containing a batch script, with the first chain using it to drop MonikerLoader, a NET-based loader responsible for decrypting and executing a second-stage directly in memory. The second stage, for its part, mimics MonikerLoader's behavior, acting as a conduit for loading the final Cobalt Strike beacon payload.

On the other hand, the service DLL chain uses a batch script to deliver a shellcode DLL loader dubbed BamboLoader, which is registered as a Windows service. A heavily obfuscated C++ malware, it's used to decrypt and decompress shellcode staged on disk, and inject it into a legitimate Windows process, such as "taskhost.exe." The binary targeted for injection is configurable within BamboLoa

Source: The Hacker News