SentinelLabs of SentinelOne has observed and defended a malicious campaign targeting public sector organizations and global industries, including their own organization
Based on the official blog released, there are 6 activities that have been observed and tracked to the activity of cluster PurpleHaze and ShadowPad.
_____________________________
A. Nature of Malicious Campaign
ShadowPad Cluster
SentinelLabs has uncovered a sophisticated campaign targeting a South Asian government and an IT services and logistics company with ties to SentinelOne. The attack was attributed to APT41, which leveraged an obfuscated ShadowPad variant known as ScatterBrain. Several samples from this campaign were also reported by security vendors including Trend Micro, Orange Cyberdefense, and Check Point.
In one observed activity, a sample named “AppSov.exe” was used to download a malicious file called “x.dat” via a PowerShell command. Once executed, the file collects sensitive user data, copies the files to a temporary folder, compresses them using 7-Zip with password protection, and exfiltrates the archive via a cURL POST request.
PurpleHaze Cluster
The PurpleHaze activity cluster leveraged the GOREshell backdoor and an Operational Relay Box (ORB) network to conduct cyberespionage, targeting a South Asian government entity and on SentinelOne. Meanwhile, the attack on a European media organization was attributed to UNC5174, which exploited CVE-2024-8963 and CVE-2024-8190 to establish an initial foothold.
_____________________________
B. Indicators of Compromise (IOCs)
| FILES | |
| Webshell | 106248206f1c995a76058999ccd6a6d0f420461e |
| GOREshell (snapd) | 411180c89953ab5e0c59bd4b835eef740b550823 |
| Nimbo-C2 agent (PfSvc.exe) | 4896cfff334f846079174d3ea2d541eec72690a0 |
| ShadowPad | 5ee4be6f82a16ebb1cf8f35481c88c2559e5e41a |
| GOREshell (update-notifier) | 7dabf87617d646a9ec3e135b5f0e5edae50cd3b9 |
| GOREshell | a31642046471ec138bb66271e365a01569ff8d7f |
| ShadowPad | a88f34c0b3a6df683bb89058f8e7a7d534698069 |
| ShadowPad | aa6a9c25aff0e773d4189480171afcf7d0f69ad9 |
| ShadowPad | c43b0006b3f7cd88d31aded8579830168a44ba79 |
| GOREshell (glib-2.0.dll) | cb2d18fb91f0cd88e82cb36b614cfedf3e4ae49b |
| Legitimate VMWare executable (VGAuthService.exe) | cbe82e23f8920512b1cf56f3b5b0bca61ec137b9 |
| GOREshell | ebe6068e2161fe359a63007f9febea00399d7ef3 |
| ShadowPad (AppSov.exe) | f52e18b7c8417c7573125c0047adb32d8d813529 |
| DOMAINS | |
| cloud.trendav[.]co | Suspected PurpleHaze infrastructure |
| downloads.trendav[.]vip | GOREshell C2 server |
| dscriy.chtq[.]net | ShadowPad C2 server |
| epp.navy[.]ddns[.]info | GOREshell C2 server |
| mail.ccna[.]organiccrap[.]com | GOREshell C2 server |
| mail.secmailbox[.]us | Suspected PurpleHaze infrastructure |
| network.oossafe[.]com | Suspected ShadowPad C2 server |
| news.imaginerjp[.]com | ShadowPad C2 server |
| notes.oossafe[.]com | Suspected ShadowPad C2 server |
| secmailbox[.]us | Suspected PurpleHaze infrastructure |
| sentinelxdr[.]us | Suspected PurpleHaze infrastructure |
| tatacom.duckdns[.]org | C2 server |
| trendav[.]vip | Suspected PurpleHaze infrastructure |
| updata.dsqurey[.]com | ShadowPad C2 server |
| IP ADDRESSES | |
| 103.248.61[.]136 | Malware hosting location |
| 107.173.111[.]26 | GOREshell C2 server |
| 128.199.124[.]136 | C2 server |
| 142.93.212[.]42 | Suspected PurpleHaze infrastructure |
| 142.93.214[.]219 | GOREshell C2 server |
| 143.244.137[.]54 | Suspected PurpleHaze infrastructure |
| 45.13.199[.]209 | Exfiltration IP address |
| 65.38.120[.]110 | ShadowPad C2 server |
| URLs | |
| https[://]45.13.199[.]209/rss/rss.php | Exfiltration URL |
_____________________________
B. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Regularly apply necessary updates and patches to mitigate future threats, especially public-facing assets.
- Proactively monitor the logs and network traffic to the identified systems and devices for any suspicious/malicious activities
- Install an anti-virus software and/or host-based detection tool running with the latest version to protect your data and devices.
- Indicator of compromise is available in the official report for threat hunting and blocking purposes.
- Conduct third-party audits to service providers for security compliance to help identify and mitigate potential security risks.
- For additional information, kindly refer to the official report
- https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/