A Chinese threat group that Check Point links to APT41 has been running cyber-espionage campaigns against a range of organizations. The group gains access by exploiting exposed servers and by phishing, hijacks legitimate Windows services to stay resident, and routes its command-and-control (C2) traffic over channels chosen to blend in with normal activity.
Known as Silver Dragon, this group has been monitored by researchers at Check Point Software since at least mid-2024. They primarily focus on government entities in Southeast Asia and Europe, with cyber-espionage being their main objective, as detailed in a report released on Tuesday.
According to Check Point, Silver Dragon operates largely through servers and services that are already present in the victim environment. Initial access comes from exploiting vulnerable Internet-facing servers and from phishing emails carrying malicious attachments. For persistence, the group hijacks legitimate Windows services so that the delivered malware runs as part of normal system operation and is hard to pick out.
Check Point links Silver Dragon to the prominent Chinese advanced persistent threat (APT) group APT41. Even at this early stage, the group's tooling shows a level of sophistication that suggests a capacity for sustained operations.
Throughout their analysis, Check Point observed that the group consistently evolves its tools and techniques, actively testing and deploying new capabilities across various campaigns. The use of diverse vulnerability exploits, custom loaders, and advanced file-based C2 communication highlights the group's well-resourced and adaptable nature.
Silver Dragon's Infection Chains
Check Point identified three infection chains. The first two, AppDomain hijacking and Service DLL hijacking, are operationally similar: both arrive as a RAR archive containing an installation batch script that the attackers run, and both are typically used post-exploitation, after a publicly exposed vulnerable server has already been compromised, rather than as the initial access vector itself.
The third chain is a phishing campaign that delivers a malicious LNK file as an attachment. Check Point attributes it to Silver Dragon on the basis of the loaders it drops, a family the researchers call "BamboLoader." In one case, the attackers sent phishing emails to government entities in Uzbekistan, impersonating official correspondence and attaching weaponized LNK files.
Once a system is compromised, the group uses Service DLL hijacking for persistence: the DLL that a legitimate Windows service loads is replaced or redirected to the attackers' code, so the malware runs inside a trusted service host process, survives reboots, and is easy to miss in a routine review of running services.
Custom Hacking Tools
The malware utilized by Silver Dragon includes Cobalt Strike beacons, which help establish an initial foothold on compromised systems, and a DNS tunneling tool for C2 communication to evade network-level detection, as reported by Check Point.
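The page does not describe how Silver Dragon's DNS tunneling tool encodes its traffic, so the following is a generic detector for the class of technique, added here as an example and not code from the Check Point report. It groups queries by client and registered domain and flags groups whose subdomains look like encoded data: many distinct, long, high-entropy labels. The query records are constructed, the encoded labels are SHA-256 hex chunks standing in for whatever encoding a real tunnel uses, and the registered-domain extraction assumes a two-label suffix (a hypothetical simplification; real code would consult the Public Suffix List).

```python
"""Score DNS query logs for tunnelling behaviour.

Added example, not a tool from the Check Point report.  Queries are grouped
by (client, registered domain); a group is flagged when it carries many
distinct, long, high-entropy subdomains, the shape of encoded payload.
"""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


def shannon_entropy(s: str) -> float:
    """Bits per character: up to 4.0 for hex, 5.0 for base32, lower for words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Last two labels of the name (assumption for the example; use the
    Public Suffix List in production so host.example.co.uk is handled)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


@dataclass
class TunnelFinding:
    client: str
    domain: str
    queries: int
    unique_ratio: float
    mean_entropy: float
    mean_label_len: float


def analyze_dns(records, min_queries=20, min_unique_ratio=0.8,
                min_entropy=3.0, min_label_len=20):
    """records: iterable of (client_ip, qname, qtype).  Thresholds are
    starting points to tune per network, not universal constants."""
    groups = defaultdict(lambda: {"n": 0, "subs": set(), "ent": [], "lab": []})
    for client, qname, _qtype in records:
        dom = registered_domain(qname)
        name = qname.rstrip(".").lower()
        sub = name[: -len(dom)].rstrip(".")  # everything left of the domain
        g = groups[(client, dom)]
        g["n"] += 1
        g["subs"].add(sub)
        g["ent"].append(shannon_entropy(sub.replace(".", "")))
        g["lab"].append(max((len(l) for l in sub.split(".")), default=0))
    findings = []
    for (client, dom), g in groups.items():
        if g["n"] < min_queries:
            continue
        ratio = len(g["subs"]) / g["n"]      # distinct names per query
        ent = sum(g["ent"]) / g["n"]         # mean entropy of the subdomain
        lab = sum(g["lab"]) / g["n"]         # mean length of the longest label
        if ratio >= min_unique_ratio and ent >= min_entropy and lab >= min_label_len:
            findings.append(TunnelFinding(client, dom, g["n"], ratio, ent, lab))
    return sorted(findings, key=lambda f: f.queries, reverse=True)


def _payload(i: int) -> str:
    """Constructed stand-in for a tunnel's encoded chunk: two 26-char hex labels."""
    h = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
    return f"{h[:26]}.{h[26:52]}"


# Constructed sample: ordinary lookups from one client plus a tunnel to a
# domain under the reserved .example TLD from the same client.
NORMAL = [("10.0.0.5", f"{h}.corp.example", "A")
          for _ in range(5) for h in ("www", "mail", "intranet", "sharepoint", "vpn")]
TUNNEL = [("10.0.0.5", f"{_payload(i)}.telemetry.example", "TXT") for i in range(40)]
SAMPLE = NORMAL + TUNNEL

if __name__ == "__main__":
    for f in analyze_dns(SAMPLE):
        print(f"{f.client} -> {f.domain}: {f.queries} queries, "
              f"unique={f.unique_ratio:.2f} entropy={f.mean_entropy:.2f} label={f.mean_label_len:.0f}")
```

A tunnel that reuses one long-lived subdomain or pads its labels to look like hostnames will slip past the uniqueness and entropy tests, so in practice pair this with query-volume-over-time and response-size checks and tune the thresholds against a week of the network's own resolver logs.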
Recent attacks also introduced a new custom backdoor named GearDoor. This backdoor utilizes Google Drive as its C2 channel to enable covert communication over a trusted cloud service.
In addition, Silver Dragon has two other significant tools: SSHcmd and SilverScreen. SSHcmd is a command-line utility designed to facilitate remote access and lateral movement within compromised networks. SilverScreen, on the other hand, is a surveillance tool created to capture periodic screenshots of user activity, enabling attackers to monitor sensitive information in real-time.
A Formidable Cyber Threat
Check Point found that Silver Dragon's activity closely resembles that of APT41, particularly in its use of BamboLoader and post-exploitation installation scripts. APT41, also tracked as Double Dragon and Winnti, has been followed by security researchers since at least 2012. The group is notorious for espionage on behalf of the Chinese government and last year went as far as impersonating a US lawmaker during significant US-China trade interactions.
Silver Dragon appears to be focused on strategic espionage rather than financial gain, but its reliance on legitimate system components to mask its operations makes it a significant threat. Organizations, especially in the public sector, should prioritize patching Internet-facing systems against known vulnerabilities. They should also baseline and monitor Windows service configurations for unauthorized changes, in particular the ImagePath and ServiceDll values under HKLM\SYSTEM\CurrentControlSet\Services, and watch for the indicators of compromise (IoCs) that Check Point has published in its report.
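As an added example of the service-configuration monitoring recommended above, and of the Service DLL hijacking it is meant to catch, not code from Check Point's report: a detector that consumes Sysmon Event ID 13 (registry value set) records and reports rewrites of a service's ServiceDll or ImagePath that diverge from a known-good baseline, point outside the Windows system directories, or come from a process that does not normally install services. The event records, the baseline, and the lists of expected writer processes and trusted directories are all constructed assumptions for the example.

```python
"""Detect suspicious rewrites of Windows service configuration from Sysmon
Event ID 13 (RegistryEvent: value set) records.  Added example; all records,
the baseline and the allow-lists below are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Values that decide which code a service runs.  Rewriting ServiceDll under
# <service>\Parameters is the registry footprint of Service DLL hijacking.
SERVICE_VALUE_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)"
    r"(?:\\Parameters)?\\(?P<value>ServiceDll|ImagePath)$",
    re.IGNORECASE,
)
# Processes that legitimately rewrite service configuration on a stock host.
EXPECTED_WRITERS = {
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\servicing\\trustedinstaller.exe",
    "c:\\windows\\system32\\msiexec.exe",
}
# Where Microsoft service binaries and svchost-hosted DLLs normally live.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Variables Windows expands in REG_EXPAND_SZ values (assumed default layout).
ENV = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}


def normalize(path: str) -> str:
    """Lower-case, drop quotes and expand variables so that equivalent
    spellings of one path compare equal."""
    p = path.strip().replace('"', "").lower()
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p


def binary_of(value: str) -> str:
    """The executable/DLL path in a value, without arguments such as '-k netsvcs'."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:v.find('"', 1)]
    return v.split(" -", 1)[0].split(" /", 1)[0]


@dataclass
class Finding:
    service: str
    value: str
    new_data: str
    writer: str
    reasons: list = field(default_factory=list)


def analyze(events, baseline):
    """events: Sysmon 13 records as dicts; baseline: {(service, value): data}
    captured from a known-good host.  Returns one Finding per suspicious write."""
    expected = {(s.lower(), v.lower()): normalize(d) for (s, v), d in baseline.items()}
    findings = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        m = SERVICE_VALUE_RE.match(ev["TargetObject"])
        if not m:
            continue  # not a service configuration value
        svc, val = m["svc"], m["value"]
        new_data, writer = normalize(ev["Details"]), normalize(ev["Image"])
        reasons = []
        known = expected.get((svc.lower(), val.lower()))
        if known is None:
            reasons.append("service not present in baseline")
        elif known != new_data:
            reasons.append(f"{val} differs from baseline")
        if not normalize(binary_of(ev["Details"])).startswith(TRUSTED_DIRS):
            reasons.append("binary outside the Windows system directories")
        if writer not in EXPECTED_WRITERS:
            reasons.append(f"written by unexpected process {writer}")
        if reasons:
            findings.append(Finding(svc, val, new_data, writer, reasons))
    return findings


def sysmon13(image, target, details):
    """Build a constructed Sysmon Event ID 13 record."""
    return {"EventID": 13, "EventType": "SetValue", "Image": image,
            "TargetObject": target, "Details": details}


SVC = r"HKLM\System\CurrentControlSet\Services"
EVENTS = [  # constructed: one benign refresh, one hijack, one rogue service, one benign, noise
    sysmon13(r"C:\Windows\system32\services.exe", SVC + r"\Schedule\Parameters\ServiceDll",
             r"%SystemRoot%\system32\schedsvc.dll"),
    sysmon13(r"C:\Windows\System32\reg.exe", SVC + r"\Schedule\Parameters\ServiceDll",
             r"C:\ProgramData\Intel\schedsvc.dll"),
    sysmon13(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             SVC + r"\UpdaterSvc\ImagePath", r'"C:\Users\Public\Libraries\upd.exe" -k netsvcs'),
    sysmon13(r"C:\Windows\servicing\TrustedInstaller.exe", SVC + r"\Spooler\ImagePath",
             r"%SystemRoot%\System32\spoolsv.exe"),
    sysmon13(r"C:\Windows\explorer.exe",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive", r"C:\x\OneDrive.exe"),
]
BASELINE = {("Schedule", "ServiceDll"): r"%SystemRoot%\system32\schedsvc.dll",
            ("Spooler", "ImagePath"): r"%SystemRoot%\System32\spoolsv.exe"}
```

Feed it parsed Sysmon events from a live export together with a baseline captured from a freshly built host; the same rule covers ImagePath so that a service whose host executable, rather than its DLL, has been swapped is caught as well. Where Sysmon is not deployed, System log event 7045 (a new service was installed) is a useful second source for the same review.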