New evidence is emerging to support an apparent trend: the once-distinct border between nation-state cyber-spying groups and financially motivated cybercriminals is becoming increasingly porous.

Threat intelligence units with Trend Micro and Orange Cyberdefense CERT this week reported detecting campaigns in which the bad actors deployed PlugX and its successor, ShadowPad – both tools linked to China-backed cyberespionage activity – in ransomware attacks in Europe, with Trend Micro researchers seeing similar incidents in the Middle East, Asia, and South America.

“ShadowPad is known for its widespread usage in cyberespionage campaigns against government entities, academic institutions, energy organizations, think tanks, or technology companies,” Cyberdefense researchers Marine Pichon and Alexis Bonnefoi wrote in their report. “This modular backdoor is suspected to be privately shared or sold among Chinese APTs since 2015 at least.”

They added that “the deployment of a ransomware payload after the use of traditional cyberespionage tools is quite surprising.”

Mixing ShadowPad with Ransomware

In his report, Trend Micro researcher Daniel Lunghi wrote that in November 2024, the cybersecurity firm responded to two incidents in Europe that involved the use of ShadowPad in conjunction with a previously undetected ransomware. Eventually Trend Micro researchers found 21 companies – more than half of them in the manufacturing sector – in nine countries that were victims of similar attacks over seven months.

Other targets were in such industries as transportation, energy, banking, and publishing.

Clearer Picture of a Blurring Threat

Both reports echo similar findings by other cybersecurity vendors. Trellix last month wrote about the “distinction between nation-state actors and organized cybercriminals becoming increasingly blurred in our rapidly evolving cyber landscape. … Recent evidence suggests an unsettling convergence of tactics, techniques, and even objectives, making it challenging to distinguish between them.”

The ongoing convergence is making it more difficult for threat analysts to attribute activity to particular threat groups, and it raises questions about how cyberthreats are evolving and how that could affect global security, Trellix researcher Tomer Shloman wrote.

Earlier this month, Google’s Threat Intelligence Group issued its own report on the merging of the two sides of the cyberthreat coin, calling for “a new and stronger approach recognizing the cybercriminal threat as a national security priority requiring international cooperation.”

Meanwhile, Symantec linked a ransomware attack on a software and services company in Asia to a number of espionage incidents involving foreign ministries in Europe and other targets, suggesting the hackers behind the ransomware attack likely were members of a Chinese state-sponsored group that was “moonlighting” by using their handlers’ tools to make some money for themselves.

Manufacturing Sector Targeted

In two cases Trend Micro investigated, the hackers accessed the victims’ networks and then deployed ShadowPad. In both incidents, the bad actors followed with an unreported ransomware family, an unusual move by threat groups that use ShadowPad. That said, Lunghi noted that in 2022, Google’s Mandiant unit reported that APT41 – a state-sponsored espionage group linked to China’s security apparatus – had previously deployed Encryptor RaaS ransomware.

“We don’t know the ultimate goal of the threat actor,” he wrote. “However, it is possible that some of this targeting is related to intellectual property theft. Additionally, we are aware of some cases where the threat actor deployed a ransomware family.”

In both incidents, the bad actor dumped Active Directory information and created RAR archives, which were later deleted, Lunghi wrote.

‘Green Nailao’ Used Against Health Care in Europe

For their part, Cyberdefense researchers tracked a threat activity cluster between June and October 2024 that targeted European organizations, particularly in the health care field, though they added they believe there were more victims around the world and in different sectors. They dubbed the campaign “Green Nailao” and wrote that they couldn’t attribute the campaign to a particular bad actor.

In four cases, the attackers gained access to victims’ networks by exploiting a now-patched 0-day security flaw – tracked as CVE-2024-24919 – in Check Point VPN appliance Security Gateways with Remote Access VPN or Mobile Access features enabled, Pichon and Bonnefoi wrote.

As with the campaigns Trend Micro investigated, those tracked by Cyberdefense used the ShadowPad and PlugX tools, which the researchers wrote are “often associated with China-nexus targeted intrusions.” The ransomware, NailaoLocker, is then deployed and used to encrypt files and to issue a ransom note demanding cryptocurrency.

The researchers described NailaoLocker as “relatively unsophisticated and poorly designed, seemingly not intended to guarantee full encryption.” Among the things the ransomware doesn’t do: scan network shares, stop services or processes that could block the malware from reaching some important files, or check whether it is being debugged.

Motivation Uncertain

They said they were unsure whether the data encryption and ransom demand were used to distract victims and researchers from the real intent of stealing data – though “the targets lacked strategic significance,” the researchers wrote – or whether the goal was to both steal data and use ransomware to extort money. Traditionally, mixing espionage and financially driven activity is common among North Korean groups but rarer elsewhere.

As with Symantec’s case, combining the two may have been a case of an espionage actor using this toolset to make some money.
