Orange CyberDefense identified a sophisticated threat cluster, dubbed Green Nailao, targeting European organizations, with a particular focus on the healthcare sector, between June and October 2024. The campaign, tracked by the Orange CyberDefense CERT, employed DLL search-order hijacking to deploy the notorious ShadowPad and PlugX implants, both of which are frequently linked to China-nexus cyber intrusions. The ShadowPad variant uncovered in this operation was notably obfuscated and leveraged Windows services and registry keys to persist on compromised systems.
Through several incident response engagements, the researchers also found that the Green Nailao attackers had deployed a previously undocumented ransomware payload. Initial access, they assess, was obtained by exploiting CVE-2024-24919, a critical vulnerability in Check Point Security Gateways, underscoring the advanced tactics and persistent threat posed by this cluster.
“All four cases used a similar initial access vector consisting of the compromise of a Check Point VPN appliance,” Marine Pichon and Alexis Bonnefoi detailed in an Orange CyberDefense blog post this week. “Our Incident Responders assess with medium confidence this was managed by the exploitation of CVE-2024-24919, a critical 0-day vulnerability affecting Check Point Security Gateways that have Remote Access VPN or Mobile Access features enabled. Patched in May 2024 but exploited in the wild since early April 2024 at least, the flaw enables threat actors to read certain information on gateways, and most importantly enumerate and extract password hashes for all local accounts.”
Because all observed Check Point instances were still vulnerable at the time of their compromise, they added, CVE-2024-24919 likely enabled the threat actors to retrieve user credentials and to connect to the VPN using a legitimate account.
Tracked as Green Nailao (‘Nailao’ meaning ‘cheese’ in Chinese), the campaign impacted several European organizations, including in the healthcare vertical, during the second half of 2024. Orange CyberDefense believes the campaign has targeted a wider set of organizations across the world and across multiple sectors.
“Somewhat similar TTPs and payloads have been publicly mentioned in a write-up from HackersEye’s DFIR team,” the researchers observed. “In at least two cases, the intrusion ended up with the execution on victims’ systems of a custom, previously undocumented ransomware payload we dubbed NailaoLocker.”
The researchers detailed that the Green Nailao hackers carried out network reconnaissance and lateral movement mostly through RDP, in an effort to obtain additional privileges. The threat actors were observed manually executing a legitimate binary, ‘logger[dot]exe’, to side-load a malicious DLL, ‘logexts[dot]dll’. When executed, the DLL copies an adjacent encrypted payload into a registry key.
The payload file is then deleted by the hackers; the DLL retrieves it from the registry key and injects it into another process. “Finally, a service or a startup task is created to run logger.exe and maintain system persistence. Upon analysis, we were able to associate ‘0EEBB9B4[dot]tmp’ to a new version of the infamous ShadowPad malware (with the DLL acting as its loader),” the post added.
“It should be noted we also observed very similar TTPs used to distribute PlugX around August 2024. In this specific case, threat actors used a legitimate McAfee executable called ‘mcoemcpy[dot]exe’ to side-load a malicious DLL (‘McUtil[dot]dll’),” Pichon and Bonnefoi highlighted. “The DLL creates a Windows service for persistence and attempts to escalate privileges by using token-related APIs to grant itself the SeDebugPrivilege token.”
They added that the loader then decrypts a third, highly obfuscated file called ‘Mc[dot]cp’ and injects the extracted shellcode into a newly launched, suspended process. Once the injection is done, the process is resumed so the shellcode runs in memory. These three files correspond to the ‘PlugX trinity’ execution workflow that can be produced with one of the leaked PlugX builders available online.
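Both chains described above (a signed host binary, a loader DLL placed beside it, and an encrypted blob, followed by a service for persistence) leave a consistent signal in endpoint telemetry: a signed executable running from a user-writable directory loads an unsigned DLL from that same directory, and shortly after a service ImagePath points at that executable. The following Python is an added hunting example, not code from the Orange CyberDefense report. It runs over constructed records shaped like Sysmon Event ID 7 (ImageLoad) and Event ID 13 (registry value set); the HostSigned/HostSignature fields are an assumed enrichment (native Event ID 7 only carries the signature of the loaded image), and the trusted-directory list and the KNOWN_PAIRS map are assumptions to tune per environment.

```python
"""Added hunting example (not from the Orange CyberDefense report): flag candidate
DLL side-loading and the follow-on service persistence in Sysmon-style telemetry."""
import json
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# Install locations where a signed host loading a co-located DLL is normal.
# Assumption: tune per environment.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

# Host binary -> hijacked DLL name, as reported for Green Nailao (escalates severity).
KNOWN_PAIRS = {"logger.exe": "logexts.dll", "mcoemcpy.exe": "mcutil.dll"}

# Constructed records in the shape of Sysmon Event ID 7. HostSigned/HostSignature
# are an assumed enrichment; native EID 7 only describes ImageLoaded's signature.
SAMPLE_IMAGE_LOADS = [
    {"UtcTime": "2024-08-12 09:14:02", "ProcessId": 4120, "HostSigned": "true",
     "HostSignature": "Microsoft Corporation", "Signed": "false", "SignatureStatus": "Unavailable",
     "Image": r"C:\Users\Public\Libraries\logger.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\logexts.dll"},
    {"UtcTime": "2024-08-12 09:20:41", "ProcessId": 5012, "HostSigned": "true",   # legit install, must not fire
     "HostSignature": "Microsoft Corporation", "Signed": "true", "SignatureStatus": "Valid",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\logger.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\logexts.dll"},
    {"UtcTime": "2024-08-13 11:02:17", "ProcessId": 6644, "HostSigned": "true",
     "HostSignature": "McAfee, Inc.", "Signed": "false", "SignatureStatus": "Unavailable",
     "Image": r"C:\ProgramData\McAfee\mcoemcpy.exe",
     "ImageLoaded": r"C:\ProgramData\McAfee\McUtil.dll"},
    {"UtcTime": "2024-08-13 11:06:30", "ProcessId": 6700, "HostSigned": "true",   # generic, unknown pair
     "HostSignature": "Example Corp", "Signed": "false", "SignatureStatus": "Unavailable",
     "Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\helper.dll"},
    {"UtcTime": "2024-08-13 12:00:00", "ProcessId": 7001, "HostSigned": "false",  # unsigned host: not side-loading
     "HostSignature": "", "Signed": "false", "SignatureStatus": "Unavailable",
     "Image": r"C:\Users\bob\Downloads\crack.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\crack.dll"},
]

# Constructed records in the shape of Sysmon Event ID 13 for service ImagePath writes.
SAMPLE_REGISTRY_SETS = [
    {"UtcTime": "2024-08-12 09:14:05", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\LogSvc\ImagePath",
     "Details": r"C:\Users\Public\Libraries\logger.exe"},
    {"UtcTime": "2024-08-12 10:00:00", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
]


def _in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def _same_dir(a: str, b: str) -> bool:
    return str(PureWindowsPath(a).parent).lower() == str(PureWindowsPath(b).parent).lower()


def score_image_load(ev: dict) -> Optional[dict]:
    """Return a finding if the load looks like search-order hijacking, else None."""
    host, dll = ev["Image"], ev["ImageLoaded"]
    if ev.get("HostSigned") != "true":             # side-loading relies on a trusted host
        return None
    if not _same_dir(host, dll) or _in_trusted_dir(host):
        return None                                # co-located DLLs are expected in install dirs
    if ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid":
        return None                                # a validly signed DLL is not the hijack
    host_name = PureWindowsPath(host).name.lower()
    dll_name = PureWindowsPath(dll).name.lower()
    severity = "high" if KNOWN_PAIRS.get(host_name) == dll_name else "medium"
    return {"time": ev.get("UtcTime"), "pid": ev.get("ProcessId"), "host": host, "dll": dll,
            "severity": severity, "reason": "signed host loaded unsigned co-located DLL outside trusted dirs"}


def _image_path_binary(details: str) -> str:
    """Extract the executable from an ImagePath value (quoted or first token)."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split()[0] if d else d


def score_service_persistence(ev: dict) -> Optional[dict]:
    """Flag a service ImagePath outside trusted dirs (the 'service to run logger.exe' step)."""
    target = ev.get("TargetObject", "").lower()
    if not (target.startswith("hklm\\system\\currentcontrolset\\services\\") and target.endswith("\\imagepath")):
        return None
    binary = _image_path_binary(ev.get("Details", ""))
    if _in_trusted_dir(binary):
        return None
    return {"time": ev.get("UtcTime"), "service_key": ev["TargetObject"], "binary": binary,
            "severity": "medium", "reason": "service ImagePath points outside trusted dirs"}


def hunt(image_loads: Iterable, registry_sets: Iterable = ()) -> list:
    """Run both rules; records may be dicts or JSON strings (one record each)."""
    findings = []
    for rec in image_loads:
        f = score_image_load(json.loads(rec) if isinstance(rec, str) else rec)
        if f:
            findings.append(f)
    for rec in registry_sets:
        f = score_service_persistence(json.loads(rec) if isinstance(rec, str) else rec)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_IMAGE_LOADS, SAMPLE_REGISTRY_SETS):
        print(json.dumps(finding))
```

On the sample data the rules fire on the two reported pairs (high), on the generic signed-host/unsigned-DLL load from a Temp directory (medium), and on the LogSvc service pointing into C:\Users\Public (medium), while the legitimate Debugging Tools install under Program Files and the unsigned-host case stay quiet. Correlating a high image-load finding with a service finding for the same binary within minutes is the strongest version of this signal; the encrypted third file is not visible in load telemetry and has to be confirmed on disk.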
The researchers detail that ShadowPad is known for its usage in cyberespionage campaigns against government entities, academic institutions, energy organizations, think tanks, or technology companies. “This modular backdoor is suspected to be privately shared or sold among Chinese APTs since 2015 at least. In our cases, we identified what we believe is a new variant of ShadowPad featuring complexified obfuscation and anti-debug measures,” they added.
ShadowPad was observed establishing communication with a C2 server to create a discreet access point within the victims’ information systems, independent of VPN access. “In fact, we observed in some cases more than two weeks between these first stages of compromise and post-exploitation activities,” the researchers wrote. “It should also be noted that we retrieved indications that several ShadowPad backdoors were installed on different machines belonging to the same organization.”
The Orange CyberDefense researchers assessed with medium confidence that the Green Nailao cluster aligns with typical Chinese intrusion sets. This assessment rests on the use of ShadowPad, an implant almost exclusively associated with China-nexus intrusion operations to date, and on the adoption of consistent TTPs, notably three-file execution chains that use DLL search-order hijacking to execute the payloads (i.e., a legitimate executable vulnerable to DLL side-loading, a DLL loader, and an encrypted payload). SecureWorks attributes some of these three-file execution chains to the BRONZE UNIVERSITY Chinese APT.
Additionally, some weak TTP overlaps were found with Cluster Alpha (STAC1248), a cluster mentioned in the 2023 Crimson Palace operation detailed by Sophos.
The researchers proposed several hypotheses regarding the ultimate goals of the Green Nailao campaign. One is that the encryption and ransom demand serve as a loud false-flag distraction, shifting attention away from the actual, stealthier goal of data exfiltration. Yet the targets lacked strategic significance, which makes the effort spent obscuring the intent an anomaly, and the ransomware deployment did a poor job of concealing the espionage-related backdoors.
They also suggested that Green Nailao’s ransomware may be a way to kill two birds with one stone: strategic data theft operations combined with a profitable, financially motivated extortion scheme. “This combination, which for instance characterizes many North Korean cyberattacks, could aim at financing more strategic operations from the threat actors. Yet, based on our analysis of one of the wallets associated with the cluster, the latter do not appear to have made a lot of money with their cyberattacks.”
A third hypothesis put forward in the post is that the ransomware is an ‘on the side’ moonlighting scheme run for profit by a threat actor who belongs to an advanced Chinese cyberespionage group or has access to its intrusion toolkit. “This could help explaining the sophistication contrast between ShadowPad and NailaoLocker, with NailaoLocker sometimes even attempting to mimic ShadowPad’s loading techniques. This same hypothesis was also put forward by Symantec researchers and might be the most likely.”
Pichon and Bonnefoi wrote that the targeting of healthcare-related entities by state-aligned groups, including from China, is not new. “As recalled in the French National Cybersecurity Agency’s (ANSSI) Threat landscape for the healthcare sector, while such campaigns can sometimes be conducted opportunistically, they often allow threat groups to gain access to information systems that can be used later to conduct other offensive operations.”
Researchers from Mandiant, for instance, observed APT41 targeting U.S. pharmaceutical entities in early 2020, while APT18 and APT10 have historically been tied to even older breaches affecting this vertical.
In their conclusion, the researchers detailed that they were able to document a new threat for European organizations. “Suspected to emanate from a China-nexus intrusion set, the campaign we track as Green Nailao revealed new insights on the ShadowPad backdoor which had never been publicly linked to ransomware delivery before. This report also detailed a new ransomware payload we named NailaoLocker.”
They added that while the Green Nailao campaign seems to remain limited in terms of volume, it highlights the importance for organizations to apply security patches as soon as they are released.