A previously undocumented threat group has been targeting European organizations, especially within the healthcare sector, deploying a series of malware known as PlugX, ShadowPad, and, in some instances, a ransomware variant named NailaoLocker.
The campaign, referred to as 'Green Nailao' by Orange Cyberdefense CERT, took place from June to October 2024, exploiting a recently patched vulnerability in Check Point network gateway security products (CVE-2024-24919).
The attackers first exploited the vulnerability to gain initial access, steal user credentials, and connect to the organization's VPN with legitimate accounts. The campaign then used a technique known as DLL search-order hijacking to deploy two types of malware: PlugX and its successor, ShadowPad. These two implants have historically been linked to Chinese-aligned espionage activities.
In the early phase of the attack, threat actors conducted network reconnaissance and lateral movement via Remote Desktop Protocol (RDP) to escalate their privileges. Subsequently, they executed a legitimate binary, "logger.exe," to sideload a malicious DLL file, "logexts.dll," which acted as a loader for ShadowPad. In a similar campaign detected in August 2024, attackers used PlugX, which also utilized DLL side-loading, but through a McAfee executable, "mcoemcpy.exe," to load "McUtil.dll."
The malware established persistent remote access to victim systems and was used in attempts to exfiltrate data. Later stages of the attack involved Windows Management Instrumentation (WMI) to transfer files, including "usysdiag.exe" (a legitimate executable signed by a Beijing-based technology company), the loader "sensapi.dll," and the ransomware payload "usysdiag.exe.dat," which contains NailaoLocker.
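The three side-loading pairs named above (logger.exe/logexts.dll, mcoemcpy.exe/McUtil.dll, usysdiag.exe/sensapi.dll) lend themselves to a simple detection. The following Python is an added example, not code from the Orange Cyberdefense report: it scans constructed Sysmon-style ImageLoad lines and flags a listed host loading its paired DLL from the same untrusted directory. The log line format and the list of trusted install roots are assumptions to be tuned per environment.

```python
import re
from pathlib import PureWindowsPath

# Host executable -> DLL pairs named in the Green Nailao reporting above.
SIDELOAD_PAIRS = {
    "logger.exe": "logexts.dll",     # ShadowPad loader
    "mcoemcpy.exe": "mcutil.dll",    # PlugX loader
    "usysdiag.exe": "sensapi.dll",   # NailaoLocker loader
}

# Assumption: a paired DLL loaded from outside these install roots is a
# side-load candidate. Tune this list for the estate being monitored.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Minimal parser for Sysmon-style ImageLoad (Event ID 7) key="value" lines.
LINE_RE = re.compile(r'Image="(?P<image>[^"]+)".*?ImageLoaded="(?P<loaded>[^"]+)"')

def parse_event(line):
    m = LINE_RE.search(line)
    return None if m is None else {"image": m["image"], "loaded": m["loaded"]}

def is_sideload(event):
    host = PureWindowsPath(event["image"])
    dll = PureWindowsPath(event["loaded"])
    if SIDELOAD_PAIRS.get(host.name.lower()) != dll.name.lower():
        return False
    # Search-order hijacking places the DLL beside the executable, so the
    # pair is only suspicious when both sit in an untrusted directory.
    same_dir = str(host.parent).lower() == str(dll.parent).lower()
    untrusted = not str(dll.parent).lower().startswith(TRUSTED_ROOTS)
    return same_dir and untrusted

def find_sideloads(lines):
    return [(ev["image"], ev["loaded"])
            for ev in map(parse_event, lines) if ev and is_sideload(ev)]

# Constructed sample telemetry, not real event data from the campaign.
SAMPLE_LOG = [
    'EventID=7 Image="C:\\ProgramData\\Tools\\logger.exe" ImageLoaded="C:\\ProgramData\\Tools\\logexts.dll"',
    'EventID=7 Image="C:\\Windows\\System32\\svchost.exe" ImageLoaded="C:\\Windows\\System32\\sensapi.dll"',
    'EventID=7 Image="C:\\Users\\Public\\usysdiag.exe" ImageLoaded="C:\\Users\\Public\\sensapi.dll"',
    'EventID=7 Image="C:\\Program Files\\McAfee\\mcoemcpy.exe" ImageLoaded="C:\\Program Files\\McAfee\\McUtil.dll"',
]

if __name__ == "__main__":
    for image, loaded in find_sideloads(SAMPLE_LOG):
        print(f"possible DLL side-load: {image} -> {loaded}")
```

The McAfee line is deliberately left unflagged: a legitimate McUtil.dll beside mcoemcpy.exe under Program Files is the expected layout, which is why the rule keys on the directory rather than the pair alone.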
Once deployed, NailaoLocker, which is a C++-based ransomware, encrypted files on infected systems, appending the ".locked" extension and leaving a ransom note demanding payment in Bitcoin or contact via a Proton Mail address. Despite its functionality as ransomware, NailaoLocker was described as "unsophisticated and poorly designed," lacking certain key features typical of more advanced ransomware. It does not scan network shares, disable critical system processes, or check for debugging activities.
Orange Cyberdefense CERT attributed this activity to a Chinese-aligned threat actor with medium confidence, based on the use of ShadowPad, DLL side-loading techniques, and the similarities with ransomware operations linked to another Chinese group, Bronze Starlight. Additionally, the use of the "usysdiag.exe" loader had been observed in prior attacks attributed to the Cluster Alpha threat group (also known as STAC1248), which is also linked to China.
The exact motivations behind the campaign remain unclear, but researchers speculate that the threat group may be engaging in opportunistic attacks aimed at gaining quick financial profit through ransomware while also positioning themselves for potential future espionage activities.