Silver Dragon APT Targets Govs via Google Drive C2

by CyberNewsAI Admin
Tags: Threat Intelligence, Vulnerability Watch, Cloud Defense

Executive Summary

A newly identified threat actor, designated Silver Dragon, has been linked to the prolific APT41 umbrella and is conducting cyber-espionage campaigns against government entities in Europe and Southeast Asia. Active since at least mid-2024, the adversary uses several infection chains to deliver Cobalt Strike beacons. A key finding is the group's custom backdoor, GearDoor, which uses Google Drive for command-and-control (C2): its traffic is ordinary TLS to a legitimate Google endpoint, so it blends with normal cloud usage and evades detections that key on attacker-owned infrastructure.

Key Findings

Threat Actor Profile

Silver Dragon is assessed as a sub-group or affiliate operating under the APT41 framework, a China-nexus threat actor known for both espionage and financially motivated attacks. This campaign primarily focuses on government targets, consistent with state-sponsored espionage objectives. The adversary demonstrates a high level of operational capability, continuously evolving its toolset across campaigns.

Initial Access Vectors

The adversary gains initial footholds through two primary vectors:

Exploitation of Public-Facing Services: Compromising vulnerable internet-facing servers to deploy initial payloads.

Phishing Campaigns: Delivering emails with malicious Windows Shortcut (LNK) attachments, primarily observed in campaigns targeting Uzbekistan.

For persistence, the group hijacks legitimate Windows services, allowing malware to blend with normal system activity.

Technical Analysis: Infection Chains

Chain 1: AppDomain Hijacking

This chain, likely used in post-exploitation scenarios, begins with a RAR archive containing a batch script. The script stages MonikerLoader, a .NET loader that decrypts a second-stage payload and executes it directly in memory; that second stage in turn loads the final Cobalt Strike beacon. The chain's name refers to the .NET AppDomainManager injection technique, in which a configuration file dropped beside a legitimate .NET executable instructs the runtime to load an attacker-supplied assembly, so the loader executes inside a trusted process rather than as a standalone binary.

Chain 2: Service DLL

Similar to the first chain, this vector uses a batch script from a compressed archive. It delivers BamboLoader, a heavily obfuscated C++ shellcode loader. BamboLoader is registered as a new Windows service and is configured to decrypt shellcode from disk and inject it into a legitimate, configurable Windows process such as taskhost.exe.

Chain 3: Phishing LNK Chain

A weaponized LNK file launches PowerShell through cmd.exe; the PowerShell stage then extracts and writes four files:

  • A decoy document to distract the victim.
  • A legitimate executable, GameHook.exe, that resolves a DLL from its own directory and is therefore vulnerable to DLL side-loading.
  • A malicious DLL named graphics-hook-filter64.dll (an instance of BamboLoader).
  • An encrypted Cobalt Strike payload named simhei.dat.

The legitimate GameHook.exe is executed and loads graphics-hook-filter64.dll from its own directory in place of the library it expects; the BamboLoader code inside that DLL decrypts simhei.dat and launches the Cobalt Strike beacon.
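The three chains above leave distinct endpoint traces: an explorer.exe > cmd.exe > powershell.exe ancestry from the LNK, the three named artifacts dropped together, an unsigned DLL loaded from the same user-writable directory as its host executable, and a new service whose binary lives outside the usual system paths. The following is an added hunting example written for this article, not code from the report's authors or from any vendor; it runs over a constructed, simplified Sysmon-like event schema (the `EVENTS` list and its field names are assumptions made here) and flags each of those traces.

```python
"""Hunt constructed endpoint telemetry for the Silver Dragon infection chains.

Added example for this article, not vendor or report code. The event schema
(Sysmon-like dicts) and every sample event below are constructed here.
"""
from collections import defaultdict

# Constructed sample telemetry: one LNK chain on WS01, one suspicious
# service install on SRV02, and benign activity that must not alert.
EVENTS = [
    # Chain 3: explorer.exe -> cmd.exe -> powershell.exe, then the four drops
    {"type": "process_create", "host": "WS01", "pid": 1001, "ppid": 900,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -f drop.ps1"},
    {"type": "process_create", "host": "WS01", "pid": 1002, "ppid": 1001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -w hidden -f drop.ps1"},
    {"type": "file_create", "host": "WS01", "pid": 1002,
     "path": r"C:\Users\alice\AppData\Local\Temp\GameHook.exe"},
    {"type": "file_create", "host": "WS01", "pid": 1002,
     "path": r"C:\Users\alice\AppData\Local\Temp\graphics-hook-filter64.dll"},
    {"type": "file_create", "host": "WS01", "pid": 1002,
     "path": r"C:\Users\alice\AppData\Local\Temp\simhei.dat"},
    {"type": "process_create", "host": "WS01", "pid": 1003, "ppid": 1002,
     "image": r"C:\Users\alice\AppData\Local\Temp\GameHook.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "GameHook.exe"},
    {"type": "image_load", "host": "WS01", "pid": 1003,
     "image": r"C:\Users\alice\AppData\Local\Temp\GameHook.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\graphics-hook-filter64.dll",
     "signed": False},
    # Chain 2: a new service whose binary sits in a user-writable directory
    {"type": "service_install", "host": "SRV02", "name": "WinSysUpdate",
     "image_path": r"C:\ProgramData\update\svc.exe"},
    # Benign: system service from System32, signed DLL load from System32
    {"type": "service_install", "host": "SRV02", "name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "image_load", "host": "WS02", "pid": 2001,
     "image": r"C:\Program Files\App\app.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]

# File names reported for the phishing chain (lower-cased for comparison).
ARTIFACTS = {"gamehook.exe", "graphics-hook-filter64.dll", "simhei.dat"}
# Path fragments that indicate a location a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def user_writable(path):
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def hunt(events):
    """Return (host, rule, detail) tuples for every matching event."""
    findings = []
    by_pid = {(e["host"], e["pid"]): e for e in events if e["type"] == "process_create"}
    for e in events:
        kind = e["type"]
        if (kind == "process_create" and basename(e["image"]) == "powershell.exe"
                and basename(e["parent_image"]) == "cmd.exe"):
            # Walk one level up: cmd.exe spawned by explorer.exe is the LNK pattern
            grandparent = by_pid.get((e["host"], e["ppid"]))
            if grandparent and basename(grandparent["parent_image"]) == "explorer.exe":
                findings.append((e["host"], "lnk_chain", "explorer>cmd>powershell"))
        elif kind == "file_create" and basename(e["path"]) in ARTIFACTS:
            findings.append((e["host"], "artifact_drop", basename(e["path"])))
        elif (kind == "image_load" and not e["signed"]
                and user_writable(e["loaded"])
                and dirname(e["image"]) == dirname(e["loaded"])):
            # Unsigned DLL loaded from the host binary's own user-writable folder
            findings.append((e["host"], "sideload", basename(e["loaded"])))
        elif kind == "service_install" and user_writable(e["image_path"]):
            findings.append((e["host"], "service_userwritable", e["name"]))
    return findings


def by_host(findings):
    """Group rule hits per host so an analyst sees the whole chain at once."""
    grouped = defaultdict(list)
    for host, rule, detail in findings:
        grouped[host].append(f"{rule}:{detail}")
    return dict(grouped)


if __name__ == "__main__":
    for host, hits in by_host(hunt(EVENTS)).items():
        print(host, "->", ", ".join(hits))
```

The sideload rule deliberately keys on behaviour (unsigned DLL, same directory as the loader, user-writable path) rather than on the two file names alone, so it still fires when the operators rename the artifacts; the `artifact_drop` rule exists only to confirm this specific campaign.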

Post-Exploitation Arsenal

Custom Tooling

  • SilverScreen: A .NET screen-monitoring tool that captures periodic screenshots of user activity, including cursor positions.
  • SSHcmd: A .NET command-line utility for remote command execution and file transfer over SSH.
  • GearDoor: A .NET backdoor that uses Google Drive for C2. It shares code similarities with MonikerLoader.

C2 Analysis: Google Drive

The GearDoor backdoor authenticates to an attacker-controlled Google Drive account and uses the extension of each file in the Drive to tell tasking apart from results, so no custom protocol is visible on the wire:

  • *.png: Heartbeat files uploaded by the implant, containing basic system information.
  • *.pdf: Tasking for command execution and directory operations. Results are uploaded as .db files.
  • *.cab: Tasking for host reconnaissance, process enumeration, and file uploads. Status is reported in .bak files.
  • *.rar: Tasking for payload execution. A file named wiatrace.bak triggers a self-update routine.
  • *.7z: Tasking to execute plugins in memory.
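Because the Drive session is legitimate TLS to Google, the detectable signal is the shape of the activity rather than the destination: small uploads of "images" at a fixed cadence, downloads of archive or document extensions that are then answered by .db or .bak uploads, and the wiatrace.bak update marker. The following is an added example written for this article, not code from the report's authors or any vendor. It assumes Drive activity is available per host as constructed key=value log lines (for instance from a TLS-inspecting proxy or a Drive audit export; the field names and the `SAMPLE_LOG` contents are assumptions made here) and scores each host against that pattern.

```python
"""Score per-host Google Drive activity against the GearDoor tasking pattern.

Added example for this article, not report or vendor code. The key=value log
format and all SAMPLE_LOG lines are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

TASKING = {"pdf", "cab", "rar", "7z"}   # extensions the implant downloads as tasks
RESULTS = {"db", "bak"}                  # extensions it uploads as results/status
HEARTBEAT = "png"                        # extension of the periodic beacon upload
SELF_UPDATE = "wiatrace.bak"             # file name that triggers self-update

# Constructed sample: WS01 shows the implant pattern, WS02 is ordinary usage.
SAMPLE_LOG = """\
ts=2025-03-04T09:00:00Z host=WS01 op=upload name=a1.png bytes=310
ts=2025-03-04T09:05:01Z host=WS01 op=upload name=a2.png bytes=312
ts=2025-03-04T09:06:10Z host=WS01 op=download name=job7.pdf bytes=88
ts=2025-03-04T09:06:40Z host=WS01 op=upload name=job7.db bytes=5120
ts=2025-03-04T09:10:00Z host=WS01 op=upload name=a3.png bytes=309
ts=2025-03-04T09:12:00Z host=WS01 op=download name=wiatrace.bak bytes=201000
ts=2025-03-04T09:15:02Z host=WS01 op=upload name=a4.png bytes=311
ts=2025-03-04T09:03:00Z host=WS02 op=upload name=q1-report.pdf bytes=1048576
ts=2025-03-04T11:40:00Z host=WS02 op=download name=budget.xlsx bytes=20480
ts=2025-03-04T13:00:00Z host=WS02 op=upload name=team-photo.png bytes=3000000
"""


def parse(line):
    """Turn one key=value line into a record with a datetime and extension."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["ext"] = rec["name"].rsplit(".", 1)[-1].lower()
    return rec


def regular_cadence(times, min_count=3, max_jitter=0.2):
    """True when at least min_count events are spaced near-constantly.

    A beacon with sleep jitter still keeps the gap standard deviation well
    below the mean gap; human uploads do not.
    """
    if len(times) < min_count:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return pstdev(gaps) <= max_jitter * mean(gaps)


def analyze(log_text):
    """Return a per-host verdict dict keyed by host name."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            per_host[rec["host"]].append(rec)

    verdicts = {}
    for host, recs in per_host.items():
        recs.sort(key=lambda r: r["ts"])
        beats = [r["ts"] for r in recs if r["op"] == "upload" and r["ext"] == HEARTBEAT]
        tasking = [r["name"] for r in recs if r["op"] == "download" and r["ext"] in TASKING]
        results = [r["name"] for r in recs if r["op"] == "upload" and r["ext"] in RESULTS]
        heartbeat = regular_cadence(beats)
        self_update = any(r["name"].lower() == SELF_UPDATE for r in recs)
        # Two independent indicators are required so a lone .pdf download
        # or a single photo upload never trips the rule on its own.
        score = sum([heartbeat, bool(tasking), bool(results), self_update])
        verdicts[host] = {
            "heartbeat": heartbeat,
            "tasking": tasking,
            "results": results,
            "self_update": self_update,
            "suspicious": score >= 2,
        }
    return verdicts


if __name__ == "__main__":
    for host, verdict in analyze(SAMPLE_LOG).items():
        print(host, verdict)
```

The cadence check is the part worth tuning in production: widen `max_jitter` if the implant is observed to randomise its sleep, and lengthen the observation window well beyond the five-minute interval used in the constructed sample so that three heartbeats are actually captured.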

Mitigation & Recommendations

  • Patch Management: Aggressively patch public-facing applications and servers to mitigate initial access via exploitation.
  • Email Security: Implement robust email filtering to block malicious attachments, including LNK files and compressed archives containing scripts.
  • Application Control: Use application allowlisting so that unknown or unsigned binaries and scripts cannot run from user-writable paths. Note that MonikerLoader and BamboLoader are analyst-assigned family names; the files carry arbitrary names on disk, so allowlisting must be based on hash, path, or publisher rather than on those labels.
  • Egress Traffic Monitoring: GearDoor's C2 is TLS to legitimate Google endpoints, so blocking by destination alone is ineffective. Log Drive API activity through a TLS-inspecting proxy or Google Workspace audit logs, restrict Drive access to the organisation's own tenant where the proxy supports it, and alert on small uploads at a fixed cadence and on file-extension patterns that do not match normal document sharing.
  • Endpoint Detection & Response (EDR): Deploy EDR solutions to detect TTPs such as process injection (e.g., into taskhost.exe), DLL side-loading, and in-memory payload execution.
  • Threat Hunting: Hunt for associated tool names and file artifacts, such as GameHook.exe, graphics-hook-filter64.dll, and simhei.dat.
