
A newly discovered cyber threat group has been targeting European organizations, particularly in the healthcare sector, using PlugX and its successor, ShadowPad. In some instances, these intrusions have escalated to deploying a ransomware strain known as NailaoLocker.
This cyber campaign, identified as Green Nailao by Orange Cyberdefense CERT, took advantage of a recently patched security vulnerability in Check Point network gateway security products (CVE-2024-24919, CVSS score: 7.5). The observed attacks took place between June and October 2024.
“The attackers used DLL search-order hijacking to deploy ShadowPad and PlugX—both of which are commonly linked to Chinese state-backed cyber activities.”
Exploitation of Check Point Vulnerability
By exploiting unpatched Check Point instances, the attackers managed to obtain user credentials, allowing them to connect to the network through a legitimate VPN account.
Following initial access, the threat actors conducted network reconnaissance and lateral movement via Remote Desktop Protocol (RDP) to escalate privileges. They then executed a legitimate binary (“logger.exe”) to sideload a rogue DLL (“logexts.dll”), which functioned as a loader for an advanced version of the ShadowPad malware.
Previous attacks detected in August 2024 followed similar techniques to deploy PlugX. This included using a McAfee executable (“mcoemcpy.exe”) to sideload “McUtil.dll,” a key component in the infection process.
ShadowPad’s Role in Espionage
ShadowPad, a malware strain sold privately to advanced threat actors, has been linked to Chinese cyber espionage since at least 2015. The version identified by Orange Cyberdefense CERT features enhanced obfuscation, anti-debugging techniques, and remote server communication to maintain persistent access to compromised systems.

Evidence suggests that the attackers attempted to extract sensitive data by navigating the file system and creating ZIP archives. The attack chain concluded with the use of Windows Management Instrumentation (WMI) to deploy three key files:
A genuine executable file from Beijing Huorong Network Technology Co., Ltd. (usysdiag.exe).
A loader named NailaoLoader (“sensapi.dll”).
The ransomware payload NailaoLocker (“usysdiag.exe.dat”).
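The three sideloading pairs described above (“logger.exe”/“logexts.dll”, “mcoemcpy.exe”/“McUtil.dll”, and “usysdiag.exe”/“sensapi.dll”) share one detectable shape: a legitimate, signed host executable loads a DLL by name, and the attacker plants a rogue copy of that DLL where the loader's search order finds it first. The following detector is an added example, not code from the Orange Cyberdefense report or any product it mentions. It takes Sysmon-style image-load records (host executable path plus loaded DLL path) and flags two generic indicators: a DLL whose name matches a file that normally lives in a fixed system or vendor directory being loaded from somewhere else, and a DLL loaded from the same user-writable directory as its host executable. The expected directories, the sample file paths and the events themselves are constructed for the demonstration; only the DLL and executable names come from the article.

```python
"""Flag DLL search-order hijacking candidates in image-load telemetry.

Added example (not from the Orange Cyberdefense report). Input records mimic
Sysmon Event ID 7 ("Image loaded"): the host process image and the DLL path.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ImageLoad:
    process_image: str  # full path of the executable that performed the load
    dll_path: str       # full path of the DLL that was mapped


# Where each watched DLL is expected to live. logexts.dll and sensapi.dll are
# standard Windows components under System32/SysWOW64; the McAfee install
# roots for McUtil.dll are an assumption made for this example.
EXPECTED_DLL_DIRS = {
    "logexts.dll": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "sensapi.dll": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "mcutil.dll": ("c:\\program files\\mcafee", "c:\\program files (x86)\\mcafee"),
}

# Locations an unprivileged user can write to. A DLL loaded from here, sitting
# next to its host executable, is the classic sideloading layout.
USER_WRITABLE_ROOTS = ("c:\\users", "c:\\programdata", "c:\\windows\\temp")


def _norm(path: PureWindowsPath) -> str:
    """Lower-cased string form so comparisons are case-insensitive like NTFS."""
    return str(path).lower()


def _under(directory: str, roots) -> bool:
    """True if a normalized directory is one of the roots or nested beneath one."""
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def analyze(event: ImageLoad) -> list[str]:
    """Return the reasons an image load looks like sideloading (empty if clean)."""
    dll = PureWindowsPath(event.dll_path)
    proc = PureWindowsPath(event.process_image)
    dll_dir = _norm(dll.parent)
    proc_dir = _norm(proc.parent)
    dll_name = dll.name.lower()
    reasons = []

    # Indicator 1: a watched DLL name served from outside its expected directory.
    expected = EXPECTED_DLL_DIRS.get(dll_name)
    if expected and not _under(dll_dir, expected):
        reasons.append(f"{dll.name} loaded from unexpected directory {dll_dir}")

    # Indicator 2: DLL co-located with its host in a user-writable directory.
    if dll_dir == proc_dir and _under(dll_dir, USER_WRITABLE_ROOTS):
        reasons.append(f"{proc.name} loaded co-located {dll.name} from user-writable {dll_dir}")

    return reasons


def scan(events) -> dict:
    """Map each suspicious event to its reasons; clean events are omitted."""
    findings = {}
    for ev in events:
        reasons = analyze(ev)
        if reasons:
            findings[ev] = reasons
    return findings


# Constructed sample telemetry: one benign system load, three sideloading
# layouts using the names from the article, one legitimate vendor load.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\sensapi.dll"),
    ImageLoad(r"C:\ProgramData\Huorong\usysdiag.exe", r"C:\ProgramData\Huorong\sensapi.dll"),
    ImageLoad(r"C:\Users\Public\logger.exe", r"C:\Users\Public\logexts.dll"),
    ImageLoad(r"C:\Windows\Temp\mcoemcpy.exe", r"C:\Windows\Temp\McUtil.dll"),
    ImageLoad(r"C:\Program Files\McAfee\Agent\mcoemcpy.exe",
              r"C:\Program Files\McAfee\Agent\McUtil.dll"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS).items():
        print(f"[SUSPICIOUS] {ev.process_image}")
        for r in reasons:
            print(f"    - {r}")
```

The two indicators are deliberately independent: the first catches a known-name DLL wherever the host runs from, the second catches the co-located layout even for DLL names not yet on the watchlist. In a real deployment the expected-directory table would be generated from a clean baseline of the estate rather than typed by hand, and the user-writable roots extended to whatever paths local policy allows users to write.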
NailaoLocker Ransomware: A Less Sophisticated Threat
Once the malware is sideloaded via “usysdiag.exe,” it decrypts and executes NailaoLocker. This ransomware, developed in C++, encrypts files, appends a “.locked” extension, and leaves a ransom note demanding Bitcoin payments or contact via a Proton Mail address.
Despite its impact, researchers Marine Pichon and Alexis Bonnefoi noted that NailaoLocker is relatively basic and poorly designed.
“It does not scan network shares, halt services, or terminate processes that could obstruct the encryption of crucial files,” they explained. “Additionally, it lacks built-in mechanisms to detect if it’s being analyzed or debugged.”
Attribution and Possible Motives
Orange Cyberdefense CERT has attributed the attack to a China-aligned threat group with medium confidence. This assessment is based on the presence of the ShadowPad implant, the use of DLL sideloading techniques, and similarities with past ransomware campaigns linked to the Chinese hacking group Bronze Starlight.
Further connections were made to Cluster Alpha (aka STAC1248), a Chinese-linked cyber intrusion set previously observed by Sophos, which also leveraged “usysdiag.exe” to sideload additional payloads.
While the exact motives behind this campaign remain unclear, researchers speculate that financial gain may be a driving factor.
“The stark contrast in sophistication between ShadowPad and NailaoLocker suggests that the attackers might be looking for quick financial returns while simultaneously maintaining access to valuable information systems,” researchers concluded. “Such campaigns often start opportunistically but can later serve as entry points for more advanced cyber operations.”
With growing cyber threats targeting critical sectors, organizations are advised to promptly patch vulnerabilities, monitor for suspicious activity, and implement robust security measures to prevent unauthorized access and data breaches.