Hackers target Pakistani government, bank and telecom provider with China-made malware
An unknown hacker group compromised a Pakistani government app to infect victims with the China-linked Shadowpad malware, researchers have found.
Cybersecurity firm Trend Micro identified three entities in Pakistan targeted by Shadowpad last year: an unnamed government agency, a state bank and a telecommunications provider.
The researchers believe it may have been a supply-chain attack, in which hackers compromise third-party software to reach their intended targets.
In the incident, hackers modified a Microsoft installer built by a Pakistani government entity for the E-Office app, which helps the country’s public agencies to go paperless.
This app is intended for government bodies only and is not publicly available.
“It enforces our belief that the incident could be a supply-chain attack,” the researchers said.
Hackers added three files to the legitimate Microsoft installer to sideload a malicious payload.
Shadowpad is an advanced malware family first discovered in 2017 after a supply-chain attack on a popular computer cleanup tool called CCleaner. The malware is believed to have been developed by a Chinese espionage threat actor known as APT41, or Barium.
Trend Micro said it did not find enough evidence to attribute the attack to a known threat actor, but the fact that the hackers had access to a recent version of Shadowpad potentially links them to the nexus of Chinese threat groups.
Shadowpad is a shared malware family and since 2019 has been distributed among multiple Chinese espionage threat actors, including Earth Akhlut or Earth Lusca, which makes attribution complicated.
In one victim’s environment, researchers found multiple malware families that they attribute “with high confidence” to the Chinese hacking group Calypso.
In June, a previously unknown Chinese-speaking threat actor exploited a vulnerability in Microsoft Exchange Server to target the telecommunications, manufacturing, and transport sectors in Afghanistan, Malaysia, and Pakistan with Shadowpad malware.
During these attacks, the Shadowpad backdoor was downloaded onto the attacked computers under the guise of legitimate software.
“The Shadowpad authors continue to update their piece of malware, making its reverse engineering more difficult,” researchers said. “We expect to see more threat actors using this updated Shadowpad version in the future.”
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.