The newly identified threat operation RedFly has targeted an unnamed Asian country's national grid with the ShadowPad malware, also known as PoisonPlug, stealing credentials and compromising numerous computers over a six-month period, according to The Hacker News.
The initial compromise of the power grid began with the execution of ShadowPad on a single computer on Feb. 23, a report from the Symantec Threat Hunter Team showed.
ShadowPad was executed again on May 17, coinciding with the deployment of the Packerloader tool, which can execute arbitrary shellcode. RedFly then ran several PowerShell commands to collect storage device information and dump credentials from the Windows Registry, clearing security logs as it went; LSASS credentials were dumped before the end of May.
Between July 27 and Aug. 3, the attackers were observed installing a keylogger and extracting credentials from LSASS and the Registry.
The infrastructure and tooling used in the attack resemble those of the Chinese state-backed threat operation APT41, also known as Winnti, researchers said.
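As an added detection example (not from the article or Symantec's report), the script below correlates constructed Windows endpoint telemetry for the chain described above: PowerShell-driven saves of credential hives from the Registry, clearing of the Security event log, and access to LSASS by a process that normally has no reason to open it. The event field names, hostnames and the LSASS allowlist are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the Symantec report): process-creation
# events carry "cmdline"; process-access events carry "source" and "target".
SAMPLE_EVENTS = [
    {"host": "ws-11", "type": "process_create",
     "cmdline": 'powershell -nop -c "reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"'},
    {"host": "ws-11", "type": "process_create",
     "cmdline": 'powershell -c "wevtutil cl Security"'},
    {"host": "ws-11", "type": "process_access",
     "source": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target": "C:\\Windows\\System32\\lsass.exe"},
    {"host": "ws-02", "type": "process_create",
     "cmdline": "powershell -c Get-ChildItem C:\\Users"},
    {"host": "ws-02", "type": "process_access",
     "source": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "target": "C:\\Windows\\System32\\lsass.exe"},
]

# Command-line patterns for the two PowerShell-driven steps in the article.
CMDLINE_RULES = {
    "registry_hive_dump": re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SAM|SECURITY|SYSTEM)\b", re.I),
    "security_log_cleared": re.compile(r"wevtutil(\.exe)?\s+cl\s+Security\b|Clear-EventLog\b.*\bSecurity\b", re.I),
}
# Processes that legitimately open LSASS on a typical host (assumed list; tune per estate).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

def classify(event):  # technique names that a single event matches
    hits = []
    if event["type"] == "process_create":
        for name, pattern in CMDLINE_RULES.items():
            if pattern.search(event["cmdline"]):
                hits.append(name)
    elif event["type"] == "process_access":
        if event["target"].lower().endswith("\\lsass.exe"):
            source_name = event["source"].rsplit("\\", 1)[-1].lower()
            if source_name not in LSASS_ALLOWLIST:
                hits.append("lsass_access")
    return hits

def correlate(events):  # host -> sorted distinct techniques seen on that host
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]].update(classify(event))
    return {host: sorted(techs) for host, techs in per_host.items() if techs}

def suspicious_hosts(events, min_techniques=2):  # hosts where the steps co-occur
    return sorted(h for h, t in correlate(events).items() if len(t) >= min_techniques)
```

A single hit (a Defender engine touching LSASS, or an administrator clearing the Application log) is ordinary noise; the value is in the co-occurrence of several steps on one host, which is what `suspicious_hosts` escalates.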