Almost three dozen organizations across Central Asia and Asia-Pacific, most of which are government agencies, have been targeted by Russian- and Chinese-speaking threat operation ShadowSilk in data exfiltration attacks, The Hacker News reports.
ShadowSilk, which overlaps with YoroTrooper, SilentLynx, and SturgeonPhisher, has leveraged malicious spear-phishing emails to deliver ZIP archives that launch a loader; the loader uses Telegram bots to conceal command-and-control traffic and to fetch further payloads, according to an analysis from Group-IB.
ShadowSilk has also exploited flaws in Drupal and in the WP-Automatic WordPress plugin to infiltrate targeted networks, which are then compromised with multiple web shells, including Godzilla, AntSword, and FinalShell, as well as the Resocks and Chisel utilities for lateral movement, privilege escalation, and remote access trojan deployment.
"Recent behavior indicates that the group remains highly active, with new victims identified as recently as July," said Group-IB, which stressed the value of persistently monitoring ShadowSilk's attack infrastructure.