FOCUS MODE
EXTRACT IOC
Threat Research

Operation FishMedley

ESET-welivesecurity
Operation FishMedley
The US Department of Justice has indicted employees of the Chinese contractor I‑SOON for conducting espionage campaigns, particularly targeting governments, NGOs, and think tanks through the FishMonger APT group. The campaign, termed Operation FishMedley, involved complex techniques and tools typically used by China-aligned threat actors, leading to the compromise of several organizations across various continents. Affected: I-SOON, FishMonger APT group, governments, NGOs, think tanks

Key points:

  • US DOJ indicted I‑SOON employees for global espionage operations.
  • The FishMonger APT group is attributed to these operations.
  • Targets included governmental organizations, NGOs, and think tanks across multiple regions.
  • Malicious implants like ShadowPad, Spyder, and SodaMaster were widely utilized.
  • The indictment aligns with earlier documented espionage activities identified in 2022.

MITRE Techniques:

  • T1583.004 – Acquire Infrastructure: Server – FishMonger rented servers from various hosting providers.
  • T1583.001 – Acquire Infrastructure: Domains – Domains were purchased for command and control (C&C) traffic.
  • T1059.001 – Command-Line Interface: PowerShell – ShadowPad was downloaded using a PowerShell command.
  • T1059.003 – Command-Line Interface: Windows Command Shell – Spyder was deployed via a BAT script.
  • T1072 – Software Deployment Tools – Local admin console access allowed commands to be executed on victim networks.
  • T1543.003 – Create or Modify System Process: Windows Service – Some SodaMaster loaders persisted as Windows services.
  • T1574.002 – Hijack Execution Flow: DLL Side-Loading – ShadowPad loading was achieved through DLL side-loading by a legitimate executable.
  • T1140 – Deobfuscate/Decode Files or Information – Malicious files like ShadowPad, Spyder, and SodaMaster were decrypted at runtime.
  • T1555.003 – Credentials from Password Stores: Credentials from Web Browsers – SodaMaster loaders extracted passwords from Firefox.
  • T1556.002 – Modify Authentication Process: Password Filter DLL – A custom password filter DLL was used to potentially exfiltrate passwords.
  • T1003.001 – OS Credential Dumping: LSASS Memory – LSASS memory was dumped using specific commands.
  • T1003.002 – OS Credential Dumping: Security Account Manager – The security account manager was dumped to gather credentials.
  • T1087.001 – Account Discovery: Local Account – Accounts were discovered using the net user command.
  • T1016 – System Network Configuration Discovery – Network configuration was retrieved using the ipconfig command.
  • T1007 – System Service Discovery – Currently running services were listed with the tasklist command.
  • T1057 – Process Discovery – Ongoing processes were analyzed using the tasklist command.
  • T1021.002 – Remote Services: SMB/Windows Admin Shares – Malware was deployed to local networks via SMB.
  • T1095 – Non-Application Layer Protocol – ShadowPad communicated using raw TCP and UDP.

Indicator of Compromise:

  • [File] log.dll
  • [File] task.exe
  • [File] DeElevator64.dll
  • [File] DrsSDK.dll
  • [File] sasetup.dll

Full Story: https://www.welivesecurity.com/en/eset-research/operation-fishmedley/

Tags: DEFENSE EVASION, INITIAL ACCESS, PRIVILEGE, TOOL, BACKDOOR, CREDENTIAL, DISCOVERY, PROXY