Redfly hackers compromised an electric grid firm in Asia

October 9, 2023

The Redfly group reportedly compromised an electric grid company in Asia earlier this year using the ShadowPad malware. According to the reports, the attackers also used a keylogger and a specialised loader to carry out the intrusion.

The campaign was run with a variant of ShadowPad that disguises its components as VMware files when dropping them onto the victim's filesystem.

For persistence, the attackers registered a service with a VMware-themed name and configured it to launch the malicious executable and DLL at system boot, so the implant survives reboots and blends in with legitimate VMware components.

ShadowPad played a vital role in the success of the Redfly hackers.

The ShadowPad remote access trojan (RAT) gave Redfly a broad set of capabilities throughout the campaign, including keystroke logging, file system scanning, remote command execution, and communication with a command-and-control (C2) server.

A key reason attackers favour ShadowPad is that it is shared among multiple threat groups, so its presence alone does not identify the operator and makes attribution difficult for analysts. Redfly also deployed a separate keylogging tool that writes captured keystrokes to the compromised host, and the attackers retrieve those logs manually.

Redfly also used Packerloader to load and execute shellcode stored in AES-encrypted files, a technique that can evade antivirus scanning. The same tooling was used to modify permissions on a driver file, dump credential material from the Windows registry, and clear the Windows Security event log.

Redfly also ran PowerShell commands to collect details about the storage devices attached to infected systems, and used DLL sideloading to move laterally within the compromised network.

Finally, the group used renamed copies of legitimate tools such as ProcDump to dump the memory of LSASS and extract credentials, which it then used to authenticate to adjacent systems.
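The tradecraft described above (a VMware-named persistence service, a renamed ProcDump reading LSASS, registry hive dumps, and the Security log being cleared) all leaves distinctive host telemetry. The following hunting script is an added example written for this article, not code from the original report or from any vendor: it scores constructed Windows/Sysmon-style events against those four behaviours. The event shapes follow the real Sysmon (event IDs 1 and 10) and Windows (7045, 1102) fields, but every hostname, path, service name and command line in the sample data is invented, and the LSASS allow-list is a hypothetical placeholder to be tuned per environment.

```python
import re

# Windows/Sysmon event IDs referenced (real IDs):
#   7045 - new service installed (System log)
#   1    - Sysmon process creation (carries the PE's OriginalFileName)
#   10   - Sysmon process access (handle opened on another process)
#   1102 - Security audit log cleared
#
# Constructed telemetry for this example. Paths, service names and command
# lines are invented; only the field names follow the real event schemas.
SAMPLE_EVENTS = [
    {"id": 7045, "ServiceName": "VMware-VMware",
     "ImagePath": r'"C:\ProgramData\VMware\vmwaretray.exe"'},
    {"id": 7045, "ServiceName": "VMTools",
     "ImagePath": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"'},
    {"id": 1, "Image": r"C:\Windows\Temp\svc.exe", "OriginalFileName": "procdump",
     "CommandLine": r"svc.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"},
    {"id": 10, "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": 1, "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"id": 1102, "SubjectUserName": "Administrator"},
    {"id": 1, "Image": r"C:\Tools\procdump.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump.exe -ma notepad.exe C:\Tools\np.dmp"},
]

# Legitimate VMware install roots, lower-cased with a trailing backslash so a
# sibling directory such as "c:\program files\vmware-x" does not match.
VMWARE_DIRS = ("c:\\program files\\vmware\\", "c:\\program files (x86)\\vmware\\")

# Hypothetical allow-list of processes expected to open LSASS; tune per estate.
LSASS_ALLOWED_SOURCES = {r"c:\windows\system32\svchost.exe",
                         r"c:\windows\system32\csrss.exe"}

# "reg save hklm\sam|security|system" exports the hives needed to crack or
# decrypt cached credentials offline.
HIVE_DUMP_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I)


def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def _stem(name):
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def detect(events):
    """Return a list of {"rule", "evidence"} findings in event order."""
    findings = []
    for e in events:
        eid = e["id"]
        if eid == 7045:
            # A VMware-named service whose binary lives outside the VMware install dirs.
            path = e["ImagePath"].strip('"').lower()
            if "vmware" in e["ServiceName"].lower() and not path.startswith(VMWARE_DIRS):
                findings.append({"rule": "masquerading_service",
                                 "evidence": f'{e["ServiceName"]} -> {e["ImagePath"]}'})
        elif eid == 1:
            # Renamed tool: the PE's OriginalFileName disagrees with the on-disk name.
            orig = _stem(e.get("OriginalFileName", ""))
            on_disk = _stem(_basename(e["Image"]))
            if orig and orig != on_disk:
                findings.append({"rule": "renamed_binary",
                                 "evidence": f'{e["Image"]} is really {orig}'})
            cmd = e.get("CommandLine", "")
            if HIVE_DUMP_RE.search(cmd):
                findings.append({"rule": "registry_hive_dump", "evidence": cmd})
        elif eid == 10:
            # Any non-allow-listed process opening a handle on lsass.exe.
            if (_basename(e["TargetImage"]) == "lsass.exe"
                    and e["SourceImage"].lower() not in LSASS_ALLOWED_SOURCES):
                findings.append({"rule": "lsass_access",
                                 "evidence": f'{e["SourceImage"]} access {e["GrantedAccess"]}'})
        elif eid == 1102:
            findings.append({"rule": "security_log_cleared",
                             "evidence": e.get("SubjectUserName", "?")})
    return findings


def triggered_rules(events):
    """Ordered, de-duplicated rule names, useful for correlating one host."""
    seen = []
    for f in detect(events):
        if f["rule"] not in seen:
            seen.append(f["rule"])
    return seen


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f'[{f["rule"]}] {f["evidence"]}')
```

Two design points matter in practice. The renamed-binary check relies on Sysmon's OriginalFileName field, which is read from the PE version resource, so an attacker who also strips that resource will defeat it; pair it with hash or signer checks. The service rule deliberately compares the binary path against install roots rather than trusting the service name, because the name is exactly what the attackers chose to look legitimate.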

The intrusion lasted about six months, which suggests the attackers prioritised staying under the radar while harvesting intelligence. Redfly's ultimate objective remains unclear, but a long-term foothold in a grid operator's network is a significant threat to critical infrastructure and other industries.
