APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2

Cybersecurity researchers have uncovered a sophisticated cyber espionage campaign orchestrated by Silver Dragon, an advanced persistent threat (APT) group linked to the notorious APT41, targeting government entities across Europe and Southeast Asia since mid-2024.

Initial Access and Persistence Mechanisms

Silver Dragon employs a multi-faceted approach to gain initial access to target systems. The group primarily exploits public-facing internet servers and deploys phishing emails containing malicious attachments. Once inside a network, they establish persistence by hijacking legitimate Windows services, allowing malware processes to blend seamlessly into normal system activity.

Three Distinct Infection Chains

Check Point researchers identified three different infection chains used to deliver Cobalt Strike beacons:

AppDomain Hijacking and Service DLL Chains

The first two infection chains demonstrate clear operational overlap. Both are delivered via compressed archives, suggesting their use in post-exploitation scenarios following the compromise of publicly exposed vulnerable servers.

AppDomain Hijacking Chain:

• Uses a RAR archive containing a batch script
• Drops MonikerLoader, a .NET-based loader
• MonikerLoader decrypts and executes a second-stage payload directly in memory
• The second stage acts as a conduit for loading the final Cobalt Strike beacon

Service DLL Chain:

• Also uses a batch script within a RAR archive
• Delivers BamboLoader, a shellcode DLL loader registered as a Windows service
• BamboLoader is a heavily obfuscated C++ malware
• Decrypts and decompresses shellcode staged on disk
• Injects the shellcode into legitimate Windows processes like "taskhost.exe"
• The target binary for injection is configurable within BamboLoader

Phishing Campaign Targeting Uzbekistan

The third infection chain involves a sophisticated phishing campaign primarily targeting Uzbekistan with malicious Windows shortcuts (LNK) as attachments.

Attack Flow:

1. Weaponized LNK file launches PowerShell code via "cmd.exe"
2. Extracts and executes next-stage payloads
3. Deploys four key components:
   • Decoy document (displayed to victim)
   • Legitimate executable vulnerable to DLL side-loading ("GameHook.exe")
   • Malicious DLL ("graphics-hook-filter64.dll")
   • Encrypted Cobalt Strike payload ("simhei.dat")

In this campaign, the decoy document is displayed to the victim while, in the background, the rogue DLL is side-loaded via "GameHook.exe" to ultimately launch Cobalt Strike.

Post-Exploitation Tools and Google Drive C2

Silver Dragon's arsenal includes several sophisticated post-exploitation tools, with a particular emphasis on Google Drive-based command-and-control infrastructure.

SilverScreen

• .NET screen-monitoring tool
• Captures periodic screenshots of user activity
• Includes precise cursor positioning tracking

SSHcmd

• .NET command-line SSH utility
• Provides remote command execution capabilities
• Enables file transfer over SSH connections

GearDoor Backdoor

• .NET backdoor sharing similarities with MonikerLoader
• Communicates with C2 infrastructure via Google Drive
• Authenticates to attacker-controlled Google Drive account
• Uploads heartbeat files containing basic system information

Google Drive Communication Protocol: GearDoor uses different file extensions to indicate the nature of tasks to be performed:

• ***.png** - Send heartbeat files
• ***.pdf** - Receive and execute commands, list directory contents, create directories, remove files
• ***.cab** - Receive and execute commands for host information gathering, process enumeration, file operations, command execution, file uploads, and implant termination
• ***.rar** - Receive and execute payloads ("wiatrace.bak" triggers self-update)
• ***.7z** - Receive and execute plugins in memory

Results of operations are uploaded using corresponding file extensions: *.db for PDF operations, *.bak for CAB and RAR operations, and *.bak for 7z plugin execution.

APT41 Connection and Technical Analysis

Silver Dragon's links to APT41 are established through several technical indicators:

1. Tradecraft overlaps with post-exploitation installation scripts previously attributed to APT41
2. The decryption mechanism used by BamboLoader has been observed in shellcode loaders linked to China-nexus APT activity
3. Similar operational patterns and targeting preferences

Evolving Threat Landscape

"The group continuously evolves its tooling and techniques, actively testing and deploying new capabilities across different campaigns," Check Point researchers noted. "The use of diverse vulnerability exploits, custom loaders, and sophisticated file-based C2 communication reflects a well-resourced and adaptable threat group."

Technical Indicators

File Hashes:

• BamboLoader: [SHA256 hash]
• MonikerLoader: [SHA256 hash]
• Cobalt Strike payloads: [SHA256 hashes]

C2 Infrastructure:

• Google Drive accounts used for command-and-control
• Multiple domain names for initial access
• DNS tunneling for covert communication

Target Profile:

• Government entities in Europe and Southeast Asia
• Primarily focused on diplomatic, defense, and intelligence sectors
• Secondary targeting of telecommunications and technology companies

Mitigation Strategies

Organizations can protect against Silver Dragon attacks through several measures:

1. Patch Management:

   • Regularly update and patch public-facing servers
   • Implement vulnerability management programs
   • Monitor for exploitation attempts

2. Email Security:

   • Deploy advanced email filtering solutions
   • Train users to recognize phishing attempts
   • Implement DMARC, SPF, and DKIM authentication

3. Network Monitoring:

   • Monitor for unusual DNS tunneling activity
   • Implement network segmentation
   • Deploy endpoint detection and response (EDR) solutions

4. Application Whitelisting:

   • Restrict execution of unauthorized applications
   • Monitor for DLL side-loading attempts
   • Implement application control policies

Conclusion

Silver Dragon represents a significant evolution in APT41's operational capabilities, demonstrating sophisticated techniques for maintaining persistence, evading detection, and establishing resilient command-and-control infrastructure. The group's use of Google Drive for C2 communication, combined with their multi-faceted infection chains and post-exploitation tools, makes them a formidable threat to government and critical infrastructure organizations.

The campaign underscores the importance of comprehensive cybersecurity measures, including regular patching, user education, and advanced threat detection capabilities. As APT groups continue to evolve their tactics, organizations must remain vigilant and adapt their defenses accordingly.