The Symantec research team uncovered an espionage campaign by the #APT group they track as #Redfly. The group used multiple tools during the campaign, including the #ShadowPad trojan, #Packerloader, and a keylogger, and also abused several #LOLBINs to achieve its goals.
Redfly masqueraded ShadowPad in a "VMware" directory and gained persistence by creating a service that ran the malware each time the computer started; the keylogger stored its captured keystrokes in a directory whose path included "Intel". The group used reg.exe to dump credentials from the SYSTEM, SAM, and SECURITY hives, and a renamed copy of ProcDump to dump credentials from LSASS memory. PowerShell was used to gather information on the storage devices attached to the system, and finally a scheduled task was created to perform side-loading and lateral movement. #HappyHunting!
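As an added hunting example (my code, not Symantec's tooling or anything published in the report), here is Python that turns the behaviours above into heuristics and runs them over constructed Sysmon-style process-creation records (Event ID 1 fields Image, OriginalFileName, CommandLine, ParentImage). The sample events, the assumption that the persistence service was registered with sc.exe, and the PowerShell storage-enumeration idioms matched are assumptions, not indicators from the report.

```python
"""Hunting heuristics for the Redfly behaviours summarised above.

Added example, not Symantec's tooling or anything published in the report.
It runs over constructed Sysmon-style process-creation records (Event ID 1
fields Image, OriginalFileName, CommandLine, ParentImage). The sample events,
the assumption that the persistence service was registered with sc.exe, and
the PowerShell storage-enumeration idioms matched are assumptions, not
indicators from the report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str               # full path of the executable that started
    original_file_name: str  # PE version-info name; survives a rename on disk
    command_line: str
    parent_image: str


# Credential hives the post says were dumped with reg.exe.
HIVE_RE = re.compile(r"hklm\\(sam|system|security)\b", re.I)
# Assumed PowerShell ways to enumerate attached storage (the exact command
# used by Redfly is not given above).
STORAGE_RE = re.compile(r"win32_(logicaldisk|diskdrive)|get-physicaldisk|get-disk\b", re.I)


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def hunt(ev: ProcEvent) -> list[str]:
    """Return the Redfly-style behaviours matched by one process event."""
    findings: list[str] = []
    exe = _exe(ev.image)
    cmd = ev.command_line.lower()
    orig = ev.original_file_name.lower()

    # reg.exe save hklm\sam|system|security: offline credential dump.
    if exe == "reg.exe" and re.search(r"\bsave\b", cmd) and HIVE_RE.search(cmd):
        findings.append("reg.exe hive dump")

    # A renamed ProcDump still carries OriginalFileName=procdump.exe in its
    # PE header, which is what Sysmon records; the on-disk name is not trusted.
    if orig == "procdump.exe":
        if exe != "procdump.exe":
            findings.append("renamed ProcDump")
        if "lsass" in cmd:
            findings.append("LSASS memory dump")

    # Persistence: a service whose binary lives under a VMware-named directory.
    if exe == "sc.exe" and re.search(r"\bcreate\b", cmd) and "\\vmware\\" in cmd:
        findings.append("service persistence from VMware-named path")

    # Scheduled task creation, used for side-loading and lateral movement.
    if exe == "schtasks.exe" and "/create" in cmd:
        findings.append("scheduled task created")

    # PowerShell enumerating attached storage devices.
    if exe in ("powershell.exe", "pwsh.exe") and STORAGE_RE.search(cmd):
        findings.append("PowerShell storage enumeration")

    return findings


def hunt_all(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that matched."""
    results = {}
    for i, ev in enumerate(events):
        hits = hunt(ev)
        if hits:
            results[i] = hits
    return results


CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample telemetry (not real Redfly events). The file names and
# paths are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\reg.exe", "reg.exe",
              r"reg save hklm\sam C:\Windows\Temp\sam.hiv", CMD),
    ProcEvent(r"C:\ProgramData\VMware\vmtools.exe", "procdump.exe",
              r"vmtools.exe -accepteula -ma lsass.exe C:\Windows\Temp\ls.dmp", CMD),
    ProcEvent(r"C:\Windows\System32\sc.exe", "sc.exe",
              r'sc create vmwaresvc binPath= "C:\ProgramData\VMware\vmware.exe" start= auto', CMD),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
              r"schtasks /create /tn Update /tr C:\ProgramData\VMware\vmware.exe /sc onstart", CMD),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              "powershell -c Get-WmiObject Win32_DiskDrive", CMD),
    ProcEvent(r"C:\Windows\System32\reg.exe", "reg.exe",   # benign query, no hit
              r"reg query hklm\software\microsoft\windows\currentversion\run", CMD),
]


if __name__ == "__main__":
    for idx, hits in hunt_all(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", hits)
```

Running the file prints the matched events; the benign reg query produces no hit. The OriginalFileName check is the useful one against a renamed ProcDump, since it keys on the PE version resource rather than the file name on disk. The "VMware" path check will fire on hosts with legitimate VMware Tools installed, so treat it as a triage lead rather than a verdict.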
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday