Chinese threat group Moshen Dragon has been targeting antivirus apps to facilitate malicious DLL sideloading, reports SecurityWeek
SentinelOne researchers revealed that security products from BitDefender, Trend Micro, McAfee, Symantec, and Kaspersky have been abused by Moshen Dragon to deploy the PlugX and ShadowPad malware, with the threat actor relying on DLL search order hijacking (sideloading a malicious DLL next to a legitimately signed vendor executable). Other tools have also been delivered by the threat group, including the GUNTERS loader and a credential harvesting tool, according to the researchers. However, the initial infection vector for Moshen Dragon's attacks remains unknown to the researchers. Meanwhile, additional ShadowPad and PlugX variants, possibly also used by Moshen Dragon, have been observed that overlap with the campaign.
"PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity. Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products," said SentinelLabs.
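As an added illustration of the detection angle on the sideloading pattern described above (this is example code, not part of the SecurityWeek or SentinelLabs report), the heuristic below scans image-load records and flags a signed security-vendor process that maps a DLL from outside the Windows system directories when that DLL is unsigned or carries a different signer. The vendor list, record layout and sample paths are constructed assumptions modelled loosely on Sysmon "Image loaded" fields.

```python
# Added example, not from the report: flag DLL search-order hijacking
# against signed security products. Records are CONSTRUCTED to resemble
# Sysmon Event ID 7 fields; signer names and paths are assumptions.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed signers of the vendor binaries the report says were abused as hosts.
SECURITY_VENDOR_SIGNERS = {
    "bitdefender", "trend micro", "mcafee", "symantec", "kaspersky",
}
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class ImageLoad:
    image: str          # host process path
    image_signer: str   # signer of the host process ("" if unsigned)
    loaded: str         # path of the DLL that was mapped
    loaded_signer: str  # signer of the DLL ("" if unsigned)


def _is_security_vendor(signer: str) -> bool:
    s = signer.lower()
    return any(v in s for v in SECURITY_VENDOR_SIGNERS)


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """True when a security-vendor-signed process loads a DLL from outside
    the system directories that is unsigned or signed by someone else."""
    if not _is_security_vendor(ev.image_signer):
        return False
    dll_dir = str(PureWindowsPath(ev.loaded).parent).lower()
    if dll_dir.startswith(TRUSTED_DLL_DIRS):
        return False  # OS DLLs from System32/SysWOW64 are expected
    return ev.loaded_signer.lower() != ev.image_signer.lower()


def find_sideloads(events: list[ImageLoad]) -> list[str]:
    """Return the DLL paths of every suspicious load in the event list."""
    return [ev.loaded for ev in events if is_suspicious_sideload(ev)]


# Constructed sample: an OS DLL, a vendor DLL signed by the same vendor,
# and an unsigned DLL dropped beside a vendor binary in a temp directory.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\a\AppData\Local\Temp\vendor.exe", "Kaspersky Lab",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Vendor\scan.exe", "Trend Micro, Inc.",
              r"C:\Program Files\Vendor\helper.dll", "Trend Micro, Inc."),
    ImageLoad(r"C:\Users\a\AppData\Local\Temp\vendor.exe", "Kaspersky Lab",
              r"C:\Users\a\AppData\Local\Temp\log.dll", ""),
]
```

Run on the sample, `find_sideloads(SAMPLE_EVENTS)` returns only the unsigned temp-directory DLL; in practice the signer check should come from the signature verification fields of the telemetry source rather than from string matching alone.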