Full Report
Orange CyberDefense identified a sophisticated threat cluster, dubbed Green Nailao, targeting European organizations, with a particular focus on... The post Green Nailao cyber threat targets European healthcare with advanced tactics, undocumented ransomware appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Green Nailao (NailaoLocker Operator)
## Attribution & Identity
The threat cluster is tracked as **Green Nailao** (Nailao meaning ‘cheese’ in Chinese). Orange CyberDefense assesses with **medium confidence** that this cluster aligns with typical **China-nexus intrusion sets**, based on the use of the ShadowPad backdoor. The actor deployed a previously undocumented ransomware payload dubbed **NailaoLocker**.
## Activity Summary
The Green Nailao cluster was active between June and October of the previous year, focusing primarily on European organizations. The activity centered on initial compromise through exploitation of Check Point Security Gateways. Following initial access, the actors deployed ShadowPad and PlugX backdoors, which in some cases led to deployment of the custom NailaoLocker ransomware.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of **CVE-2024-24919** (a critical vulnerability affecting Check Point Security Gateways with VPN features) to retrieve local account password hashes and connect using legitimate credentials.
- **Deployment/Execution:**
- Employed **DLL search-order hijacking** to establish backdoors.
- Used a legitimate binary (`logger.exe`) to side-load a malicious DLL (`logexts.dll`), which copied an encrypted payload from the registry, injected it into another process, and maintained persistence via a created service or startup task (associated with ShadowPad).
- Used a legitimate McAfee executable (`mcoemcpy.exe`) to side-load a malicious DLL (`McUtil.dll`) for PlugX distribution.
- **Persistence/Defense Evasion:**
- ShadowPad leveraged **Windows services and registry keys** for persistence, featuring complex obfuscation and anti-debugging measures.
- PlugX loader created a **Windows service for persistence** and attempted privilege escalation using `SeDebugPrivilege` token APIs.
- **Lateral Movement:** Primarily conducted network reconnaissance and lateral movement using **RDP**.
- **Payload Delivery:** Delivered ShadowPad, PlugX, and the undocumented **NailaoLocker** ransomware.
## Targeting
- **Sectors:** Healthcare (primary focus); other sectors were also targeted globally.
- **Geography:** European organizations.
- **Victims:** Several European organizations, including entities in the healthcare vertical.
## Tools & Infrastructure
- **Malware families used:**
- **ShadowPad:** Noted a new, obfuscated variant.
- **PlugX:** Observed utilizing a workflow linked to a leaked PlugX builder.
- **NailaoLocker:** Undocumented custom ransomware payload.
- **Infrastructure (C2, domains, IPs):** ShadowPad was observed establishing communication with a C2 server for discreet access, independent of VPN access. (No specific defanged URLs/IPs provided in the source text).
## Implications
The Green Nailao campaign demonstrates an advanced intrusion set linking established, sophisticated Chinese espionage tools (ShadowPad) with the deployment of novel, likely for-profit ransomware (NailaoLocker). This suggests either espionage groups monetizing their access or financially motivated actors leveraging high-end espionage toolkits. The reliance on a critical, unpatched vulnerability (CVE-2024-24919) for initial access highlights weaknesses in securing perimeter appliances.
## Mitigations
- Apply security patches immediately, especially for critical vulnerabilities like CVE-2024-24919 affecting VPN appliances (Check Point Security Gateways).
- Monitor for suspicious use of legitimate binaries (`logger.exe`, `mcoemcpy.exe`) alongside malicious DLL side-loading techniques.
- Implement strong monitoring for persistence mechanisms involving newly created services or startup tasks.
- Maintain detection and response coverage for established backdoors like ShadowPad and PlugX, whose presence often indicates an advanced threat actor.