
Silver Dragon Targets Organizations in Southeast Asia and Europe

Check Point Research identified Silver Dragon, a Chinese-nexus APT group likely affiliated with APT41, targeting organizations in Southeast Asia and Europe. The group utilizes public-facing server exploits and phishing to deploy custom loaders that establish persistence via AppDomain hijacking and service manipulation. These loaders deliver Cobalt Strike and a novel Google Drive-based backdoor called GearDoor.

Sens: Immediate | Conf: high | Analyzed: 2026-03-03

Authors: Check Point Research, CPR

Actors: Silver Dragon, APT41, Cobalt Strike, GearDoor, SilverScreen, SSHcmd, MonikerLoader, BamboLoader

Source: Check Point


Key Takeaways

  • Silver Dragon, a Chinese-nexus APT likely linked to APT41, is targeting government entities in Southeast Asia and Europe.
  • Initial access is achieved via public-facing server exploits and phishing emails delivering malicious LNK files.
  • The group utilizes AppDomain Hijacking and Windows Service manipulation to deploy custom loaders (MonikerLoader and BamboLoader) that execute Cobalt Strike.
  • A novel .NET backdoor named GearDoor was discovered, which uses Google Drive as a covert Command and Control (C2) channel.
  • Custom post-exploitation tools include SilverScreen for stealthy screen monitoring and SSHcmd for remote command execution.

Affected Systems

  • Windows OS
  • Public-facing internet servers

Attack Chain

Silver Dragon gains initial access by exploiting public-facing servers or delivering phishing emails with malicious LNK attachments. Upon execution, batch scripts deploy custom loaders (MonikerLoader or BamboLoader) that establish persistence via AppDomain hijacking or Windows service manipulation. These loaders decrypt and inject Cobalt Strike beacons into memory for primary C2, often utilizing DNS tunneling. For post-exploitation, the group deploys custom tools including SilverScreen for screen capture, SSHcmd for remote access, and GearDoor, a backdoor that leverages Google Drive for stealthy C2 communication.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide any ready-to-use detection rules (YARA, Sigma, etc.), but it does provide detailed IOCs and behavioral descriptions for custom rule creation.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions should readily detect service creation/modification, AppDomain hijacking via unexpected .config files in .NET directories, and process injection into taskhost.exe.
  • Network Visibility: Medium — DNS tunneling for Cobalt Strike can be detected via query volume analysis, but GearDoor's use of the Google Drive API blends in with legitimate HTTPS traffic.
  • Detection Difficulty: Moderate — While the initial access and persistence mechanisms (service hijacking) are noisy, the use of Google Drive for C2 and heavily obfuscated in-memory loaders makes payload analysis and network detection challenging.

Required Log Sources

  • Event ID 4688 (Process Creation)
  • Event ID 4697 (Service Installed)
  • Event ID 7045 (New Service Installed)
  • Event ID 11 (FileCreate)
  • Event ID 13 (RegistryEvent)

Hunting Hypotheses

  • Hypothesis: Look for unexpected creation or modification of .config files in the C:\Windows\Microsoft.NET\Framework64\ directory, specifically dfsvc.exe.config, indicating potential AppDomain hijacking. | Telemetry: File Creation Events (Sysmon Event ID 11) | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Monitor for sc.exe or reg.exe commands modifying existing legitimate services (like bthsrv or wuausrv) to point to unexpected DLLs in C:\Windows\System32\wbem. | Telemetry: Process Creation (Event ID 4688) and Registry Modifications (Sysmon Event ID 13) | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Hunt for cmd.exe spawning PowerShell with obfuscated command lines containing 'pow%comspec:~-1%rshell', indicative of LNK file payload extraction. | Telemetry: Process Creation (Event ID 4688) | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Analyze DNS query logs for high volumes of TXT or A record requests to unknown or newly registered domains, which may indicate Cobalt Strike DNS tunneling. | Telemetry: DNS Query Logs | ATT&CK Stage: Command and Control | FP Risk: Medium
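The four hunting hypotheses above encoded as rules and run over constructed sample telemetry. This is an added example, not code from Check Point Research or from this page; the event field names (EventID, Image, CommandLine, TargetFilename, QueryName, QueryType), the 50-query threshold and the sample events are assumptions.

```python
import re
from collections import Counter

DOTNET_DIR = r"c:\windows\microsoft.net\framework64"  # AppDomain-hijack config location
WBEM_DIR = r"c:\windows\system32\wbem"                 # BamboLoader service-DLL location
# Batch substring expansion: %comspec:~-1% is the last char of C:\Windows\system32\cmd.exe, "e"
COMSPEC_LAST = re.compile(r"%comspec:~-1%", re.IGNORECASE)

def hunt_appdomain_config(event):
    """Sysmon EID 11: .config written under the .NET framework directory (e.g. dfsvc.exe.config)."""
    path = event.get("TargetFilename", "").lower()
    return event.get("EventID") == 11 and path.startswith(DOTNET_DIR) and path.endswith(".config")

def hunt_service_hijack(event):
    """EID 4688: sc.exe/reg.exe editing service settings to load a DLL from System32\\wbem."""
    image, cmd = event.get("Image", "").lower(), event.get("CommandLine", "").lower()
    if event.get("EventID") != 4688 or not image.endswith(("\\sc.exe", "\\reg.exe")):
        return False
    return ("\\services\\" in cmd or "svchost" in cmd) and WBEM_DIR in cmd

def hunt_obfuscated_powershell(event):
    """EID 4688: 'powershell' spelled via %comspec:~-1% (logged unexpanded on the LNK-spawned cmd.exe)."""
    cmd = event.get("CommandLine", "")
    if event.get("EventID") != 4688 or not COMSPEC_LAST.search(cmd):
        return False
    return "powershell" in COMSPEC_LAST.sub("e", cmd).lower()

def hunt_dns_tunneling(dns_events, threshold=50):
    """Domains with more than `threshold` A/TXT queries. Beacon subdomains change per query,
    so counts are grouped on the last two labels (simplified: no public-suffix list)."""
    counts = Counter(".".join(e["QueryName"].lower().split(".")[-2:])
                     for e in dns_events if e.get("QueryType") in ("A", "TXT"))
    return sorted(d for d, n in counts.items() if n > threshold)

def run_hunts(events):
    """Apply each per-event rule; return (rule name, event) for every hit, in event order."""
    rules = {"appdomain_config": hunt_appdomain_config, "service_hijack": hunt_service_hijack,
             "obfuscated_powershell": hunt_obfuscated_powershell}
    return [(name, e) for e in events for name, rule in rules.items() if rule(e)]

# Constructed sample telemetry (not from the report); the last process event is benign
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe.config"},
    {"EventID": 4688, "Image": r"C:\Windows\System32\reg.exe", "CommandLine":
     r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\bthsrv\Parameters" /v ServiceDll /d C:\Windows\System32\wbem\WinSync.dll'},
    {"EventID": 4688, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c pow%comspec:~-1%rshell -windowstyle hidden -c"},
    {"EventID": 4688, "Image": r"C:\Windows\System32\reg.exe", "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft"'},
]
SAMPLE_DNS = ([{"QueryName": f"{i:x}.beacon.example.invalid", "QueryType": "TXT"} for i in range(60)]
              + [{"QueryName": "www.example.com", "QueryType": "A"}] * 3)
```

Each rule is a literal encoding of one hypothesis row; the DNS rule needs per-domain aggregation because Cobalt Strike DNS beacons vary the subdomain label on every query.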

Control Gaps

  • Network inspection of Google Drive traffic
  • Static analysis of Brainfuck-obfuscated .NET binaries

Key Behavioral Indicators

  • dfsvc.exe loading unexpected DLLs
  • taskhost.exe spawned as a child process with injected memory
  • High frequency of .png, .cab, .bak file extensions being written/deleted by a single process (GearDoor behavior)

False Positive Assessment

  • Low. The IOCs and behaviors described, such as AppDomain hijacking of dfsvc.exe with malicious configs and specific obfuscated command lines, are highly specific to this threat actor and unlikely to occur in benign environments.

Recommendations

Immediate Mitigation

  • Block known C2 domains and IPs at the perimeter.
  • Search endpoints for the provided file hashes and file paths (e.g., backup.sdb, OLDENGL.fon).

Infrastructure Hardening

  • Patch public-facing internet servers to prevent initial access.
  • Implement strict AppLocker or Windows Defender Application Control (WDAC) policies to restrict unauthorized DLL loads.

User Protection

  • Deploy EDR solutions configured to block process injection and unauthorized service modifications.
  • Block execution of LNK files originating from email attachments or web downloads.

Security Awareness

  • Train employees to recognize phishing emails, particularly those targeting government entities with LNK attachments.

MITRE ATT&CK Mapping

  • T1574.014 - Hijack Execution Flow: AppDomain Manager Injection
  • T1543.003 - Create or Modify System Process: Windows Service
  • T1566.001 - Phishing: Spearphishing Attachment
  • T1055 - Process Injection
  • T1102.002 - Web Service: Bidirectional Communication
  • T1113 - Screen Capture
  • T1071.004 - Application Layer Protocol: DNS
  • T1027 - Obfuscated Files or Information

Additional IOCs

  • IPs:
    • 104[.]21[.]51[.]8 - DNS_Idle IP address found in Cobalt Strike beacon configuration.
  • Domains:
  • File Hashes:
  • Registry Keys:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost - Modified to register malicious DLLs as services.
    • HKLM\SYSTEM\CurrentControlSet\Services\bthsrv - Hijacked Bluetooth Update Service for persistence.
    • HKLM\SYSTEM\CurrentControlSet\Services\bthsrv\Parameters - Modified to point ServiceDll to the malicious payload.
  • File Paths:
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComponentModel.dll - Encrypted second-stage loader or SilverScreen payload.
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceMoniker.dll - MonikerLoader malicious .NET DLL.
    • C:\Windows\AppPatch\backup.sdb - Encrypted Cobalt Strike payload.
    • C:\Windows\System32\wbem\WinSync.dll - BamboLoader DLL dropped for service hijacking.
    • C:\Windows\Fonts\OLDENGL.fon - Encrypted Cobalt Strike shellcode disguised as a font file.
    • C:\Windows\Debug\wiatrace.bak - GearDoor self-update package drop location.
  • Command Lines:
    • Purpose: Creates a new service to execute the hijacked AppDomain sequence. | Tools: sc.exe | Stage: Persistence
    • Purpose: Modifies registry to hijack an existing service (e.g., bthsrv) to load a malicious DLL. | Tools: reg.exe | Stage: Persistence | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v "bthsrv"
    • Purpose: Executes obfuscated PowerShell to extract and run payloads embedded within a malicious LNK file. | Tools: cmd.exe, powershell.exe | Stage: Execution | cmd.exe /c pow%comspec:~-1%rshell -windowstyle hidden -c