
Linked to APT41, Silver Dragon is known for sophisticated attack strategies, including exploiting public-facing servers and sending phishing emails with malicious attachments.
Recently, Silver Dragon introduced GearDoor, a backdoor that uses Google Drive as its command-and-control (C2) channel, providing stealthy communication through a trusted cloud service.
Additionally, they deployed two other custom tools: SSHcmd, a command-line utility for remote access, and SliverScreen, a screen-monitoring tool used for capturing user activity.
Infection Chains and Delivery Mechanisms
Silver Dragon employs a multi-stage attack process with three main infection chains:
- AppDomain Hijacking
- Service DLL Hijacking
- Email Phishing Campaign
These chains ultimately deploy Cobalt Strike as the final payload, providing persistent remote access. The infection typically starts with the exploitation of publicly exposed servers, with attackers deploying Cobalt Strike beacons to gain initial access.
In the AppDomain Hijacking chain, Silver Dragon modifies dfsvc.exe.config to redirect execution to a malicious MonikerLoader, which then loads the Cobalt Strike beacon.
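Redirecting a signed .NET host such as dfsvc.exe (the ClickOnce deployment service) through its `.exe.config` is the AppDomainManager injection technique: the `<runtime>` section names an assembly and type the CLR loads before the application's own code runs. The article does not reproduce the modified config, so the scanner below is an added example, not Check Point's or the attackers' code, and the "Loader" assembly name in the constructed sample config is a placeholder, not the real MonikerLoader strong name. It walks a directory tree for `*.exe.config` files and reports any that carry `appDomainManagerAssembly` or `appDomainManagerType` settings, which no stock Microsoft config should contain.

```python
import os
import xml.etree.ElementTree as ET

# <runtime> children that make the CLR load an AppDomainManager from an arbitrary assembly.
SUSPECT_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def check_config(xml_text):
    """Return [(element, value), ...] for AppDomainManager settings in one .exe.config body."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings  # not XML: treat as clean here, triage separately if it matters
    for runtime in root.iter("runtime"):
        for child in runtime:
            tag = child.tag.split("}")[-1]  # strip any namespace prefix
            if tag in SUSPECT_ELEMENTS:
                findings.append((tag, child.get("value", "")))
    return findings


def scan_tree(root_dir):
    """Map path -> findings for every *.exe.config under root_dir that sets an AppDomainManager."""
    hits = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    found = check_config(fh.read())
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits


# Constructed samples (not taken from the incident): a typical benign config and a hijacked one.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup>
  <runtime>
    <AppContextSwitchOverrides value="Switch.System.IO.UseLegacyPathHandling=false"/>
  </runtime>
</configuration>"""

HIJACK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Loader.Entry"/>
  </runtime>
</configuration>"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_CONFIG), ("hijacked", HIJACK_CONFIG)):
        print(label, check_config(body))
    # On a live host: scan_tree(r"C:\Windows\Microsoft.NET") or the application directories you ship.
```

The same settings can also be supplied through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, so a complete check pairs this file scan with a look at the environment of running .NET processes. Any hit on a Microsoft-signed binary's config that points at an assembly outside the GAC or the product's own install folder deserves immediate triage.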
Similarly, the Service DLL Hijacking chain uses a malicious DLL, BamboLoader, to install a Cobalt Strike shellcode payload.
The phishing campaign involves weaponized LNK files that deliver additional payloads, including BamboLoader.
GearDoor is a backdoor that communicates via Google Drive, so its traffic is ordinary HTTPS to a service most organizations already allow, and it evades monitoring that looks for connections to attacker-owned infrastructure.
GearDoor uses encrypted files to send and receive commands, enabling the operator to manage infected systems via file uploads and downloads.
Each infected machine is assigned a unique folder on Google Drive for communication.
C2 and Exfiltration via Google Drive
The use of Google Drive for C2 communication in GearDoor is particularly notable. The malware encrypts configuration and command data using DES, with keys derived from the infected system's attributes. DES offers no real cryptographic strength today, and because the key material comes from the host itself, an analyst who has the compromised machine's attributes can reproduce the key and decrypt any files recovered from the Drive folder.
GearDoor monitors a dedicated Google Drive folder for new tasks, identified by file extensions like .png for heartbeats, .cab for commands, and .rar for payload delivery.
This file-based communication method allows Silver Dragon to remain undetected while maintaining persistent control over compromised systems.
By using Google Drive, the malware needs no attacker-controlled domains or servers: its polling and uploads blend into legitimate Drive API traffic, so reputation-based blocking and indicator feeds built on C2 infrastructure do not apply.
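Since the destination is Google's own API, the practical hunting signal is not where the traffic goes but which process sends it and how regularly. The script below is an added example, not code from the Check Point report or the malware: it runs over constructed endpoint network telemetry (assumed to carry the process name and the request path, as an EDR or TLS-inspecting proxy would), keeps only Drive API calls, drops allowlisted browsers and sync clients, and flags any remaining process that polls on a near-fixed interval, which is what a file-polling implant looks like.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Processes expected to talk to the Drive API all day; extend for your estate.
ALLOWED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

LINE_RE = re.compile(r"^(\S+) host=(\S+) proc=(\S+) dst=(\S+) uri=(\S+)$")


def is_drive_api(dst, uri):
    """True for Google Drive REST calls: metadata/list and upload endpoints."""
    return dst == "www.googleapis.com" and (
        uri.startswith("/drive/") or uri.startswith("/upload/drive/")
    )


def find_drive_beacons(log_text, min_requests=4, max_jitter=0.2, allowed=ALLOWED_PROCS):
    """Group Drive API requests by (host, process) and return the non-allowlisted pairs
    whose inter-request gaps are regular (coefficient of variation <= max_jitter)."""
    stamps_by_key = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, proc, dst, uri = m.groups()
        if proc.lower() in allowed or not is_drive_api(dst, uri):
            continue
        stamps_by_key[(host, proc)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))

    findings = {}
    for key, stamps in stamps_by_key.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings[key] = {"count": len(stamps), "mean_interval": avg, "jitter": jitter}
    return findings


# Constructed sample telemetry (not real GearDoor traffic). "syncagent.exe" is a
# hypothetical unsigned process polling the Drive file list about once a minute.
SAMPLE_LOG = """\
2025-01-14T08:59:58Z host=ws-17 proc=syncagent.exe dst=oauth2.googleapis.com uri=/token
2025-01-14T09:00:00Z host=ws-17 proc=syncagent.exe dst=www.googleapis.com uri=/drive/v3/files?q=parents
2025-01-14T09:00:05Z host=ws-17 proc=chrome.exe dst=www.googleapis.com uri=/drive/v3/files
2025-01-14T09:00:10Z host=ws-17 proc=outlook.exe dst=www.googleapis.com uri=/drive/v3/files/abc
2025-01-14T09:01:00Z host=ws-17 proc=syncagent.exe dst=www.googleapis.com uri=/drive/v3/files?q=parents
2025-01-14T09:02:01Z host=ws-17 proc=syncagent.exe dst=www.googleapis.com uri=/drive/v3/files?q=parents
2025-01-14T09:03:00Z host=ws-17 proc=syncagent.exe dst=www.googleapis.com uri=/upload/drive/v3/files
2025-01-14T09:04:00Z host=ws-17 proc=syncagent.exe dst=www.googleapis.com uri=/drive/v3/files?q=parents
2025-01-14T09:07:40Z host=ws-17 proc=chrome.exe dst=www.googleapis.com uri=/drive/v3/files
2025-01-14T09:31:00Z host=ws-17 proc=outlook.exe dst=www.googleapis.com uri=/drive/v3/files/abc
2025-01-14T09:33:45Z host=ws-17 proc=outlook.exe dst=www.googleapis.com uri=/drive/v3/files/def
"""

if __name__ == "__main__":
    for (host, proc), info in find_drive_beacons(SAMPLE_LOG).items():
        print(f"{host} {proc}: {info['count']} Drive calls, ~{info['mean_interval']:.0f}s apart, jitter {info['jitter']:.3f}")
```

The file naming scheme the article describes (.png heartbeats, .cab commands, .rar payloads, one folder per victim) lives in the attacker's own Drive account, so your Workspace audit logs will not show it; the endpoint side, a process that should never be a Drive client issuing list and upload calls on a timer, is what you can actually observe. Loosen `max_jitter` if you expect the implant to randomize its sleep.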
According to Check Point Research, Silver Dragon's approach illustrates the increasing complexity of APT operations, using cloud storage to bypass traditional network defenses.
Organizations, particularly those in the government and critical infrastructure sectors, should be vigilant against such attacks.
| Loader | Obfuscation | Decryption | Injection Target |
|---|---|---|---|
| MonikerLoader | Brainfuck strings, random names | ADD-XOR | Reflective, RWE memory |
| BamboLoader | Control flow flattening, junk code | RC4 + LZNT1 + XOR | taskhost.exe |
The post Silver Dragon APT Uses Google Drive For Covert Communication In European, Asian Attacks appeared first on Cyber Security News.
