Chinese Hackers Exploiting Check Point Firewall Vulnerability To Deploy Ransomware
A sophisticated cyber espionage campaign linked to Chinese state-aligned threat actors has targeted organizations across 15 countries using an updated variant of the Shadowpad malware to deploy previously undocumented ransomware.
The attacks, analyzed by Trend Micro’s incident response team, exploit weak passwords and multi-factor authentication (MFA) bypass techniques to infiltrate Check Point firewall VPNs.
Over 21 companies in manufacturing, energy, finance, and education sectors have been impacted since November 2023, with Europe, the Middle East, and Asia bearing the brunt of the activity.
The attackers first gain network access by brute-forcing administrative credentials or bypassing certificate-based MFA through unspecified means.
Security analysts at Trend Micro identified that once inside, they leverage Shadowpad—a modular backdoor connected to multiple Chinese advanced persistent threat (APT) groups—to establish persistence, exfiltrate data, and deploy ransomware.
This marks a rare escalation, as Shadowpad operators historically focused on intellectual property theft rather than financial extortion.
Shadowpad’s Anti-Debugging and Ransomware Mechanics
The latest Shadowpad variant employs advanced anti-analysis techniques to evade detection.
It checks the Process Environment Block (PEB) for debugger flags and uses the RDTSC instruction to measure CPU cycle gaps, terminating execution if discrepancies exceed 10 million cycles.
The malware also calls GetTickCount to compare system uptime deltas, flagging intervals above 3,000 milliseconds as potential sandbox environments.
These methods, combined with DNS-over-HTTPS (DoH) for command-and-control (C2) communication, complicate network-based detection.
```c
// Anti-debugging checks in Shadowpad payload
// NtGlobalFlag & 0x70: the three heap-checking flags a debugger sets on launch
if (PEB.BeingDebugged || (PEB.NtGlobalFlag & 0x70)) {
    terminate_process();
}
uint64_t start = __rdtsc();
execute_decoy_operations();
uint64_t end = __rdtsc();
if ((end - start) > 10000000) {   // >10M cycles: single-stepping or an emulated CPU
    erase_payload();
}
```
After establishing persistence, attackers deploy a custom ransomware strain that encrypts files using AES-256 with keys wrapped in RSA-2048.
The malware excludes system directories (C:\Windows) and appends .locked extensions to encrypted files.
Each file’s AES key is XORed with 0x3F and embedded in the file footer, requiring the attacker’s private RSA key for decryption.
```python
# File encryption logic (simplified; AES_encrypt and RSA_encrypt stand in for the real routines)
import os

aes_key = os.urandom(32)                                  # fresh AES-256 key per file
with open(file, 'rb+') as f:
    data = f.read()
    encrypted_data = AES_encrypt(data, aes_key)
    obfuscated_key = bytes(b ^ 0x3F for b in aes_key)     # XOR every key byte with 0x3F
    wrapped_key = RSA_encrypt(obfuscated_key, public_key)  # RSA-2048 wrap, attacker holds the private key
    f.seek(0)
    f.write(encrypted_data + wrapped_key)                 # wrapped key lands in the file footer
```
Ransom notes mimic the Kodex Evil Extractor ransomware template, directing victims to a Tor payment portal.
However, forensic analysis reveals no payments to the specified Bitcoin wallets, suggesting the encryption phase serves as a distraction while data is exfiltrated.
The attackers used CQHashDumpv2 to extract Active Directory credentials and the Impacket toolkit’s WmiExec module for lateral movement.
These tools enabled dumping SAM databases and deploying payloads across networked devices.
```text
# CQHashDumpv2 command observed in attacks
CQHashDumpv2.exe --samdump --sam=C:\Windows\system32\config\SAM --sys=C:\Windows\system32\config\SYSTEM
```
While attribution remains inconclusive, infrastructure overlaps with Teleboyi, a Chinese APT group linked to PlugX malware, hint at potential collaboration.
Trend Micro urges organizations to audit firewall configurations, enforce strong MFA, and monitor for Shadowpad’s registry-based payload storage (HKLM\Software\Classes\CLSID).
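One way to act on that last recommendation, as an added example rather than code from Trend Micro or the article: a Python script that parses a registry export (.reg) and flags CLSID keys holding unusually large binary values, which is what a payload stored under HKLM\Software\Classes\CLSID looks like. The sample export, the GUIDs and the 4096-byte threshold are constructed or assumed here, not taken from the article.

```python
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, raw_data); joins backslash-continued hex lines."""
    key, lines, i = None, text.splitlines(), 0
    while i < len(lines):
        m = KEY_RE.match(lines[i])
        if m:
            key = m.group(1)
        elif key and (m := VALUE_RE.match(lines[i])):
            name, data = m.group(1).strip('"'), m.group(2)
            while data.endswith("\\") and i + 1 < len(lines):  # wrapped hex value
                i += 1
                data = data[:-1] + lines[i].strip()
            yield key, name, data
        i += 1

def hex_payload_size(data):
    """Byte length of a hex:/hex(n): value, or None for non-binary types."""
    m = re.match(r"hex(?:\([0-9a-fA-F]+\))?:(.*)$", data)
    return None if not m else len([p for p in m.group(1).split(",") if p.strip()])

def find_clsid_blobs(text, min_bytes=4096):
    """(key, value, size) for CLSID values holding at least min_bytes of binary
    data; 4096 is an assumed tuning threshold, not a figure from the article."""
    return [(k, n, s) for k, n, d in parse_reg(text)
            if "\\CLSID\\" in k.upper()
            and (s := hex_payload_size(d)) is not None and s >= min_bytes]

def _wrap_hex(data, per_line=25):
    """Render bytes the way regedit exports them: comma-separated, backslash-wrapped."""
    parts = [f"{b:02x}" for b in data]
    return ",\\\n  ".join(",".join(parts[i:i + per_line])
                          for i in range(0, len(parts), per_line))

# Constructed sample export (not from the article): one ordinary COM
# registration beside a CLSID key stuffed with a 6144-byte binary value.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32]\n"
    '@="C:\\\\Windows\\\\System32\\\\shell32.dll"\n'
    '"ThreadingModel"="Apartment"\n\n'
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{66666666-7777-8888-9999-000000000000}]\n"
    f'"Data"=hex:{_wrap_hex(bytes(range(256)) * 24)}\n'
)
```

Running find_clsid_blobs(SAMPLE_REG) returns only the second key with its 6144-byte "Data" value; on a real host, export the CLSID hive with reg export and feed the file's text in, then triage the hits against known-good COM registrations.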