Microsoft issues fresh warning about nation-state actor Gadolinium

Microsoft has warned organisations about the use of cloud services and open source tools by a nation-state hacker group named Gadolinium to target a variety of organisations primarily in the healthcare and maritime sectors.

The software giant said in a blog post that Gadolinium, which has been targeting and compromising a number of organisations worldwide for nearly a decade, is now using cloud services and open source tools to enhance the weaponisation of its malware payloads and to carry out command and control against compromised systems.

In the cyber security industry, Gadolinium is known as a Chinese hacker group that enjoys state support and is also tracked under names such as Leviathan and APT40. According to Microsoft, the hacker group uses custom-crafted malware families to target organisations and, over the past year, has begun using open-source toolkits to obfuscate its activities.

In order to increase the scale and speed of its attacks, Gadolinium has been using cloud services as well as GitHub to issue new commands to victim computers. Since April this year, Gadolinium has also been sending COVID-19-themed phishing emails to targeted organisations, attaching malicious PowerPoint files that install several payloads once downloaded on a computer.

In April, Microsoft discovered and suspended as many as eighteen Azure Active Directory applications that were being used by the hacker group as part of its malicious PowerShell Empire infrastructure. While Microsoft said the move will protect end users, the hackers are expected to quickly set up new cloud applications and use new open-source tools to carry out malicious activities.

“The GADOLINIUM PowerShell Empire toolkit allows the attacker to load additional modules to victim computers seamlessly via Microsoft Graph API calls. It provides a command and control module that uses the attacker’s Microsoft OneDrive account to execute commands and retrieve results between attacker and victim systems,” Microsoft said.

“The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage.

“From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario, no OAuth permissions consent prompts occur,” it added. The company has shared indicators of compromise (IOCs) associated with Gadolinium’s activities, covering hashes of malicious document attachments, actor-owned email addresses and Azure Active Directory App IDs associated with malicious apps, to enable security workers to defend against the group’s attacks.
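The detection difficulty Microsoft describes is that OneDrive command and control looks like ordinary Microsoft Graph traffic. One practical counter is to reconcile every Graph call that touches a drive against the list of Azure AD application IDs the organisation has actually approved. The script below is an added example, not code from the article or from Microsoft; the app IDs, users and log records are constructed, and the log format (one JSON object per line with the calling app ID, HTTP method, user and request URL) is an assumption standing in for whatever proxy or Graph activity log is available.

```python
"""Triage Microsoft Graph activity for OneDrive use by unapproved Azure AD apps.

Added example, not from the article or Microsoft. Records are constructed to
imitate a proxy/Graph activity log: calling app ID, HTTP method, user, URL.
"""
import json
from urllib.parse import urlparse

# Placeholder allowlist: app IDs the organisation itself registered or approved.
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}

# Constructed sample log (JSON lines). App 2222... is unknown to the organisation.
SAMPLE_LOG = """\
{"app_id": "11111111-1111-1111-1111-111111111111", "method": "GET", "user": "alice@example.test", "url": "https://graph.microsoft.com/v1.0/me/drive/root/children"}
{"app_id": "22222222-2222-2222-2222-222222222222", "method": "GET", "user": "bob@example.test", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/tasks.txt:/content"}
{"app_id": "22222222-2222-2222-2222-222222222222", "method": "PUT", "user": "bob@example.test", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/results.bin:/content"}
{"app_id": "33333333-3333-3333-3333-333333333333", "method": "GET", "user": "carol@example.test", "url": "https://graph.microsoft.com/v1.0/me/messages"}
"""


def classify(record, approved=APPROVED_APP_IDS):
    """Return None if the record is benign, else a verdict naming why it is flagged."""
    path = urlparse(record["url"]).path.lower()
    if "/drive" not in path:           # not a OneDrive/SharePoint file endpoint
        return None
    if record["app_id"] in approved:   # sanctioned app: nothing to reconcile
        return None
    if path.endswith("/content"):
        # GET of file content: something fetched from the drive (tasking).
        # PUT of file content: something pushed to the drive (results/exfiltration).
        return "download" if record["method"] == "GET" else "upload"
    return "enumeration"               # listing or metadata access by an unknown app


def triage(log_text, approved=APPROVED_APP_IDS):
    """Parse JSON lines and return (app_id, user, verdict) for every flagged record."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        verdict = classify(rec, approved)
        if verdict:
            findings.append((rec["app_id"], rec["user"], verdict))
    return findings


if __name__ == "__main__":
    for app_id, user, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:12s} app={app_id} user={user}")
```

In a real estate the allowlist would be generated from the tenant's own app registrations and service principals rather than typed by hand, and a flagged app ID is the pivot into the Azure AD audit log to see who created it and what permissions it was granted.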
Copyright Lyonsdown Limited 2021
