
New NailaoLocker ransomware used against EU healthcare orgs


A previously undocumented ransomware payload named NailaoLocker has been spotted in attacks targeting European healthcare organizations between June and October 2024.

The attacks exploited CVE-2024-24919, a Check Point Security Gateway vulnerability, to gain access to targeted networks and deploy the ShadowPad and PlugX malware, two families tightly associated with Chinese state-sponsored threat groups.

Orange Cyberdefense CERT links the attacks to Chinese cyber-espionage tactics, though there's not enough evidence to attribute them to specific groups.

NailaoLocker details

Orange's researchers report that NailaoLocker is a relatively unsophisticated ransomware strain compared to the most prominent families in the space.

Orange classes NailaoLocker as basic because it does not terminate security processes or running services, it lacks anti-debugging and sandbox-evasion mechanisms, and it does not scan network shares.

"Written in C++, NailaoLocker is relatively unsophisticated and poorly designed, seemingly not intended to guarantee full encryption," mentions Orange.

The malware is deployed on target systems via DLL sideloading: a malicious sensapi.dll is placed alongside a legitimate, signed executable (usysdiag.exe), which loads it.

The malware loader (NailaoLoader) verifies the environment by performing memory address checks and then decrypts the main payload (usysdiag.exe.dat) and loads it into memory.
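The three file names above (the signed host binary, the sideloaded DLL and the encrypted payload) are the only artifacts the article gives, but together they describe a filesystem pattern a defender can hunt for: a copy of sensapi.dll sitting next to usysdiag.exe outside the Windows system directory. The following Python script is an added, defender-side example written for this page; it is not code from the article or from Orange Cyberdefense. The directory layout it scans is constructed inside a temporary folder for the demo, and the assumption that the legitimate sensapi.dll normally resides in the Windows system directory is ours, not the article's.

```python
import os
import tempfile
from pathlib import Path

# File names as reported in the article's description of the sideloading chain.
HOST_EXE = "usysdiag.exe"          # legitimate, signed host executable
SIDELOADED_DLL = "sensapi.dll"     # malicious DLL loaded by the host
ENCRYPTED_PAYLOAD = "usysdiag.exe.dat"  # encrypted NailaoLocker payload


def find_sideload_candidates(root):
    """Walk `root` and return every directory in which the host executable
    sits next to a sensapi.dll and/or the encrypted payload file.

    Assumption (ours): the genuine sensapi.dll lives in the Windows system
    directory, so a copy beside an application binary is the placement that
    DLL sideloading depends on and is worth a manual look on its own.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = {n.lower() for n in filenames}
        if HOST_EXE in names and (SIDELOADED_DLL in names or ENCRYPTED_PAYLOAD in names):
            hits.append({
                "directory": dirpath,
                "dll_present": SIDELOADED_DLL in names,
                "payload_present": ENCRYPTED_PAYLOAD in names,
            })
    return hits


def build_sample_tree(base):
    """Constructed layout for the demo (placeholder bytes, not real samples):
    a benign install holding only the host binary, and a staging folder
    holding the full host + DLL + payload triad. Returns the staging path."""
    benign = Path(base) / "ProgramFiles" / "DiagTool"
    staged = Path(base) / "Users" / "Public" / "stage"
    benign.mkdir(parents=True)
    staged.mkdir(parents=True)
    (benign / HOST_EXE).write_bytes(b"MZ-placeholder")
    for name in (HOST_EXE, SIDELOADED_DLL, ENCRYPTED_PAYLOAD):
        (staged / name).write_bytes(b"placeholder")
    return str(staged)


def run_demo():
    """Build the constructed tree, scan it, and return (hits, staging_dir)."""
    with tempfile.TemporaryDirectory() as tmp:
        staged = build_sample_tree(tmp)
        hits = find_sideload_candidates(tmp)
    return hits, staged


if __name__ == "__main__":
    hits, staged = run_demo()
    for hit in hits:
        print(f"candidate: {hit['directory']} "
              f"(dll={hit['dll_present']}, payload={hit['payload_present']})")
```

Run against a real root (for example a user-profile or temp tree) the scan only surfaces candidates; confirm a hit by checking the DLL's signature and hashing it rather than relying on the file name alone, since the benign install in the demo shows a lone usysdiag.exe is expected and uninteresting.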

Overview of the attack chain
