Researchers have uncovered a cyber espionage campaign targeting a Taiwanese government-affiliated research institute specializing in computing and related technologies. The researchers assessed with medium confidence that the tactics, techniques, and procedures (TTPs) are associated with the Chinese state-sponsored hacking group known as APT41, which has been listed among the FBI’s most wanted in connection with intrusion campaigns against more than 100 victims globally.
The campaign, which began as early as July 2023, utilized the notorious ShadowPad malware, Cobalt Strike, and other custom tools for post-compromise activities.
Espionage Campaign Evidence Points to APT41
The attack began with the exploitation of an outdated, vulnerable Microsoft Office IME binary, which served as a loader to launch the second-stage loader for the payload. The ShadowPad malware, known for its remote access trojan (RAT) capabilities, was used to gain access to the system.
Additionally, the researchers from Talos observed that APT41 had created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing the Microsoft remote code execution vulnerability to achieve local privilege escalation.
The attackers also deployed Cobalt Strike, a commercial penetration testing framework, using a loader built to evade detection by Windows Defender. This unique version of the commonly deployed Cobalt Strike loader, written in GoLang, was used to sideload the malware into the system.
This loader version was based on an anti-AV loader named CS-Avoid-Killing, hosted on GitHub and written in Simplified Chinese. The repository, promoted in Chinese hacking forums and technical tutorials, indicates that the threat actors were well-versed in the language. The use of Simplified Chinese in the loader’s code further strengthens the link to Chinese actors.
The attackers compromised three hosts in the targeted environment and exfiltrated some documents from the network. They gained a foothold by executing malicious code and binaries on the machine, installing a webshell to enable discovery and execution, and dropping malware payloads through various approaches such as webshell, RDP access, and reverse shell.
Once inside the network, the attackers employed tools like Mimikatz and WebBrowserPassView to steal credentials and exfiltrated sensitive documents using 7zip for compression and encryption.
Several key indicators link this attack to APT41 beyond the Chinese-language code and the custom loader derived from one circulated on Chinese forums. One indicator is the attackers' deployment of ShadowPad, a sophisticated modular RAT predominantly used by similar Chinese hacking groups.
While the researchers could not retrieve the final ShadowPad payload, the loaders used match those previously attributed to the APT41 group. Also, significant infrastructure overlap exists, including the use of a command-and-control (C2) server previously linked to APT41 in a 2022 report.
Finally, the attackers employed a specific side-loading technique leveraging an outdated Bitdefender executable, a tactic repeatedly observed in past APT41 campaigns.
Sophisticated Tools and Techniques
The attackers demonstrated a high degree of technical proficiency, using a variety of methods to establish a foothold and maintain persistence. They deployed webshells, leveraged RDP access, and established reverse shells to drop malware, including a unique Cobalt Strike loader written in GoLang, likely designed to evade Windows Defender.
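The intrusion chain described above (a signed, outdated vendor binary abused as a DLL sideloading host, then Mimikatz, WebBrowserPassView and password-protected 7zip archives for credential theft and exfiltration staging) lends itself to simple endpoint hunting rules. The following is an added illustration, not Talos's detection logic or any code from the campaign; the `Event` record is a constructed stand-in for a Sysmon image-load or process-create event, and the executable and DLL names in the comments and tests are placeholders.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """Constructed stand-in for a Sysmon image-load (ID 7) or process-create (ID 1) record."""
    kind: str                  # "image_load" or "process_create"
    image: str                 # host process path
    image_signed: bool = True
    loaded: str = ""           # DLL path (image_load only)
    loaded_signed: bool = True
    cmdline: str = ""          # command line (process_create only)

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"

def sideload_rule(ev: Event):
    """A signed executable running outside a trusted directory that loads an
    unsigned DLL from its own directory: the pattern behind abusing an old
    signed vendor binary (Bitdefender, Office IME) as a loader."""
    if ev.kind != "image_load" or not ev.image_signed or ev.loaded_signed:
        return None
    if _dir(ev.image).startswith(TRUSTED_DIRS) or _dir(ev.image) != _dir(ev.loaded):
        return None
    return f"possible DLL sideload: {ev.image} loaded {ev.loaded}"

# Constructed command-line patterns for the post-compromise tooling named above.
CMD_PATTERNS = [
    ("credential dumping (Mimikatz)", re.compile(r"sekurlsa::|lsadump::|mimikatz")),
    ("browser credential theft (WebBrowserPassView)", re.compile(r"webbrowserpassview")),
    ("password-protected 7zip archive staging", re.compile(r"\b7za?\.exe\b.*\ba\b.*\s-p\S*")),
]

def cmdline_rule(ev: Event):
    """Return the labels of every command-line pattern that matches this event."""
    if ev.kind != "process_create":
        return []
    cl = ev.cmdline.lower()
    return [label for label, rx in CMD_PATTERNS if rx.search(cl)]

def hunt(events):
    """Run every rule over a batch of events; returns the list of alert strings."""
    alerts = []
    for ev in events:
        hit = sideload_rule(ev)
        if hit:
            alerts.append(hit)
        alerts.extend(f"{label}: {ev.cmdline}" for label in cmdline_rule(ev))
    return alerts
```

The sideload rule deliberately ignores signed binaries under Windows or Program Files, so a vendor product loading its own unsigned helper from its install directory does not fire; a copy of that same binary dropped in a user-writable folder next to an unsigned DLL does.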
Chinese APT groups pose a particular risk to Taiwanese sovereignty and integrity as tensions and disputes between the two states grow.