Cisco Talos researchers have uncovered a sophisticated Chinese-speaking advanced persistent threat (APT) group, designated UAT-7237, that has been actively targeting web hosting infrastructure in Taiwan since at least 2022.
The group demonstrates significant operational overlaps with previously identified threat actor UAT-5918, suggesting coordinated activities under a broader threat umbrella while employing distinct tactics to establish long-term persistence in high-value environments.
UAT-7237 distinguishes itself through a refined approach to maintaining persistent access, diverging from traditional web shell deployment strategies.
The group initially exploits known vulnerabilities on unpatched internet-facing servers before conducting rapid reconnaissance to assess target value.
Their sophisticated operational methodology includes several key components:
- Custom Shellcode Loader: The group deploys “SoundBill,” a custom tool built on the Chinese-language VTHello framework that can decode and execute various payloads, including Cobalt Strike beacons.
- VPN-Based Persistence: Rather than relying on web shells, UAT-7237 uses SoftEther VPN clients combined with direct Remote Desktop Protocol (RDP) access for sustained presence.
- Cloud Infrastructure: Command and control (C2) traffic is directed to AWS Lambda URLs, so the beacons talk to a legitimate AWS hostname that blends in with ordinary cloud traffic.
- Evasion Techniques: SoundBill embeds executables taken from the QQ instant-messaging client, likely as decoys, and the same loader has been used to deploy a customized build of Mimikatz.
Together these give the operators arbitrary command execution on compromised hosts while the shellcode loader, rather than a web shell on disk, carries the payload, which is the group's main means of evading detection.
Credential Theft and Network Spread
UAT-7237 shows classic APT behaviour in the way it extracts credentials and expands across the network.
The group uses JuicyPotato for privilege escalation, FScan for network reconnaissance, and several Mimikatz variants for credential harvesting.
It also edits the registry to disable User Account Control (UAC) restrictions and to make Windows cache cleartext passwords, which indicates a thorough understanding of Windows security controls.
Reconnaissance relies on both living-off-the-land binaries and dedicated tools such as SharpWMI and WMICmd, which execute commands remotely over Windows Management Instrumentation (WMI).
Credential harvesting targets stored VNC configurations and the LSASS process, the latter dumped with the open-source ssp_dump_lsass project.
Stolen credentials are archived with 7-Zip before exfiltration, showing organized data handling.
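To make the registry tampering described above concrete, here is an added detection example (written for this page; it is not Talos code and not the actor's tooling). It flags Sysmon-style RegistryValueSet events (Event ID 13) and `reg add` command lines (Event ID 1) that disable UAC or enable cleartext credential caching. The page does not name the registry values involved; the three used here (EnableLUA, LocalAccountTokenFilterPolicy and WDigest UseLogonCredential) are the standard Windows settings for those changes and are an assumption. The events are constructed sample data in Sysmon field names.

```python
"""Flag Windows registry changes that weaken UAC or enable cleartext credential
caching. Added example, not Talos code. The registry values watched are an
assumption (the page does not name them); the events are constructed samples.
"""
import re

# (normalized "hive\key\value" path, data) -> finding. Paths are lowercase and
# backslash-separated so Sysmon events and reg.exe command lines compare equal.
WEAKENING = {
    (r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua", 0):
        "UAC disabled (EnableLUA=0)",
    (r"hklm\software\microsoft\windows\currentversion\policies\system\localaccounttokenfilterpolicy", 1):
        "UAC remote token filtering disabled (LocalAccountTokenFilterPolicy=1)",
    (r"hklm\system\currentcontrolset\control\securityproviders\wdigest\uselogoncredential", 1):
        "WDigest cleartext credential caching enabled (UseLogonCredential=1)",
}

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def normalize_path(path):
    """Lowercase, strip quotes, unify slashes and expand hive aliases."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    hive, sep, rest = p.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest


def sysmon_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the int or None."""
    m = re.fullmatch(r"DWORD\s*\((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def from_reg_add(cmdline):
    """Parse `reg add <key> /v <name> /t <type> /d <data>` into (path, data), else None."""
    if not re.search(r"\breg(?:\.exe)?\s+add\b", cmdline, re.IGNORECASE):
        return None
    key = re.search(r'\badd\s+("[^"]+"|\S+)', cmdline, re.IGNORECASE)
    name = re.search(r"\s/v\s+(\S+)", cmdline, re.IGNORECASE)
    data = re.search(r"\s/d\s+(\S+)", cmdline, re.IGNORECASE)
    if not (key and name and data):
        return None
    try:
        value = int(data.group(1), 0)  # reg.exe accepts decimal or 0x-prefixed hex
    except ValueError:
        return None
    return normalize_path(key.group(1).strip('"') + "\\" + name.group(1)), value


def scan(events):
    """Return [(event_id, finding)] for every event that sets a weakening value."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            key = (normalize_path(ev["TargetObject"]), sysmon_dword(ev["Details"]))
        elif ev["EventID"] == 1:
            key = from_reg_add(ev["CommandLine"])
        else:
            key = None
        if key in WEAKENING:
            findings.append((ev["EventID"], WEAKENING[key]))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 1 /f'},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",  # UAC re-enabled: not a finding
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",  # read-only query: not a finding
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"},
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(f"Event {event_id}: {finding}")
```

Matching on the command line as well as on the resulting registry event matters because the `reg add` shows up in process-creation telemetry even on hosts where registry auditing is not enabled; the reverse case (a direct API write with no command line) is caught only by the Event ID 13 path.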
Targeting Taiwan’s Infrastructure
Analysis of UAT-7237’s victimology reveals a concentrated focus on Taiwanese web hosting providers and critical infrastructure entities, aligning with broader Chinese APT campaign patterns.
Talos researchers assess with high confidence that UAT-7237 operates as a subgroup of UAT-5918, which previously targeted critical infrastructure entities in Taiwan.
The connection is supported by shared tooling, victimology patterns, and operational timeframes spanning from 2022 through 2024.
The group’s particular interest in VPN and cloud infrastructure suggests intelligence gathering objectives beyond traditional data theft.
The group has run SoftEther VPN infrastructure with Simplified Chinese language configurations for roughly two years, which adds to the attribution confidence.
Web hosting providers are a strategic target: compromising one could enable supply chain attacks or broader intelligence collection against the entities it hosts, with significant implications for Taiwan's digital infrastructure and the regional threat landscape.
Indicators of Compromise (IOCs):
Indicator | File Path / Name | Description / Tool
---|---|---
450fa9029c59af9edf2126df1d6a657ee6eb024d0341b32e6f6bdb8dc04bae5a | C:\temp\wmiscan.exe | wmiscan
6a72e4b92d6a459fc2c6054e9ddb9819d04ed362bd847333492410b6d7bae5aa | c:/hotfix/Project1.exe | ssp_dump_lsass tool
e106716a660c751e37cfc4f4fbf2ea2f833e92c2a49a0b3f40fc36ad77e0a044 | C:/hotfixlog/Fileless.exe | FScan
b52bf5a644ae96807e6d846b0ce203611d83cc8a782badc68ac46c9616649477 | C:/hotfixlog/smb_version.exe | smb_version
864e67f76ad0ce6d4cc83304af4347384c364ca6735df0797e4b1ff9519689c5 | fileless.exe | Mimikatz
df8497b9c37b780d6b6904a24133131faed8ea4cf3d75830b53c25d41c5ea386 | SoundBill | Shellcode loader (malware)
0952e5409f39824b8a630881d585030a1d656db897adf228ce27dd9243db20b7 | Cobalt Strike | Beacon
7a5f05da3739ad3e11414672d01b8bcf23503a9a8f1dd3f10ba2ead7745cdb1f | Cobalt Strike | Beacon
cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1[.]on[.]aws | (Hostname) | Malicious AWS Lambda URL (C2)
http[://]141[.]164[.]50[.]141/sdksdk608/win-x64[.]rar | (URL) | Malware payload (RAR)
141[.]164[.]50[.]141 | (IP) | Malicious C2 server
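As an added example (written for this page, not part of the Talos report), the following script refangs the defanged indicators listed above, classifies each as a SHA-256 hash, IPv4 address, URL or hostname, and matches them against a few constructed DNS, proxy and EDR log lines. The log format, hostnames such as `web01`, internal addresses and timestamps are made up for the example; the indicator values are copied from the table.

```python
"""Refang the published IOCs and match them against log lines.
Added example, not Talos code. Log lines below are constructed samples.
"""
import re

# Indicators from the table above, copied as published (defanged), with a
# short description. Hashes, hostname, URL and IP are in one list on purpose:
# the matcher decides how to compare each one.
IOC_TABLE = r"""
450fa9029c59af9edf2126df1d6a657ee6eb024d0341b32e6f6bdb8dc04bae5a | wmiscan
6a72e4b92d6a459fc2c6054e9ddb9819d04ed362bd847333492410b6d7bae5aa | ssp_dump_lsass tool
e106716a660c751e37cfc4f4fbf2ea2f833e92c2a49a0b3f40fc36ad77e0a044 | FScan
b52bf5a644ae96807e6d846b0ce203611d83cc8a782badc68ac46c9616649477 | smb_version
864e67f76ad0ce6d4cc83304af4347384c364ca6735df0797e4b1ff9519689c5 | Mimikatz
df8497b9c37b780d6b6904a24133131faed8ea4cf3d75830b53c25d41c5ea386 | SoundBill
0952e5409f39824b8a630881d585030a1d656db897adf228ce27dd9243db20b7 | Cobalt Strike beacon
7a5f05da3739ad3e11414672d01b8bcf23503a9a8f1dd3f10ba2ead7745cdb1f | Cobalt Strike beacon
cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1[.]on[.]aws | Malicious Lambda URL
http[://]141[.]164[.]50[.]141/sdksdk608/win-x64[.]rar | Malware payload (RAR)
141[.]164[.]50[.]141 | Malicious C2 server
"""

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(ind):
    """Undo the usual defanging: [.] -> . , [://] -> :// , hxxp -> http."""
    return ind.replace("[.]", ".").replace("[://]", "://").replace("hxxp", "http")


def classify(ind):
    if SHA256_RE.fullmatch(ind):
        return "sha256"
    if IPV4_RE.fullmatch(ind):
        return "ipv4"
    if "://" in ind:
        return "url"
    return "hostname"


def load_iocs(table=IOC_TABLE):
    """Return {refanged lowercase indicator: (kind, description)}."""
    iocs = {}
    for line in table.strip().splitlines():
        ind, _, desc = (part.strip() for part in line.partition("|"))
        ind = refang(ind).lower()
        iocs[ind] = (classify(ind), desc)
    return iocs


def scan_log(lines, iocs):
    """Return [(line_no, kind, indicator, description)] for every match.

    Hashes are compared as whole 64-hex tokens, IPs must not be embedded in a
    longer dotted number (so 141.164.50.141 does not match 1141.164.50.1411),
    and URLs/hostnames are matched as substrings of the lowercased line.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        hashes = set(SHA256_RE.findall(low))
        for ind, (kind, desc) in iocs.items():
            if kind == "sha256":
                found = ind in hashes
            elif kind == "ipv4":
                found = re.search(r"(?<![\d.])" + re.escape(ind) + r"(?![\d.])", low) is not None
            else:
                found = ind in low
            if found:
                hits.append((n, kind, ind, desc))
    return hits


# Constructed sample log lines (DNS, web proxy, EDR file event, benign DNS).
SAMPLE_LOG = [
    "2024-05-02T10:15:03Z dns query=cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1.on.aws src=10.0.5.21",
    "2024-05-02T10:16:40Z proxy src=10.0.5.21 url=http://141.164.50.141/sdksdk608/win-x64.rar status=200",
    r"2024-05-02T10:17:02Z edr host=web01 file=C:\hotfix\Project1.exe sha256=6a72e4b92d6a459fc2c6054e9ddb9819d04ed362bd847333492410b6d7bae5aa",
    "2024-05-02T10:18:00Z dns query=updates.example.com src=10.0.5.21",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, load_iocs()):
        print(hit)
```

The proxy line produces two hits, one for the full download URL and one for the bare C2 address, which is the behaviour you want: the IP indicator should still fire when the same server is later contacted on a different path or port.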