Aug 15, 2025 | Ravie Lakshmanan | Malware / Open Source


A Chinese-speaking advanced persistent threat (APT) actor has been observed targeting web infrastructure entities in Taiwan using customized versions of open-sourced tools, with the aim of establishing long-term access within high-value victim environments.

Cisco Talos has attributed the activity to a cluster it tracks as UAT-7237, which is believed to have been active since at least 2022. The hacking group is assessed to be a sub-group of UAT-5918, which is known to have been attacking critical infrastructure entities in Taiwan as far back as 2023.

“UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise,” Talos said.


The attacks are characterized by the use of a bespoke shellcode loader dubbed SoundBill that’s designed to decode and launch secondary payloads, such as Cobalt Strike.

Despite the tactical overlaps with UAT-5918, UAT-7237’s tradecraft exhibits notable deviations, including its reliance on Cobalt Strike as a primary backdoor, the selective deployment of web shells after initial compromise, and the incorporation of direct remote desktop protocol (RDP) access and SoftEther VPN clients for persistent access.

The attack chains begin with the exploitation of known security flaws in unpatched servers exposed to the internet, followed by initial reconnaissance and fingerprinting to determine whether the target is of interest to the threat actors for follow-on exploitation.

“While UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly, using the SoftEther VPN client (similar to Flax Typhoon) to persist their access, and later access the systems via RDP,” researchers Asheer Malhotra, Brandon White, and Vitor Ventura said.

Once this step is successful, the attacker pivots to other systems across the enterprise to expand their reach and carry out further activities, including the deployment of SoundBill, a shellcode loader based on VTHello, for launching Cobalt Strike.

Also deployed on compromised hosts is JuicyPotato, a privilege escalation tool widely used by various Chinese hacking groups, and Mimikatz to extract credentials. In an interesting twist, subsequent attacks have leveraged an updated version of SoundBill that embeds a Mimikatz instance into it in order to achieve the same goals.

Besides using FScan to identify open ports across IP subnets, UAT-7237 has been observed attempting to make Windows Registry changes to disable User Account Control (UAC) and turn on storage of cleartext passwords.
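A defender's check for the two registry changes described above, as an added example that is not from the article or from Talos. The article does not name the registry values; the two watched here (`EnableLUA` and WDigest's `UseLogonCredential`) are the standard Windows settings for those behaviours and are an assumption about what was changed, and the log layout and sample events are constructed.

```python
import re

# Assumption: the article does not name the registry values. These are the
# standard Windows settings for the two behaviours it describes.
WATCHED = {
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua":
        (0, "UAC disabled"),
    r"hklm\system\currentcontrolset\control\securityproviders\wdigest\uselogoncredential":
        (1, "WDigest cleartext credential caching enabled"),
}

# Constructed sample events in a simplified key=value layout (hypothetical
# format, loosely modelled on registry value-set telemetry).
SAMPLE_EVENTS = """\
host=web01 image=C:\\Windows\\System32\\reg.exe target=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA details=DWORD (0x00000000)
host=web01 image=C:\\Windows\\System32\\reg.exe target=HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential details=DWORD (0x00000001)
host=web02 image=C:\\Windows\\System32\\svchost.exe target=HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential details=DWORD (0x00000000)
host=web02 image=C:\\Windows\\regedit.exe target=HKLM\\SOFTWARE\\Example\\Setting details=DWORD (0x00000001)
"""

EVENT_RE = re.compile(
    r"host=(?P<host>\S+) image=(?P<image>.+?) target=(?P<target>.+?) "
    r"details=DWORD \((?P<value>0x[0-9a-fA-F]+)\)$"
)


def find_weakening_changes(log_text):
    """Return (host, image, finding) for events that set a watched value to its risky state."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a registry value-set event in the expected layout
        # Normalise hive spelling and case so both HKLM forms match.
        target = m["target"].lower().replace("hkey_local_machine\\", "hklm\\")
        rule = WATCHED.get(target)
        # Flag only the risky value; resetting to the safe value is not a finding.
        if rule and int(m["value"], 16) == rule[0]:
            findings.append((m["host"], m["image"], rule[1]))
    return findings


if __name__ == "__main__":
    for host, image, finding in find_weakening_changes(SAMPLE_EVENTS):
        print(f"{host}: {finding} (set by {image})")
```
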

“UAT-7237 specified Simplified Chinese as the preferred display language in their [SoftEther] VPN client’s language configuration file, indicating that the operators were proficient with the…



Last Update: August 15, 2025