China-linked APT41 breached Taiwanese research institute

China-linked group APT41 breached a Taiwanese government-affiliated research institute using ShadowPad and Cobalt Strike.

Cisco Talos researchers reported that the China-linked group compromised a Taiwanese government-affiliated research institute. The experts attributed the attack with medium confidence to the APT41 group.

The campaign started as early as July 2023 and threat actors delivered the ShadowPad malware, Cobalt Strike, and other post-exploitation tools.

The sample of ShadowPad malware employed in this campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader. The loader in turn loads the customized second-stage loader for launching the payload.

“Cisco Talos assesses with medium confidence that this campaign is carried out by APT41, alleged by the U.S. government to be comprised of Chinese nationals. This assessment is based primarily on overlaps in tactics, techniques and procedures (TTPs), infrastructure and malware families used exclusively by Chinese APT groups.” reads the report published by Cisco Talos. “Talos’ analyses of the malware loaders used in this attack reveal that these are ShadowPad loaders. However, Talos has been unable to retrieve the final ShadowPad payloads used by the attackers.”

ShadowPad is a modular remote access trojan (RAT) sold exclusively to Chinese hacking groups. It has been publicly linked to APT41, a group believed to operate from Chengdu, China, and has also been used by other Chinese groups such as Mustang Panda and the Tonto Team.

The researchers were not able to determine the initial attack vector. The attackers compromised three hosts in the targeted environment and exfiltrated some documents from the network. 

Attackers used a web shell to maintain persistence and drop additional payloads like ShadowPad and Cobalt Strike.

The attackers used a unique Cobalt Strike loader written in GoLang to bypass Windows Defender’s detection. This loader, derived from an anti-AV tool called CS-Avoid-Killing found on GitHub and written in Simplified Chinese, is promoted in various Chinese hacking forums and tutorials. The presence of Simplified Chinese file and directory paths suggests that the threat actors who created the loader are proficient in the language.

APT41

Attackers were also observed running PowerShell commands to execute scripts used to run the ShadowPad malware directly in memory and fetch Cobalt Strike malware from C2 server.

“During our investigation of this campaign, we encountered two distinct iterations of ShadowPad. While both iterations utilized the same sideloading technique, they each exploited different vulnerable legitimate binaries to initiate the ShadowPad loader.” continues the report. “The initial variant of the ShadowPad loader had been previously discussed in 2020, and some vendors had referred to it as ‘ScatterBee’. Its technical structure and the names of its multiple components have remained consistent with earlier reports. The more recent variant of the ShadowPad loader targeted an outdated and susceptible version of the Microsoft Office IME imecmnt.exe binary, which is over 13 years old.”

Talos also discovered that APT41 created a custom loader to inject a proof-of-concept for CVE-2018-0824 directly into memory. The threat actors used a remote code execution vulnerability to achieve local privilege escalation.

“During the compromise the threat actor attempts to exploit CVE-2018-0824, with a tool called UnmarshalPwn, which we will detail in the sections below.” continues the report. “The malicious actor is careful, in an attempt to avoid detection, during its activity executes “quser” which, when using RDP allows it to see who else is logged on the system. Hence the actor can stop its activity if any other use is on the system. Cisco Talos also noticed that once the backdoors are deployed the malicious actor will delete the webshell and guest account that allowed the initial access.”

By analyzing artifacts from this campaign, the researchers identified samples and infrastructure potentially used by the same threat actors in different campaigns. Sharing these findings could help the community to make connections and enhance further investigations.

Talos released Indicators of Compromise for this campaign on their GitHub repository.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT41)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter