Cisco Talos researchers have reported a significant cyber attack on a Taiwanese government-affiliated research institute, attributing the breach to the China-linked group APT41 with medium confidence. The campaign began as early as July 2023 and involved deploying advanced malware tools including ShadowPad and Cobalt Strike.
Attack Overview and Attribution
The researchers identified several key aspects of the attack:
- The campaign targeted a Taiwanese government-affiliated research institute
- APT41, a group allegedly made up of Chinese nationals, is believed to be responsible
- Attribution rests on overlaps in tactics, techniques and procedures (TTPs), shared infrastructure, and the use of malware families that are sold or used exclusively by Chinese APT groups
ShadowPad Malware Deployment
A central component of the attack was the use of ShadowPad, a sophisticated modular remote access trojan (RAT):
- ShadowPad is known to be sold exclusively to Chinese hacking groups
- An outdated, vulnerable Microsoft Office IME binary was abused as the first-stage loader
- That loader launched a customized second-stage loader, which in turn started the ShadowPad payload
- Two distinct iterations of ShadowPad were encountered during the investigation
Cobalt Strike and Custom Loaders
The attackers also leveraged Cobalt Strike and developed custom loaders to evade detection:
- A unique Cobalt Strike loader written in Go was used to bypass Windows Defender
- The loader was derived from an anti-AV tool called CS-Avoid-Killing, which is publicly available on GitHub
- Simplified Chinese file and directory paths embedded in the loader suggest the operators work in that language
- PowerShell commands were used to run scripts that executed ShadowPad directly in memory and fetched Cobalt Strike from the command and control (C2) servers
Exploitation of CVE-2018-0824
APT41 demonstrated advanced capabilities by exploiting a known vulnerability:
- The group built a custom loader that injects a proof-of-concept exploit for CVE-2018-0824 directly into memory
- CVE-2018-0824 is a remote code execution vulnerability in Microsoft COM for Windows; on the already-compromised host it was used to achieve local privilege escalation
- The exploitation tool is known as UnmarshalPwn
Attack Methodology and Persistence
The attackers employed various techniques to maintain access and avoid detection:
- Three hosts in the targeted environment were compromised
- Documents were exfiltrated from the network
- A web shell was used to maintain persistence and drop additional payloads
- The “quser” command was run to check for other logged-on users, allowing the attackers to pause their activity whenever someone else was on the system and so reduce the chance of being noticed
- After the backdoors were in place, the web shell and the guest account used for initial access were deleted to remove traces of the intrusion
Broader Implications and Ongoing Investigations
Cisco Talos researchers emphasized the potential for further discoveries:
- Analysis of artifacts from this campaign led to the identification of samples and infrastructure potentially used in different campaigns
- Sharing these findings could help the cybersecurity community make connections and enhance ongoing investigations
- Indicators of Compromise (IoCs) for this campaign have been released on Cisco Talos’ GitHub repository
This attack on a Taiwanese government-affiliated research institute highlights the ongoing threat posed by advanced persistent threat (APT) groups like APT41. The combination of mature malware such as ShadowPad, custom loaders built to evade endpoint defences, and exploitation of a years-old known vulnerability for privilege escalation shows how state-sponsored actors keep refining established tooling rather than relying on novel exploits.