China's APT41 Targets Taiwan Research Institute for Cyber Espionage

Published: 23/11/2024   Category: security




The state-sponsored Chinese threat actor gained access to three systems and stole at least some research data around computing and related technologies.



China-linked advanced persistent threat group APT41 appears to have compromised a government-affiliated institute in Taiwan that conducts research on advanced computing and associated technologies.
The intrusion began in July 2023, with the threat actor gaining initial access to the victim environment via undetermined means. Since then, it has deployed multiple malware tools, including the well-known ShadowPad remote access Trojan (RAT), the Cobalt Strike post-compromise tool, and a custom loader for injecting malware using a 2018 Windows remote code execution vulnerability (CVE-2018-0824).
APT41 is an attribution that several vendors use to track a loose collective of China-nexus threat groups that have been engaged in a broad range of cyber espionage and financially motivated cyberattacks around the world, going back to 2012. Members of the group such as Wicked Panda, Winnti, Barium, and SuckFly have plundered and pillaged trade secrets, intellectual property, and other sensitive data from organizations in the US and multiple other countries in recent years.
Most recently, Mandiant reported observing members of the group targeting global shipping and logistics companies and organizations in the technology, entertainment, and automotive sectors. The US government indicted several members of the Chengdu-based APT41 in 2020, though that has done little to slow it down.
Researchers at Cisco Talos discovered the intrusion when investigating abnormal activity involving attempts to download and execute PowerShell scripts in the Taiwan research institute's network environment last year.
"The nature of research-and-development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them," Talos researchers Joey Chen, Ashley Shen, and Vitor Ventura said in a report this week. Over the course of the intrusion, APT41 actors broke into three systems in the target environment and stole at least some documents from there, they said.
ShadowPad is malware that researchers first discovered embedded in the source code of NetSarang Computer's Xmanager server management software back in 2017. That supply chain attack impacted several NetSarang customers in the APAC region. Initially, researchers believed that APT41 was the sole user of the backdoor. Over the years, however, they have identified multiple groups — all of them China-linked — that have used the RAT in numerous cyber-espionage campaigns and software supply chain attacks.
With the attack on the Taiwanese research institute, APT41 used two different ShadowPad iterations — one that leveraged a previously known packing mechanism called ScatterBee, and another that used an outdated and vulnerable version of the Microsoft Input Method Editor (IME), the Cisco Talos researchers said.
The attackers used ShadowPad to run commands for mapping out the victim network, collecting data on hosts, and trying to find other exploitable systems on the same network. Cisco Talos also found the APT harvesting passwords and user credentials stored in Web browsers from the compromised environment, using tools such as Mimikatz and WebBrowserPassView.
"From the environment the actor executes several commands, including using net, whoami, quser, ipconfig, netstat, and dir commands to obtain information on user accounts, directory structure, and network configurations from the compromised systems," the researchers said. "In addition, we also observed a query to the registry key to get the current state of software inventory collection on the system."
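The discovery commands listed above are a detection opportunity: a single parent process spawning many of them within a few minutes is unusual for normal user activity. The following example, added here and not part of the Talos report, runs that logic over constructed process-creation events (Sysmon Event ID 1 style; the host names, PIDs, field layout and function names are assumptions made for the illustration).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the Talos report says APT41 ran through ShadowPad.
DISCOVERY_CMDS = {"net", "whoami", "quser", "ipconfig", "netstat", "dir"}

# Constructed events: (timestamp, host, parent PID, image, command line). Hosts/PIDs are invented.
SAMPLE_EVENTS = [
    ("2023-07-10T09:14:02", "RSRCH-WS01", 4120, r"C:\Windows\System32\whoami.exe", "whoami"),
    ("2023-07-10T09:14:05", "RSRCH-WS01", 4120, r"C:\Windows\System32\net.exe", "net user"),
    ("2023-07-10T09:14:09", "RSRCH-WS01", 4120, r"C:\Windows\System32\quser.exe", "quser"),
    ("2023-07-10T09:14:20", "RSRCH-WS01", 4120, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("2023-07-10T09:14:31", "RSRCH-WS01", 4120, r"C:\Windows\System32\NETSTAT.EXE", "netstat -ano"),
    ("2023-07-10T09:14:40", "RSRCH-WS01", 4120, r"C:\Windows\System32\cmd.exe", 'cmd /c "dir C:\\Users"'),
    # A benign admin session: only two discovery commands, far apart in time.
    ("2023-07-10T10:02:00", "RSRCH-WS02", 9981, r"C:\Windows\System32\ipconfig.exe", "ipconfig"),
    ("2023-07-10T10:41:00", "RSRCH-WS02", 9981, r"C:\Windows\System32\whoami.exe", "whoami"),
]


def discovery_command(image, cmdline):
    """Return the discovery command an event represents, or None."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name in DISCOVERY_CMDS:
        return name
    # 'dir' is a cmd.exe built-in, so it only shows up in the command line.
    tokens = cmdline.lower().replace('"', "").split()
    if name == "cmd" and len(tokens) > 2 and tokens[1] in ("/c", "/k") and tokens[2] in DISCOVERY_CMDS:
        return tokens[2]
    return None


def find_discovery_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Flag (host, parent PID) pairs that launch at least `threshold` distinct
    discovery commands inside one `window`; returns {(host, ppid): [commands]}."""
    by_parent = defaultdict(list)
    for ts, host, ppid, image, cmdline in events:
        cmd = discovery_command(image, cmdline)
        if cmd:
            by_parent[(host, ppid)].append((datetime.fromisoformat(ts), cmd))
    hits = {}
    for key, seen in by_parent.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            names = {c for t, c in seen[i:] if t - start <= window}
            if len(names) >= threshold:
                hits[key] = sorted(names)
                break
    return hits
```

Only the RSRCH-WS01 parent process trips the rule; the spaced-out admin commands on RSRCH-WS02 do not.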
As part of their attack chain, the threat actors also deployed the Cobalt Strike post-compromise tool on the victim network using a loader they cloned from a GitHub project. It's designed to evade antivirus detection tools.
"It's important to highlight that this Cobalt Strike beacon shellcode used steganography to hide in a picture and was executed by this loader," the researchers said. In other words, its download, decryption, and execution routines all happen at runtime in memory.
