China-linked group APT41 breached a Taiwanese government-affiliated research institute using ShadowPad and Cobalt Strike.<\/h2>\n\n\n\n
Cisco Talos researchers reported that the China-linked group compromised a Taiwanese government-affiliated research institute. The experts attributed the attack with medium confidence to the APT41<\/a> group.<\/p>\n\n\n\n
The campaign started as early as July 2023 and threat actors delivered the ShadowPad<\/a> malware, Cobalt Strike<\/a>, and other post-exploitation tools.
“Cisco Talos assesses with medium confidence that this campaign is carried out by APT41, alleged by the U.S. government to be comprised of Chinese nationals. This assessment is based primarily on overlaps in tactics, techniques and procedures (TTPs), infrastructure and malware families used exclusively by Chinese APT groups.” reads the report<\/strong><\/a> published by Cisco Talos. “Talos\u2019 analyses of the malware loaders used in this attack reveal that these are ShadowPad<\/a> loaders. However, Talos has been unable to retrieve the final ShadowPad payloads used by the attackers.”<\/em><\/p>\n\n\n\n
ShadowPad is a modular remote access trojan (RAT) sold exclusively to Chinese hacking groups. It has been publicly linked to APT41, a group believed to operate from Chengdu, China, and has also been used by other Chinese groups such as Mustang Panda<\/a> and the Tonto Team<\/a>.<\/p>\n\n\n\n
![\"APT41\"](\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2024\/08\/APT41.png?ssl=1\")
<\/a><\/figure>\n\n\n\nAttackers were also observed running PowerShell commands to execute scripts used to run the ShadowPad<\/a> malware directly in memory and fetch Cobalt Strike malware from C2 server.<\/p>\n\n\n\n
“During our investigation of this campaign, we encountered two distinct iterations of ShadowPad. While both iterations utilized the same sideloading technique, they each exploited different vulnerable legitimate binaries to initiate the ShadowPad loader.” continues the report. “The initial variant of the ShadowPad loader<\/u><\/a> had been previously discussed in 2020, and some vendors had referred to it as ‘ScatterBee’<\/u><\/a>. Its technical structure and the names of its multiple components have remained consistent with earlier reports. The more recent variant of the ShadowPad loader targeted an outdated and susceptible version of the Microsoft Office IME imecmnt.exe binary<\/u><\/a>, which is over 13 years old.”<\/em><\/p>\n\n\n\n
Talos also discovered that APT41 created a custom loader to inject a proof-of-concept for CVE-2018-0824<\/a> directly into memory. The threat actors used a remote code execution vulnerability to achieve local privilege escalation.
“During the compromise the threat actor attempts to exploit CVE-2018-0824, with a tool called UnmarshalPwn<\/u><\/a>, which we will detail in the sections below.” continues the report. “The malicious actor is careful, in an attempt to avoid detection, during its activity executes \u201cquser\u201d which, when using RDP allows it to see who else is logged on the system. Hence the actor can stop its activity if any other use is on the system. Cisco Talos also noticed that once the backdoors are deployed the malicious actor will delete the webshell and guest account that allowed the initial access.” <\/em>
Talos released Indicators of Compromise for this campaign on their GitHub repository<\/a>.<\/p>\n\n\n\n
Follow me on Twitter: @securityaffairs<\/strong><\/a> and Facebook<\/strong><\/a> and Mastodon<\/strong><\/a><\/p>\n\n\n\n
Pierluigi Paganini<\/strong><\/a><\/p>\n\n\n\n
(<\/strong>SecurityAffairs<\/strong><\/a> \u2013<\/strong> hacking, APT41)<\/strong>