
Chinese-speaking advanced persistent threat (APT) actors have been observed targeting Taiwanese web infrastructure entities with customized versions of open source tools, with the aim of establishing long-term access within high-value victim environments.
The activity is attributed to a cluster tracked by Cisco Talos as UAT-7237, which is believed to have been active since at least 2022. The group is assessed to be a subgroup of UAT-5918, known for attacks on Taiwan's critical infrastructure entities up to 2023.
"UAT-7237 recently carried out an intrusion targeting web infrastructure entities within Taiwan, relying heavily on the use of open source tools that are tailored to some degree, likely to evade detection and carry out malicious activities within compromised companies," Talos said.

The attacks are characterized by the use of a bespoke shellcode loader called SoundBill, designed to decode and launch secondary payloads such as Cobalt Strike.
Despite its tactical overlap with UAT-5918, UAT-7237's tradecraft shows significant deviations, including a reliance on Cobalt Strike as the primary backdoor, the selective deployment of web shells after initial compromise, and the incorporation of direct Remote Desktop Protocol (RDP) access.
The attack chain begins with the exploitation of known security flaws in unpatched servers exposed to the internet, followed by initial reconnaissance and fingerprinting to determine whether the victim is of enough interest to warrant further exploitation.
"Where UAT-5918 quickly begins deploying web shells to establish a backdoor access channel, UAT-7237 instead uses a SoftEther VPN client (similar to Flax Typhoon) to maintain access and later accesses the system via RDP," Asheer Malhotra and Vitor Ventura said.
If this step is successful, the attacker pivots to other systems across the enterprise to expand its reach and carry out further activities, including the deployment of SoundBill, a shellcode loader used to launch Cobalt Strike.
Also deployed to compromised hosts are JuicyPotato, a privilege escalation tool widely used by various Chinese hacking groups, and Mimikatz to extract credentials. In an interesting twist, subsequent attacks took advantage of an updated version of SoundBill that embeds an instance of Mimikatz to achieve the same goal.
In addition to using FSCAN to identify open ports across IP subnets, UAT-7237 has been observed attempting to modify the Windows registry to disable User Account Control (UAC) and to enable storage of cleartext passwords.
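The two registry changes just described leave a clear trail in endpoint telemetry. As an added example (not from the article or from Talos), the Python below scans constructed Sysmon Event ID 13 (registry value set) records for UAC being disabled and cleartext credential storage being enabled. It assumes the standard registry values involved, EnableLUA under the UAC policy key and WDigest UseLogonCredential, which the article names only by their effect.

```python
"""Flag UAC-disable and cleartext-credential registry rollbacks in Sysmon
Event ID 13 (RegistryEvent: value set) records exported as JSON lines."""
import json

# Watched registry values -> (risky DWORD value, explanation). Assumption:
# EnableLUA=0 turns UAC off and WDigest UseLogonCredential=1 makes LSASS keep
# cleartext passwords; the article names these changes only by effect.
WATCHED = {
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua":
        (0, "UAC disabled (EnableLUA=0)"),
    r"hklm\system\currentcontrolset\control\securityproviders\wdigest\uselogoncredential":
        (1, "cleartext password storage enabled (UseLogonCredential=1)"),
}

# Constructed sample telemetry (not real data): two risky sets, one benign.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 13, "Computer": "web01", "User": "NT AUTHORITY\\SYSTEM",
                "Image": "C:\\Windows\\System32\\reg.exe",
                "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
                "Details": "DWORD (0x00000000)"}),
    json.dumps({"EventID": 13, "Computer": "web01", "User": "WEB01\\svc_iis",
                "Image": "C:\\Windows\\System32\\cmd.exe",
                "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
                "Details": "DWORD (0x00000001)"}),
    json.dumps({"EventID": 13, "Computer": "web02", "User": "WEB02\\admin",
                "Image": "C:\\Windows\\regedit.exe",
                "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
                "Details": "DWORD (0x00000001)"}),  # UAC re-enabled: benign
])

def dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the int, else None."""
    if details.startswith("DWORD (0x") and details.endswith(")"):
        return int(details[9:-1], 16)
    return None

def find_rollbacks(jsonl):
    """Return one finding per event that sets a watched value to its risky state."""
    findings = []
    for line in jsonl.splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 13:
            continue
        # Sysmon writes HKLM\...; some exporters write HKEY_LOCAL_MACHINE\...
        key = ev.get("TargetObject", "").replace("HKEY_LOCAL_MACHINE\\", "HKLM\\").lower()
        watch = WATCHED.get(key)
        if watch and dword(ev.get("Details", "")) == watch[0]:
            findings.append({"host": ev["Computer"], "user": ev["User"],
                             "image": ev["Image"], "why": watch[1]})
    return findings

if __name__ == "__main__":
    for f in find_rollbacks(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['why']} via {f['image']} as {f['user']}")
```

Feeding real Sysmon exports through `find_rollbacks` gives the host, process and account behind each change, which is what an incident responder needs to separate an administrator's mistake from post-exploitation tampering.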
"UAT-7237 has set Simplified Chinese as their preferred display language in the [SoftEther] VPN client's language configuration file, showing that the operator is proficient in the language," Talos said.

The disclosure comes as Intezer said it discovered, with low confidence, a new variant of the known backdoor called FireWood, which is associated with a China-aligned threat actor called Gelsemium.
FireWood was first documented by ESET in November 2024, which detailed its ability to leverage a rootkit module, a kernel driver called USBDEV.KO, to hide processes and execute various commands sent from the attacker-controlled server.
"The core functionality of the backdoor remains the same, but we noticed some changes to the implementation and configuration of the backdoor," said Nicole Fishbein, a researcher at Intezer. "It is unknown if the kernel module was updated as well, because it could not be collected."