Threat actors of unknown origin have been attributed to malicious campaigns, primarily targeting Japanese organizations since January 2025.
“The attacker exploited CVE-2024-4577, a flaw in Remote Code Execution (RCE) implementation of PHP-CGI on Windows.
“The attacker is using the publicly published cobalt strike kit, “Taowu” for-post Exploation Activity plugin.”
The goals of malicious activities cover companies across Japan’s technology, telecommunications, entertainment, education and e-commerce sectors.
It all starts with a threat actor who exploits the vulnerability in CVE-2024-4577 to gain initial access, executes a PowerShell script and executes a Cobalt Strike Reverse HTTP shellcode payload, allowing permanent remote access to the compromised endpoint.
The next step requires reconnaissance, privilege escalation, and lateral movement using tools such as Juicypotato, Rottenpotato, Sweetpotato, FSCAN, Seatbelt. A plugin from the Cobalt Strike kit called Taowu is used to establish additional persistence through Windows registry changes, scheduled tasks, and bespoke services.
“To maintain stealth, we use the Wevtutil command to clear the event log and remove traces of action from Windows Security, System and Application Logs,” says Raghuprasad. “In the end, they run the Mimikatz command to dump and remove the password and NTLM hash from the memory of the victim’s machine.”
The attack culminates with hacking crew stealing passwords, and NTLM hashs from infected hosts. Further analysis of command and control (C2) servers associated with the Cobalt Strike Tool has revealed that threat actors will leave a directory list that can be accessed via the Internet, thereby exposing the complete suite of adversarial tools and frameworks hosted on Alibaba cloud servers.
The most notable tools are listed below –
Browser Exploit Framework (BEEF), published pen test software for running commands within the browser context Viper C2, modular C2 framework that facilitates remote command execution and generation of meter preter reverse shell payloads, Blue Lotus, JavaScript WebShell Cross Site Scricking (XSS) attacks realizes screenshots, get reverse shells, steal browser cookies, create new accounts with content management system (CMS)
“We assess with moderate confidence that attackers’ motivations go beyond mere qualification yields based on observations of other post-exploitation activities, including establishment of sustainability, increased system-level privilege, and potential access to adversarial frameworks, indicating the possibility of future attacks.
Source link
