Researchers have identified a cyber espionage campaign targeting a Taiwanese government-affiliated research institute known for its expertise in computing and related technologies. This campaign is linked to the Chinese state-sponsored hacking group APT41, which has been listed among the FBI’s most wanted due to its involvement in intrusion activities against over 100 victims globally. The attack began as early as July 2023, employing the notorious ShadowPad malware alongside other custom tools designed for post-compromise operations.
The initial breach involved exploiting an outdated version of Microsoft Office IME binary, which acted as a loader for the second-stage payload. ShadowPad, recognized for its remote access trojan capabilities, facilitated unauthorized access to the targeted systems. Additionally, APT41 utilized a tailored loader to inject a proof-of-concept for a known vulnerability, CVE-2018-0824, directly into memory, allowing for local privilege escalation through the exploitation of a Microsoft remote code execution vulnerability.
Once inside the network, the attackers compromised multiple hosts and exfiltrated sensitive documents. They executed malicious code to install a webshell for system exploration and deployed various methods, including RDP access and reverse shells, to deliver additional malware. Tools like Mimikatz and WebBrowserPassView were employed to capture credentials, and exfiltration was achieved using 7zip for both compression and encryption, indicating a high level of technical sophistication.
The evidence linking this attack to APT41 extends beyond the use of Chinese language in the code and the custom loader. The deployment of ShadowPad, a modular RAT commonly associated with Chinese hacking groups, further supports this connection. Significant overlaps in infrastructure, including a command-and-control server previously tied to APT41, reinforce the attribution. As tensions between Taiwan and China rise, experts highlight the increased risk posed by such sophisticated cyber operations to Taiwanese sovereignty and security.
Reference: