Chinese-speaking semiconductor companies have become the target of cyber espionage activities, with hackers employing TSMC-themed lures to deliver Cobalt Strike beacons. The campaign primarily focuses on firms in Taiwan, Hong Kong, and Singapore and shares tactics, techniques, and procedures (TTPs) that align with those used by Chinese state-backed threat groups.
The attackers are believed to gain initial access through spear-phishing emails, a common entry point in cyber espionage. Once a host is compromised, they deploy the HyperBro loader, which installs a Cobalt Strike beacon on the victim's device and gives them remote access.
To enhance the stealth of their attacks, the hackers present a decoy PDF pretending to be from Taiwan Semiconductor Manufacturing Company (TSMC) when launching the HyperBro loader. This diversionary tactic aims to avoid raising suspicion during the compromise.
The loader uses DLL side-loading to run the Cobalt Strike beacon in memory: a digitally signed CyberArk binary (vfhost.exe) is launched and made to load the malicious DLL, so that antivirus sees a trusted executable. The command and control (C2) server address hardcoded into the Cobalt Strike implant is disguised to resemble a legitimate jQuery Content Delivery Network (CDN) address, which helps it pass firewall inspection.
In a separate variant of the attack, the threat actors use a compromised Cobra DocGuard web server to deliver a legitimate McAfee binary ('mcods.exe') and, again through DLL side-loading, load additional Cobalt Strike shellcode. They also deploy a previously undocumented Go-based backdoor named 'ChargeWeapon,' which collects host data and sends it to the C2 server in base64-encoded form.
This backdoor utilizes several evasion methods, including communication through the Windows command line interface, execution of commands via Windows Management Instrumentation (WMI), and TCP over HTTP for C2 communications. EclecticIQ, the cybersecurity firm behind the report, attributes these activities with high confidence to a PRC-backed nation-state threat actor due to various factors, including victimology and infrastructure similarities with previously reported activity clusters.
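Two network-side traits described above are worth checking at the proxy: a C2 address dressed up as a jQuery CDN, and a backdoor that ships host data as base64 over HTTP. The script below is an added example, not code from the report or from EclecticIQ. It triages constructed outbound HTTP requests, flagging jQuery-themed hostnames that are not on an allowlist of real CDNs and request bodies that strictly decode from base64 into text carrying host-fingerprint fields. The lookalike host "cdn-jquery.example" and the fingerprint field names are constructed for the example; the report does not give the real C2 address or ChargeWeapon's field layout.

```python
"""Triage outbound HTTP requests for C2 traits from the report (added example).

Checks: (1) a jQuery-themed host that is not one of the real CDNs, and
(2) a base64 request body that decodes to host-fingerprint data.
"""
import base64
import binascii
import json
import re

# Real CDN hostnames that serve jQuery; extend from your own allowlist.
REAL_JQUERY_CDNS = {"code.jquery.com", "cdnjs.cloudflare.com", "ajax.googleapis.com"}

# Field names that suggest a host fingerprint; assumed for the example.
FINGERPRINT_KEYS = ("hostname", "username", "os", "domain", "ip")

# Constructed requests. The second host is a placeholder lookalike, not a real C2.
SAMPLE_REQUESTS = [
    {"method": "GET", "host": "code.jquery.com",
     "path": "/jquery-3.7.1.min.js", "body": ""},
    {"method": "POST", "host": "cdn-jquery.example", "path": "/jquery.min.js",
     "body": base64.b64encode(json.dumps(
         {"hostname": "WS-0421", "username": "ops", "os": "Windows 10"}
     ).encode()).decode()},
    {"method": "POST", "host": "intranet.example",
     "path": "/api/login", "body": "user=ops&pass=redacted"},
]


def decode_b64_payload(body: str):
    """Return the decoded UTF-8 text if body is strict base64, else None."""
    if not body or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return None
    try:
        return base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def looks_like_fingerprint(text: str) -> bool:
    """True when at least two fingerprint field names appear as whole words."""
    lowered = text.lower()
    hits = [k for k in FINGERPRINT_KEYS if re.search(rf"\b{k}\b", lowered)]
    return len(hits) >= 2


def triage_requests(requests):
    """Return (host, reasons) for each request that matches a C2 trait."""
    alerts = []
    for r in requests:
        reasons = []
        host = r["host"].lower()
        # jQuery in the host or path without a known CDN behind it is a lookalike.
        if "jquery" in host + r["path"].lower() and host not in REAL_JQUERY_CDNS:
            reasons.append("jQuery-themed host not on CDN allowlist")
        decoded = decode_b64_payload(r["body"])
        if decoded and looks_like_fingerprint(decoded):
            reasons.append("base64 body decodes to host fingerprint")
        if reasons:
            alerts.append((host, reasons))
    return alerts


if __name__ == "__main__":
    for host, reasons in triage_requests(SAMPLE_REQUESTS):
        print(f"{host}: {'; '.join(reasons)}")
```

The allowlist, not the string "jquery", is what carries the decision: a genuine request to code.jquery.com passes, while a host that merely contains the word is flagged. The base64 check uses strict decoding so ordinary form bodies such as the login request fall through without a false positive.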