TSMC unwittingly became an accomplice of espionage against chip manufacturers

CarderPlanet

What do hackers want to know and how will they use the stolen information?

EclecticIQ specialists have discovered a new spying campaign targeting Chinese manufacturers of semiconductor products, which uses decoy documents associated with TSMC to infect victims with Cobalt Strike beacons. The spying attacks target companies based in Taiwan, Hong Kong, and Singapore.

Although the EclecticIQ report does not identify the initial compromise vector, the attack chain is assumed to begin with phishing emails, a typical method in cyber espionage operations. As part of the campaign, the attackers distribute the HyperBro loader to install a Cobalt Strike beacon on the infected device, giving them remote access to the machine.

The loader uses DLL sideloading to launch the Cobalt Strike beacon, abusing the legitimate CyberArk process "vfhost.exe" to evade anti-virus detection.

In the second variant of the attack, the hackers use a compromised Cobra DocGuard (CDG) web server to download a McAfee binary file and then another Cobalt Strike beacon. In this case, the attackers used a previously undocumented Go-based backdoor called ChargeWeapon.

The researchers claim that the campaign's Tactics, Techniques and Procedures (TTPs) are similar to those of the Chinese groups RedHotel and APT27. It is also noted that Cobra DocGuard servers had previously been observed being used by Chinese APT groups to deliver malware, which strengthens the theory about the hackers' origin.