
Web Hosting Firms in Taiwan Attacked by Chinese APT for Access to High-Value Targets

Chinese APT UAT-7237 has been targeting Taiwanese web infrastructure for long-term access to high-value entities.


Web hosting entities in Taiwan have been in the crosshairs of a Chinese APT looking to establish long-term access to high-value targets, Cisco Talos reports.

Tracked as UAT-7237 and believed to be active since 2022, the threat actor is likely a division of the hacking group that Talos tracks as UAT-5918, which overlaps with Chinese APTs such as Volt Typhoon and Flax Typhoon.

According to Talos, however, UAT-7237’s use of Cobalt Strike, its deployment of web shells on select systems only, and its use of RDP access and of a legitimate VPN client suggest the APT represents a separate cluster of activity under the UAT-5918 umbrella.

During a recent intrusion at a web hosting provider in Taiwan, UAT-7237 was seen exploiting known vulnerabilities in internet-facing servers for initial access, conducting reconnaissance, and deploying the SoftEther VPN software for remote access.

For reconnaissance and lateral movement, the threat actor used a combination of readily available tools and Windows Management Instrumentation (WMI)-based utilities, such as SharpWMI and WMICmd.

Alongside various open source tools, UAT-7237 was observed deploying a custom shellcode loader dubbed SoundBill, which is written in Chinese and contains two executables originating from the Chinese instant messaging software QQ.


SoundBill, Talos says, can load a range of payloads: custom Mimikatz implementations, code that enables arbitrary command execution, and Cobalt Strike payloads used for long-term information-stealing access.

UAT-7237 was also seen relying on the privilege escalation tool JuicyPotato for command execution, modifying the OS configuration of compromised systems to enable cleartext password storage, and using various tools to exfiltrate credentials.
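As an added defender's example (not code from the article or from Talos), the check below flags the "enable cleartext password storage" step on the Windows systems described, run over constructed Sysmon-style registry SetValue records. It assumes the mechanism is the WDigest UseLogonCredential value, which the article does not name.

```python
import re
from typing import Dict, List

# Assumption (the article names no specific setting): the well-known way to make
# Windows keep cleartext credentials in LSASS memory is the WDigest
# UseLogonCredential DWORD. Stored lower-cased for case-insensitive matching.
WDIGEST_VALUE = (
    r"hklm\system\currentcontrolset\control\securityproviders"
    r"\wdigest\uselogoncredential"
)

# Sysmon Event ID 13 (RegistryEvent SetValue) flattened to one line as
# "<UtcTime> <Image> <TargetObject> DWORD (0x%08x)".
_EVENT_RE = re.compile(
    r"^(?P<time>\S+) (?P<image>\S+) (?P<target>\S+) DWORD \(0x(?P<val>[0-9a-fA-F]{8})\)$"
)

# Constructed sample events, not data from the Talos report.
SAMPLE_EVENTS = [
    # benign: a service touching an unrelated key
    r"2025-08-14T08:55:41Z C:\Windows\System32\svchost.exe "
    r"HKLM\System\CurrentControlSet\Services\W32Time\Start DWORD (0x00000002)",
    # suspicious: WDigest cleartext storage switched on from an interactive editor
    r"2025-08-14T09:12:03Z C:\Windows\regedit.exe "
    r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential DWORD (0x00000001)",
    # benign: the same value explicitly set back to 0 (hardening, not enabling)
    r"2025-08-14T11:40:19Z C:\Windows\System32\reg.exe "
    r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential DWORD (0x00000000)",
]


def find_cleartext_enable(events: List[str]) -> List[Dict[str, str]]:
    """Return the SetValue events that turn WDigest cleartext storage on."""
    hits = []
    for line in events:
        m = _EVENT_RE.match(line)
        if not m:
            continue  # not a registry SetValue record in the expected shape
        if m["target"].lower() != WDIGEST_VALUE:
            continue  # some other key; out of scope for this check
        if int(m["val"], 16) == 0:
            continue  # 0 disables storage, which is the hardened state
        hits.append({"time": m["time"], "image": m["image"], "target": m["target"]})
    return hits


def cleartext_storage_enabled(registry: Dict[str, int]) -> bool:
    """Host audit over a flat {value_path: dword} export; absent = secure default."""
    for path, dword in registry.items():
        if path.lower() == WDIGEST_VALUE:
            return dword != 0
    return False
```

Feeding the same detector real Sysmon exports requires only flattening each event to the one-line shape the regex expects.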

The threat actor also used network scanning tools such as Fscan and SMB scans to discover other endpoints on the network, and deployed the SoftEther VPN client to maintain access to the compromised systems.

Because the remote server hosting SoftEther VPN was created in September 2022, Talos believes that the APT has been using the remote access software for over two years.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
