APT41 Hackers Use ShadowPad, Cobalt Strike in Taiwanese Institute Cyber Attack

A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos.

The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. It has been attributed with medium confidence to a prolific hacking group tracked as APT41.

“The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload,” security researchers Joey Chen, Ashley Shen, and Vitor Ventura said.

“The threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network.”

Cisco Talos said it discovered the activity in August 2023 after detecting what it described were “abnormal PowerShell commands” that connected to an IP address to download and execute PowerShell scripts within the compromised environment.

The exact initial access vector used in the attack is not known, although it involved the use of a web shell to maintain persistent access and drop additional payloads like ShadowPad and Cobalt Strike, with the latter delivered by means a Go-based Cobalt Strike loader named CS-Avoid-Killing.

“The Cobalt Strike malware had been developed using an anti-AV loader to bypass AV detection and avoid the security product quarantine,” the researchers said.

Alternately, the threat actor was observed running PowerShell commands to launch scripts responsible for running ShadowPad in memory and fetch Cobalt Strike malware from a compromised command-and-control (C2) server. The DLL-based ShadowPad loader, also called ScatterBee, is executed via DLL side-loading.

Some of the other steps carried out as part of the intrusion comprised the use of Mimikatz to extract passwords and the execution of several commands to gather information on user accounts, directory structure, and network configurations.

“APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation,” Talos said, noting the final payload, UnmarshalPwn, is unleashed after passing through three different stages.

The cybersecurity outfit also pointed out the adversary’s attempts to avoid detection by halting its own activity upon detecting other users on the system. “Once the backdoors are deployed the malicious actor will delete the web shell and guest account that allowed the initial access,” the researchers said.

The disclosure comes as Germany revealed earlier this week that Chinese state actors were behind a 2021 cyber attack on the country’s national mapping agency, the Federal Office of Cartography and Geodesy (BKG), for espionage purposes.

Responding to the allegations, China’s embassy in Berlin said the accusation is unfounded and called on Germany “to stop the practice of using cybersecurity issues to smear China politically and in the media.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.