Likely compromise of Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

Aug. 2, 2024, 8:31 a.m.

Description

A government-affiliated Taiwanese research institute specializing in computing technologies experienced a cyber intrusion likely carried out by the Chinese hacking group APT41. The attackers used ShadowPad malware, Cobalt Strike, and custom tools, and exploited vulnerabilities such as CVE-2018-0824 for privilege escalation. They gathered information, deployed backdoors, harvested credentials, and exfiltrated data. Evidence suggests the threat actor was Chinese-speaking and used open-source anti-detection techniques.

Date

Published: Aug. 2, 2024, 8:23 a.m.
Created: Aug. 2, 2024, 8:23 a.m.
Modified: Aug. 2, 2024, 8:31 a.m.

Indicators

eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28

2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9

58.64.204.145

45.85.76.18

103.96.131.84

103.56.114.69

www.nss.com.tw

https://www.nss.com.tw/calc.exe

http://www.nss.com.tw/p.ps1

http://www.nss.com.tw/1.hta

http://45.85.76.18:443/yPc1

http://103.56.114.69:8085/p.ps1

Attack Patterns

UnmarshalPwn

POISONPLUG.SHADOW

ShadowPad - S0596

Cobalt Strike - S0154

APT41

T1588

T1018

T1012

T1082

T1071

T1569

T1219

T1033

T1027

T1563

T1003

T1059

CVE-2018-0824

Additional Information

Taiwan