Unmasking the new persistent attacks on Japan

March 6, 2025, 10:52 p.m.

Description

An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. After gaining initial access, the attacker runs PowerShell scripts and uses the 'TaoWu' Cobalt Strike kit for post-exploitation activity: reconnaissance, privilege escalation, persistence, and credential theft. Targeted sectors include technology, telecommunications, entertainment, education, and e-commerce. The attacker's techniques resemble those of the 'Dark Cloud Shield' group, but attribution remains uncertain. A pre-configured installer script found on the C2 server deploys multiple adversarial tools and frameworks, indicating that further attacks are likely.
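
The chain described above starts with a request that abuses CVE-2024-4577, and the report lists two IP addresses as indicators, so the first thing a defender wants is a pass over web server access logs for both. The script below is an added example written for this page; it is not detection logic from the original report or from the attacker's tooling. It assumes Apache/IIS-style combined access logs and matches the exploit's percent-encoded soft hyphen (%AD) on the raw request line; the log lines are constructed for the example, and the tag names are my own.

```python
import re
from typing import Optional

# Indicators listed on this page. The SHA-256 is not included: access logs
# never carry file hashes, so it cannot be matched here.
REPORT_IPS = frozenset({"38.14.255.23", "118.31.18.77"})

# CVE-2024-4577 (PHP-CGI on Windows): a query string without "=" reaches
# php-cgi.exe as command-line arguments. PHP's CGI SAPI refuses a literal
# leading "-", but a percent-encoded soft hyphen (%AD) passes that check and
# is best-fit mapped to "-" by Windows, so "%ADd+allow_url_include%3d1" is
# parsed as "-d allow_url_include=1". Matched on the raw, still-encoded line.
SOFT_HYPHEN_OPTION = re.compile(r"%ADd(?:\+|%20|$)", re.IGNORECASE)
# php.ini directives the public exploit chain sets to reach code execution.
PHP_INI_DIRECTIVES = ("allow_url_include", "auto_prepend_file", "cgi.force_redirect")

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; the two listed IPs are used only because the page lists them.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2025:03:14:07 +0900] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '38.14.255.23 - - [10/Jan/2025:03:14:09 +0900] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 143 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Jan/2025:03:15:00 +0900] "GET /test.php?%adD+cgi.force_redirect%3d0 HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '118.31.18.77 - - [10/Jan/2025:03:16:00 +0900] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format log line into fields; None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    entry["path"], entry["query"] = path, query
    return entry


def classify(entry: dict) -> list:
    """Return the list of tags that apply to a parsed log entry (empty if clean)."""
    tags = []
    if entry["ip"] in REPORT_IPS:
        tags.append("report-indicator-ip")
    query = entry["query"]
    if SOFT_HYPHEN_OPTION.search(query):
        tags.append("cve-2024-4577-pattern")
        # Seeing the exploit's directives alongside %ADd is the strongest signal.
        if any(directive in query.lower() for directive in PHP_INI_DIRECTIVES):
            tags.append("php-ini-directive-injection")
    return tags


def scan(lines) -> list:
    """Scan log lines and return (client_ip, path, tags) for every line that was tagged."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; a real deployment would count these
        tags = classify(entry)
        if tags:
            hits.append((entry["ip"], entry["path"], tags))
    return hits


if __name__ == "__main__":
    for ip, path, tags in scan(SAMPLE_LOG):
        print(f"{ip:15} {path:25} {', '.join(tags)}")
```

The match is deliberately done on the still-encoded request line: if your server writes decoded paths to its logs, the soft hyphen will appear as a raw 0xAD byte (or U+00AD) rather than "%AD" and the pattern needs adjusting. A hit on the indicator IPs alone says only that a listed address contacted the server; the exploit pattern is what shows an actual CVE-2024-4577 attempt.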

Date

  • Created: March 6, 2025, 7:25 p.m.
  • Published: March 6, 2025, 7:25 p.m.
  • Modified: March 6, 2025, 10:52 p.m.

Indicators

  • 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
  • 38.14.255.23
  • 118.31.18.77

Attack Patterns

  • Cobalt Strike - S0154 (ATT&CK software entry)
  • T1003.001 - OS Credential Dumping: LSASS Memory
  • T1070.001 - Indicator Removal: Clear Windows Event Logs
  • T1570 - Lateral Tool Transfer
  • T1543 - Create or Modify System Process
  • T1033 - System Owner/User Discovery
  • T1053 - Scheduled Task/Job
  • T1112 - Modify Registry
  • T1041 - Exfiltration Over C2 Channel
  • T1068 - Exploitation for Privilege Escalation
  • T1003 - OS Credential Dumping

Additional Information

  • Technology
  • Entertainment
  • Education
  • Telecommunications
  • Japan

Linked vulnerabilities