The APT41 Chinese group has launched a spate of attacks against multiple organizations across various sectors over the past year, and its latest uncovered victim is a Taiwanese government-affiliated research institute, according to new research from Cisco Talos.
The targeted research institute in Taiwan, which was not named in Talos’ Thursday analysis, specializes in computing, and researchers said that “the nature of research and development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them.”
“The activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals,” said Joey Chen, Ashley Shen and Vitor Ventura with Cisco Talos in the Thursday post. “Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation.”
APT41 is known for both state-sponsored espionage activity and financially motivated cybercriminal attacks, making it a somewhat unique group in the broader China-based threat landscape. Researchers with Mandiant recently uncovered a widespread and sustained campaign by the group targeting 10 organizations across the shipping and logistics, media, technology and automotive sectors that were located in Italy, Spain, Taiwan, Thailand, Turkey and the United Kingdom. The slew of attacks is notable because APT41 was able to maintain prolonged access to these organizations since 2023, giving them the ability to steal sensitive data over an extended time.
This latest attack disclosed by Talos researchers also involved prolonged access, and started as early as July 2023. The threat group likely used tools like Cobalt Strike as well as ShadowPad, a modular RAT that is a successor to the PlugX malware and has been leveraged by other Chinese threat groups like Mustang Panda.
“Although there is no new backdoor or hacking tools in this attack, we did find some interesting malware loaders,” said Chen, Shen and Ventura. “The threat actor leverages two major backdoors into their infection chains in this campaign, including both ShadowPad and Cobalt Strike malware. Those two major backdoors were installed via webshell, reverse shell and RDP by the attacker themselves.”
The attackers also leveraged two other tools in their attacks, including malware called Unmarshal.exe, which targeted a remote code execution flaw (CVE-2018-0824) in Microsoft COM for Windows in order to achieve privilege escalation. The threat group also used Mimikatz to harvest hashes and WebBrowserPassView to scoop up web browser credentials.
“Besides running commands to discover the network, we also observed the ShadowPad sample perform lightweight network scanning to collect the hosts in the network,” said researchers. “To exfiltrate a large number of files from multiple compromised machines, we observed threat actors using 7zip to compress and encrypt the files into an archive and later using backdoors to send the archive to the control and command server.”
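A defender-side rule for the archive-staging step the researchers describe above: it flags process-creation events where 7-Zip's command grammar is used to build a password-protected archive, including when the binary has been renamed. This is an added illustration, not code from the Talos report or from Cisco Talos; the event fields and sample command lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation events (not real telemetry from the report).
SAMPLE_EVENTS = [
    {"host": "ws-07",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" a -t7z -pS3cret! -mhe=on C:\Users\Public\rd.7z D:\projects\*.docx'},
    {"host": "ws-07",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\alice\Downloads\tool.7z'},
    {"host": "srv-02",
     "cmdline": r'C:\Windows\Temp\svc.exe a -r -pPass123 C:\Windows\Temp\out.7z C:\Shares\Finance'},
    {"host": "ws-11", "cmdline": r'notepad.exe notes.txt'},
]

# Stock 7-Zip binary names; anything else using 7-Zip's argument grammar
# is treated as a renamed copy, which is worth a closer look on its own.
SEVEN_ZIP_NAMES = {"7z.exe", "7za.exe", "7zr.exe", "7zg.exe"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

@dataclass
class Finding:
    host: str
    archive: str            # output archive path taken from the command line
    header_encrypted: bool  # -mhe hides file names as well as contents
    renamed_binary: bool    # 7-Zip syntax from a non-standard image name

def parse_7zip_archive(host: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding if cmdline creates or updates ('a'/'u' command)
    an archive with a -p password switch; otherwise return None."""
    tokens = TOKEN_RE.findall(cmdline)
    if len(tokens) < 2 or tokens[1].lower() not in ("a", "u"):
        return None
    switches = [t for t in tokens[2:] if t.startswith("-")]
    positional = [t for t in tokens[2:] if not t.startswith("-")]
    if not any(s.startswith("-p") for s in switches):
        return None  # unencrypted archives are out of scope for this rule
    image = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return Finding(
        host=host,
        archive=positional[0].strip('"') if positional else "",
        header_encrypted=any(s.lower() in ("-mhe", "-mhe=on") for s in switches),
        renamed_binary=image not in SEVEN_ZIP_NAMES,
    )

def scan(events) -> List[Finding]:
    """Run the rule over a batch of events and keep only the matches."""
    findings = [parse_7zip_archive(e["host"], e["cmdline"]) for e in events]
    return [f for f in findings if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Legitimate backup jobs also produce password-protected archives, so in practice the rule is scoped by user, host group or output path before it is alerted on.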
APT41 has been notable over the years for various other attacks. In 2022, the group targeted several U.S. state government networks by exploiting the Log4j flaw, for instance. And in 2020, APT41 hit several companies in the banking, defense, technology, and other sectors in at least 20 countries. The group is also known for launching software supply-chain attacks and using compromised digital certificates.