Full Report
Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.
Analysis Summary
# Threat Actor: UAT-7237
## Attribution & Identity
* **Identification:** Chinese-speaking Advanced Persistent Threat (APT) group, active since at least 2022.
* **Associations:** Assessed with high confidence to be a likely subgroup of threat actor UAT-5918, operating under the same umbrella. Both groups use the Chinese language for development.
* **Aliases/Groups:** UAT-7237 (Distinct from UAT-5918 due to deviations in TTPs).
## Activity Summary
UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan. The primary objective is to establish long-term persistence in high-value victim environments, particularly focusing on gaining access to VPN and cloud infrastructure. Activities observed post-compromise include reconnaissance, credential extraction, deploying bespoke malware, setting up backdoored access via VPN clients, network scanning, and proliferation. Initial access is gained by exploiting known vulnerabilities on unpatched, internet-exposed servers.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting known vulnerabilities on unpatched, internet-exposed servers.
- **Persistence Mechanisms:** Deviates from UAT-5918 by primarily relying on the SoftEther VPN client and direct Remote Desktop Protocol (RDP) access for backdoor persistence, rather than exclusively using web shells.
- **Implant/Backdoor:** Heavy reliance on Cobalt Strike as the staple backdoor implant (Unlike UAT-5918 which favors Meterpreter).
- **Custom Tooling:** Utilizes a customized Shellcode loader tracked as **SoundBill**, capable of decoding and loading arbitrary shellcode, including Cobalt Strike.
- **Reconnaissance & Fingerprinting:** Rapid evaluation of targets using basic Windows commands (`nslookup`, `systeminfo`, `ipconfig /all`) and network scanning (`ping`, checking remote hosts via `net use`).
- **Lateral Movement/Enumeration (LOLBins & Tools):** Extensive use of Living-Off-The-Land Binaries (LOLBins) and specialized open-source tools for reconnaissance and proliferation:
  - Native `cmd.exe` commands for checking network status and group memberships (e.g. `net group "domain admins" /domain`).
  - **SharpWMI** and **WMICmd** for remote command/code execution via WMI across the enterprise.
- **Post-Compromise Actions:** Credential extraction (Mimikatz is referenced via a tool file in the IOCs), deployment of bespoke malware, and network scanning.
- **MITRE ATT&CK IDs:** Not explicitly provided in the text; the TTPs above map to Initial Access (T1190 Exploit Public-Facing Application), Execution (T1059 Command and Scripting Interpreter; T1047 Windows Management Instrumentation for SharpWMI/WMICmd), Discovery (T1082 System Information Discovery, T1016 System Network Configuration Discovery, T1049 System Network Connections Discovery, T1069.002 Domain Groups), Credential Access (T1003 OS Credential Dumping), Lateral Movement (T1021.001 Remote Desktop Protocol) and Command and Control (T1572 Protocol Tunneling / T1090.003 Multi-hop Proxy for the SoftEther VPN tunnel, T1105 Ingress Tool Transfer for the payload downloads). Note that T1572 and T1090.003 are C2 techniques, not Persistence techniques; the persistence itself is the backdoored VPN/RDP access path.
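The reconnaissance and lateral-movement tradecraft listed above is all visible in endpoint process-creation telemetry, so it is worth showing what a hunt over that telemetry looks like. The block below is an added example written for this page, not Talos code and not a tool from the report: it takes Sysmon EventID 1 / Security 4688 style records (the records here are constructed) and raises three findings, a burst of the fingerprinting commands named in the report on one host, processes spawned by `WmiPrvSE.exe` (where commands run remotely through WMI with SharpWMI or WMICmd land on the target), and SoftEther VPN client binaries starting on a server. The SoftEther binary-name prefixes, the ten-minute window and the three-command threshold are assumptions to tune for your estate; the same logic is what the Mitigations section's WMI and SoftEther monitoring recommendation amounts to in practice.

```python
"""Hunt for UAT-7237-style discovery, WMI remote execution and SoftEther use
in process-creation events. Added example; sample events are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EventID 1 / Security 4688 fields)."""
    host: str
    ts: datetime
    image: str
    parent_image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def discovery_category(ev: ProcEvent) -> str | None:
    """Map an event to one of the fingerprinting commands named in the report."""
    name = basename(ev.image)
    cl = " ".join(ev.cmdline.lower().split())  # normalise whitespace
    if name in ("nslookup.exe", "systeminfo.exe", "ping.exe"):
        return name[:-4]
    if name == "ipconfig.exe" and "/all" in cl:
        return "ipconfig /all"
    if name in ("net.exe", "net1.exe"):  # net.exe hands off to net1.exe
        if re.search(r'group "?domain admins"? /domain', cl):
            return "net group domain admins"
        if re.search(r"\buse\b", cl):
            return "net use"
    return None


WINDOW = timedelta(minutes=10)   # assumption: tune to your environment
MIN_DISTINCT = 3                 # assumption: distinct discovery commands per window
# Assumption: standard SoftEther package binary names (vpnclient*, vpncmd*, ...).
SOFTETHER_PREFIXES = ("vpnclient", "vpncmd", "vpnbridge", "vpnserver")
# Known-benign children of WmiPrvSE.exe (SCCM, monitoring agents) go here.
WMI_CHILD_ALLOWLIST: frozenset[str] = frozenset()


def hunt(events: list[ProcEvent]) -> list[dict]:
    findings: list[dict] = []
    per_host: dict[str, list[tuple[datetime, str]]] = defaultdict(list)

    for ev in events:
        child, parent = basename(ev.image), basename(ev.parent_image)

        # Remote execution via WMI shows up as a child of WmiPrvSE.exe on the target.
        if parent == "wmiprvse.exe" and child not in WMI_CHILD_ALLOWLIST:
            findings.append({"host": ev.host, "rule": "wmi_spawned_process",
                             "detail": f"{child} <- WmiPrvSE.exe: {ev.cmdline}"})

        # A SoftEther client on a web/app server is the backdoored-VPN persistence path.
        if child.startswith(SOFTETHER_PREFIXES):
            findings.append({"host": ev.host, "rule": "softether_client",
                             "detail": f"{ev.image} (parent {parent})"})

        cat = discovery_category(ev)
        if cat:
            per_host[ev.host].append((ev.ts, cat))

    # Discovery burst: >= MIN_DISTINCT distinct fingerprinting commands within WINDOW.
    for host, seq in per_host.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            cats = {c for t, c in seq[i:] if t - start <= WINDOW}
            if len(cats) >= MIN_DISTINCT:
                findings.append({"host": host, "rule": "discovery_burst",
                                 "detail": ", ".join(sorted(cats))})
                break  # one alert per host is enough for triage

    return sorted(findings, key=lambda f: (f["host"], f["rule"]))


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2025-01-01T{hhmm}:00")


# Constructed telemetry: WEB01 is worked over via WMI, then gets a VPN client;
# FILE02 shows a single helpdesk ipconfig and must not alert.
SAMPLE_EVENTS = [
    ProcEvent("WEB01", _t("10:00"), r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd.exe /c systeminfo"),
    ProcEvent("WEB01", _t("10:00"), r"C:\Windows\System32\systeminfo.exe",
              r"C:\Windows\System32\cmd.exe", "systeminfo"),
    ProcEvent("WEB01", _t("10:01"), r"C:\Windows\System32\ipconfig.exe",
              r"C:\Windows\System32\cmd.exe", "ipconfig  /all"),
    ProcEvent("WEB01", _t("10:02"), r"C:\Windows\System32\net1.exe",
              r"C:\Windows\System32\net.exe", 'net1 group "domain admins" /domain'),
    ProcEvent("WEB01", _t("10:03"), r"C:\Windows\System32\nslookup.exe",
              r"C:\Windows\System32\cmd.exe", "nslookup dc01"),
    ProcEvent("WEB01", _t("10:30"), r"C:\Users\Public\SoftEther\vpnclient_x64.exe",
              r"C:\Windows\System32\cmd.exe", "vpnclient_x64.exe"),
    ProcEvent("FILE02", _t("11:00"), r"C:\Windows\System32\ipconfig.exe",
              r"C:\Windows\System32\cmd.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:8} {f['rule']:22} {f['detail']}")
```

Run against the constructed events this produces exactly three findings, all on WEB01, and nothing for FILE02: a single `ipconfig /all` is normal admin activity, and the point of the window-and-threshold rule is that the report's actor runs the whole fingerprinting set within minutes of landing. In production the `WmiPrvSE.exe` rule needs the allowlist populated from a baseline, and the SoftEther rule is best scoped to server OUs where no VPN client is expected.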
## Targeting
- **Sectors:** Web infrastructure entities (specifically noted: a web hosting provider).
- **Geography:** Taiwan.
- **Victims:** A Taiwanese web hosting provider (specific compromise identified).
## Tools & Infrastructure
- **Malware Families/Loaders:**
  - Cobalt Strike (staple backdoor implant)
  - SoundBill (custom shellcode loader)
  - Mimikatz (referenced via a tool file in the IOCs)
- **Infrastructure (C2/Downloads):**
  - IP address: `141[.]164[.]50[.]141` (confirmed attacker-controlled server used to download payloads such as Cobalt Strike or VPN components).
  - AWS Lambda URL (observed in IOCs, likely C2/service interaction): `cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1[.]on[.]aws`
- **Staged Tools/Downloads:** SoftEther VPN client, customized downloaders (`WM7Lite\download[.]exe`).
## Implications
UAT-7237 presents a persistent, targeted threat, likely operating under the broader umbrella of UAT-5918, focusing specifically on critical web infrastructure in Taiwan. Their adaptation away from Meterpreter/heavy web shell use towards RDP and VPN persistence (SoftEther) suggests an attempt to blend in with legitimate administrative access methods, potentially using customized tooling (SoundBill) to bypass standard security defenses that monitor common APT backdoors. Their focus on VPN and cloud infrastructure suggests data exfiltration or further operational disruption as key end goals.
## Mitigations
- Implement robust multi-factor authentication (**Cisco Duo** mentioned as a generic recommendation).
- Ensure timely patching of internet-exposed servers to prevent initial access via known vulnerabilities.
- Monitor for anomalous use of legitimate administrative tools, specifically WMI-based activity (SharpWMI/WMICmd) and unauthorized SoftEther VPN client installation or configuration changes.
- Restrict RDP access and monitor remote access paths, especially those potentially established through VPN clients.
- Utilize network security solutions (**Cisco Umbrella**, **Cisco Secure Web Appliance**, **Firewall Management Center**) to block connections to known malicious infrastructure.
- Deploy network intrusion detection rules targeting the malware hashes and observed patterns (Snort rules 64908 - 64916 / 301209 - 301212).
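The network indicators in the Tools & Infrastructure section above and the blocking recommendation in this Mitigations section both come down to the same operational step: refang the defanged indicators and match them against DNS and proxy logs. The block below is an added example for this page, not Talos code; the two indicators are copied from the IOC list above, the log lines are constructed, and the plain-`http` scheme in the sample proxy line is an assumption (the report does not give one). Hostname matching is exact-or-subdomain on the listed host only, so other Lambda function URLs under `lambda-url.ap-northeast-1.on.aws` do not match.

```python
"""Refang the page's defanged indicators and scan DNS/proxy log lines for them.
Added example; indicators are from the IOC list above, log lines are constructed."""
from __future__ import annotations

import ipaddress
import re

DEFANGED_IOCS = [
    "141[.]164[.]50[.]141",
    "cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1[.]on[.]aws",
]


def refang(ioc: str) -> str:
    """Undo common defanging: [.] / (.) -> ., [:] -> :, hxxp(s) -> http(s)."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.I)
    return s.lower()


def split_iocs(iocs: list[str]) -> tuple[set[str], set[str]]:
    """Separate refanged indicators into exact IPs and hostnames."""
    ips: set[str] = set()
    domains: set[str] = set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.rstrip("."))
    return ips, domains


IOC_IPS, IOC_DOMAINS = split_iocs(DEFANGED_IOCS)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def domain_matches(name: str, bad: set[str]) -> str | None:
    """Return the matching indicator if name equals or is a subdomain of one."""
    parts = name.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in bad:
            return candidate
    return None


def scan_line(line: str) -> list[str]:
    """All indicators referenced by one log line (IPs exact, hosts by suffix)."""
    hits: list[str] = []
    for ip in IPV4.findall(line):
        if ip in IOC_IPS and ip not in hits:
            hits.append(ip)
    for host in HOST.findall(line):
        m = domain_matches(host, IOC_DOMAINS)
        if m and m not in hits:
            hits.append(m)
    return hits


def scan_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """(index, line, indicators) for every line that touches known infrastructure."""
    return [(i, ln, hits) for i, ln in enumerate(lines) if (hits := scan_line(ln))]


# Constructed DNS/proxy lines: WEB01 resolves the Lambda host and fetches the
# downloader from the staging IP; FILE02 is clean, including a different Lambda URL.
SAMPLE_LOG = [
    "2025-01-01T10:31:02Z WEB01 dns A cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1.on.aws",
    "2025-01-01T10:31:03Z WEB01 proxy GET http://141.164.50.141/WM7Lite/download.exe 200",
    "2025-01-01T10:32:00Z FILE02 dns A updates.example.com",
    "2025-01-01T10:32:05Z FILE02 proxy GET https://other.lambda-url.ap-northeast-1.on.aws/ 200",
]

if __name__ == "__main__":
    for idx, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {hits}  <-  {line}")
```

The refanged values are what actually goes into a DNS sinkhole, proxy blocklist or firewall object; pasting bracketed indicators into those tools silently matches nothing, which is the most common way an IOC feed fails to protect anyone. Keep the Lambda hostname as a full-host match rather than blocking the parent `on.aws` zone, since legitimate services also live there.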