Taiwan Web Servers Hacked by UAT-7237 with Custom Open-Source Tools


Cyber Threats: Inside UAT-7237’s Targeted Campaign in Taiwan

Overview of the Threat Landscape

A sophisticated cyber threat actor, identified as UAT-7237, has been actively targeting web infrastructure entities in Taiwan. This Chinese-speaking advanced persistent threat (APT) group is known for utilizing customized open-source tools to maintain long-term access to high-value environments. Cisco Talos, the cybersecurity intelligence company, attributes these attacks to an ongoing campaign that has reportedly been active since at least 2022.

Understanding UAT-7237

Cisco Talos categorizes UAT-7237 as a subgroup of another hacking entity, UAT-5918, which has been involved in compromising critical infrastructure in Taiwan since 2023. Their recent intrusions have demonstrated a continued reliance on modified open-source tools, which are tailored to elude detection while conducting illicit operations within compromised networks.

Key Tactics and Tools

Central to UAT-7237’s strategy is a custom shellcode loader named SoundBill. This tool is designed to decode and execute secondary payloads such as Cobalt Strike, a commercial adversary-simulation framework used by penetration testers and attackers alike. While UAT-7237 shares some operational similarities with UAT-5918, it distinguishes itself through its choice of tools and techniques.

Distinctive Techniques

One noted deviation in UAT-7237’s approach is its selective deployment of web shells after the initial compromise. The group relies on remote desktop protocol (RDP) access and SoftEther VPN clients to maintain persistent access to its targets. This lets it avoid dropping web shells immediately after compromise, which is the typical pattern for many other hacking groups.

The Attack Sequence

The attack sequences initiated by UAT-7237 often begin with the exploitation of known vulnerabilities in unpatched web servers exposed to the internet. The first step involves conducting reconnaissance to assess whether a potential target is of interest for further exploitation.

While other factions, like UAT-5918, typically rush to deploy web shells for backdoor access, UAT-7237 opts for a more measured approach. They leverage the SoftEther VPN client, akin to strategies used by the Flax Typhoon group, to sustain access, followed by RDP connections into the affected systems.

Expanding the Threat

Once inside the system, UAT-7237 rapidly pivots to other devices within the network to extend its foothold and carry out further malicious tasks. This includes deploying SoundBill to launch Cobalt Strike, along with additional tools such as JuicyPotato for privilege escalation. Mimikatz, another widely used tool, is used to extract credentials.

In a notable evolution, newer iterations of SoundBill have incorporated Mimikatz directly, enhancing its capabilities for credential harvesting.

Active Reconnaissance and Network Manipulation

UAT-7237 also uses FScan to scan for open ports across IP subnets, which helps it identify additional targets within the network. In some intrusions the group attempted to modify the Windows Registry to disable User Account Control (UAC) and enable cleartext password storage, further indicating its intent to fully compromise the targeted environments.
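Internal port scanning of the kind described above leaves a recognisable footprint in host firewall logs: one source touching many destination hosts on a handful of ports within a short window. The following PowerShell is an added example, not code from the article or from Cisco Talos, that runs a simple horizontal-scan heuristic over Windows Firewall (pfirewall.log) style lines. The log lines are constructed for the example, and the thresholds (8 distinct hosts within 60 seconds) are assumptions to be tuned per environment.

```powershell
# Constructed sample in pfirewall.log field order:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
$sampleLog = @'
2024-05-01 09:00:01 DROP TCP 10.10.1.50 10.10.1.1 49152 22 52 S 1 0 8192 - - - RECEIVE
2024-05-01 09:00:01 DROP TCP 10.10.1.50 10.10.1.1 49153 445 52 S 1 0 8192 - - - RECEIVE
2024-05-01 09:00:01 DROP TCP 10.10.1.50 10.10.1.2 49154 22 52 S 1 0 8192 - - - RECEIVE
2024-05-01 09:00:02 DROP TCP 10.10.1.50 10.10.1.3 49155 22 52 S 1 0 8192 - - - RECEIVE
2024-05-01 09:00:02 DROP TCP 10.10.1.50 10.10.1.4 49156 3389 52 S 1 0 8192 - - - RECEIVE
2024-05-01 09:00:02 DROP TCP 10.10.1.50 10.10.1.5 49157 22 52 S 1 0 8192 - - - RECEIVE
2024-05-01 09:00:03 DROP TCP 10.10.1.50 10.10.1.6 49158 445 52 S 1 0 8192 - - - RECEIVE
2024-05-01 09:00:03 DROP TCP 10.10.1.50 10.10.1.7 49159 22 52 S 1 0 8192 - - - RECEIVE
2024-05-01 09:00:03 DROP TCP 10.10.1.50 10.10.1.8 49160 3389 52 S 1 0 8192 - - - RECEIVE
2024-05-01 09:00:04 DROP TCP 10.10.1.50 10.10.1.9 49161 22 52 S 1 0 8192 - - - RECEIVE
2024-05-01 09:00:04 ALLOW TCP 10.10.1.77 10.10.1.200 50000 443 52 S 1 0 8192 - - - RECEIVE
2024-05-01 09:00:05 DROP ICMP 10.10.1.77 10.10.1.201 - - 60 - - - - 8 0 - RECEIVE
'@

function Find-HorizontalScans {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$MinHosts      = 8,   # distinct destination hosts from one source (assumed threshold)
        [int]$WindowSeconds = 60   # all of that source's events must fall inside this span
    )

    # Parse each line into a small record; skip comments, short lines and non-TCP/UDP ports.
    $events = foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 8 -or $f[0].StartsWith('#') -or $f[7] -eq '-') { continue }
        [pscustomobject]@{
            Time    = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Action  = $f[2]
            Src     = $f[4]
            Dst     = $f[5]
            DstPort = [int]$f[7]
        }
    }

    # One candidate per source address: count distinct destinations and the time they were hit in.
    $events | Group-Object Src | ForEach-Object {
        $g     = @($_.Group | Sort-Object Time)
        $span  = ($g[-1].Time - $g[0].Time).TotalSeconds
        $hosts = @($g.Dst | Sort-Object -Unique).Count
        $ports = @($g.DstPort | Sort-Object -Unique)
        if ($hosts -ge $MinHosts -and $span -le $WindowSeconds) {
            [pscustomobject]@{
                Source        = $_.Name
                DistinctHosts = $hosts
                Ports         = ($ports -join ',')
                Seconds       = [int]$span
                Events        = $g.Count
            }
        }
    }
}

# Expected: one finding for 10.10.1.50 (9 hosts, ports 22,445,3389); 10.10.1.77 is not reported.
Find-HorizontalScans -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

To run it against a real host, replace the constructed `$sampleLog` with `Get-Content $env:windir\System32\LogFiles\Firewall\pfirewall.log` (firewall logging must be enabled for that file to exist). Dropped and allowed connections are deliberately both counted: a scanner probing hosts that do answer will show up as ALLOW entries, and a host-count heuristic catches it either way.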

The group’s choice of Simplified Chinese as the SoftEther VPN language setting points to the operators’ linguistic background and reinforces the likelihood that this is a state-aligned group.
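The registry tampering described earlier in this section is quick to verify on a host. The PowerShell below is an added defender-side check, not code from the article or from Cisco Talos. The article does not name the registry values involved; the two used here are the standard Windows settings for the behaviours it describes (EnableLUA controls UAC, and UseLogonCredential under the WDigest provider controls whether cleartext credentials are kept in LSASS memory), which is an assumption about what the operators changed.

```powershell
# Added example: report whether UAC has been disabled or WDigest cleartext caching enabled.
# The value names are the standard Windows settings for these behaviours (assumed to be the ones
# the article refers to). Run from an elevated PowerShell session on the host under review.

function Test-UacAndWDigestHardening {
    [CmdletBinding()]
    param()

    $checks = @(
        [pscustomobject]@{
            Name     = 'UAC enabled (EnableLUA)'
            Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            Value    = 'EnableLUA'
            Expected = 1            # 0 means UAC has been switched off
        },
        [pscustomobject]@{
            Name     = 'WDigest cleartext caching (UseLogonCredential)'
            Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
            Value    = 'UseLogonCredential'
            Expected = 0            # 1 makes LSASS keep cleartext credentials for Mimikatz-style dumping
        }
    )

    foreach ($c in $checks) {
        # -ErrorAction SilentlyContinue: an absent value is not an error, it means the default applies.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Both values default to the hardened state when not set on supported Windows versions.
            $actual = '<not set>'
            $status = 'Hardened (default)'
        } else {
            $actual = $item.($c.Value)
            $status = if ($actual -eq $c.Expected) { 'Hardened' } else { 'TAMPERED' }
        }
        [pscustomobject]@{
            Check    = $c.Name
            Path     = $c.Path
            Actual   = $actual
            Expected = $c.Expected
            Status   = $status
        }
    }
}

Test-UacAndWDigestHardening | Format-Table -AutoSize
```

A point-in-time check like this only tells you the current state; to catch the change as it happens, alert on Sysmon Event ID 13 (registry value set) for these two paths, since an adversary who has already dumped credentials may well restore the original values afterwards.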

Related Threats: The FireWood Backdoor

In a related matter, Intezer has uncovered a new variant of the FireWood backdoor associated with the Gelsemium threat actor, which also aligns with Chinese cyber interests. FireWood, first highlighted by ESET in 2024, utilizes a kernel driver rootkit module known as usbdev.ko for process concealment and executing commands from an attacker-controlled server.

While the core functionalities of FireWood remain consistent, changes in its implementation and configuration have been observed. However, there is uncertainty regarding whether the underlying kernel module has undergone updates, as researchers were unable to acquire it.

Final Thoughts

The evolving tactics of groups like UAT-7237 emphasize the need for organizations to bolster their cyber defenses. Understanding the methods utilized by such threat actors is crucial for mitigating risks and fortifying web infrastructure against increasingly sophisticated cyberattacks. Continued vigilance and timely patching of known vulnerabilities are essential strategies in safeguarding valuable assets in today’s digital landscape.
