Taiwanese Research Institute Targeted by Chinese APT41 with Cobalt Strike and ShadowPad

• The APT41 cybercriminal group reportedly targeted a Taiwanese government-affiliated research institute.
• The ShadowPad and Cobalt Strike compromise was likely orchestrated by Chinese threat actors.
• Among others, they used a Bitdefender executable for sideloading and exploited known Microsoft Office and Windows flaws.

A malicious campaign that compromised a government-affiliated research institute in Taiwan delivered malware like ShadowPad, Cobalt Strike, and other customized tools, Cisco Talos detailed in a recent report. The campaign targeting the computing and associated technologies institute is believed to have started in July 2023.

The combination of malware, open-source tools and projects, procedures, and post-compromise activity on the victim endpoint matches the usual tactics, techniques, and procedures (TTPs) of the APT41 hacking group.

The U.S. government believes APT41 is comprised of Chinese nationals, as it's based primarily on overlaps in TTPs, infrastructure, and malware families exclusive to Chinese APTs.

Some TTPs or IoCs seen in previously reported campaigns were also observed now, including the same second-stage loader binary, overlaps in infrastructure, and the employment of a Bitdefender executable for sideloading.

ShadowPad, a modular remote access trojan (RAT), exploited an outdated version of a Microsoft Office IME binary as a customized second-stage loader that launched the payload. Identical loading mechanisms, infection chains, and file names were seen, consistent with previous open-source reporting.

A custom loader was also used to inject a proof-of-concept (PoC) directly into memory to achieve local privilege escalation, utilizing the CVE-2018-0824 remote code execution (RCE) vulnerability in Microsoft COM for Windows, which relates to the failure of properly handling serialized objects.

The campaign used a command and control (C2) server previously reported by Symantec (103.56.114[.]69) in an April 2022 operation, with similar TTPs that included the same ShadowPad Bitdefender loader and similar tool file names and using Filezilla for moving files between endpoints and the WebPass tool for credential dumping. 

The malicious actor sideloads the DLL-based ShadowPad loader via an 11-year-old Bitdefender executable, a technique seen in a variety of reports that have been attributed to APT41 and relayed in multiple reports.