Jul 11, 2021

State-Sponsored Threat Actor: TAG-22

Executive Summary

On July 8, 2021, Insikt Group from Recorded Future published an intelligence report titled “Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tools”. Insikt Group observed the activity targeting telecommunications companies and industrial technology research institutes; the group likely used compromised GlassFish servers and Cobalt Strike for initial access and then deployed backdoors such as ShadowPad, the Spyder backdoor and Winnti. In this incident, assets of Nepal Telecom were used as command and control servers.

Background

Threat Activity Group 22 (TAG-22) is a temporary name given by Insikt Group to private contractors (threat actors) that have historically operated on behalf of China’s Ministry of State Security (MSS). The group’s activity is believed to overlap with activity clustered under the names Winnti (APT41) and Barium.

Adversary (TAG-22); Capabilities (Cobalt Strike, ShadowPad, Spyder and Winnti); Infrastructure (TTPs)

TTPs mapped to Mitre ATT&CK

Initial Access (TA0001)

Adversaries may use software, data, or commands to exploit a flaw in an Internet-facing computer or application in order to cause unintended or unexpected behavior. TAG-22 exploited GlassFish Server software versions 3.1.2 and lower, then leveraged the compromised infrastructure to execute onward intrusion activity, including scanning with the Acunetix scanner and deploying the Cobalt Strike offensive security tool.

In order to obtain access to victim systems, adversaries may send spear-phishing emails with a malicious attachment. TAG-22 has sent malicious macro-enabled documents that drop the Fishmaster loader. The group gave the Fishmaster Portable Executable (PE) files double extensions so that they look like Microsoft Office or PDF files for initial access.
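The double-extension trick described above is easy to catch at a mail gateway or on a file share once the check is written down. The following is an added example, not code from the report or from Recorded Future: it parses a few constructed mail-gateway log lines (the log format, the sender addresses and the attachment names are all invented for the example) and flags attachment names whose real, final extension is executable while an earlier segment of the name is an Office or PDF extension. It also normalises away the runs of spaces that are sometimes inserted to push the real extension out of view.

```python
import re
from typing import List

# Final extensions that actually execute on Windows (assumed list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "dll", "js", "vbs"}
# Decoy extensions that make a file look like an Office document or PDF.
DECOY_EXTS = {"doc", "docx", "docm", "xls", "xlsx", "xlsm", "ppt", "pptx", "pdf", "rtf"}

# Constructed mail-gateway log lines (not from the report): timestamp, sender, attachment name.
SAMPLE_GATEWAY_LOG = """\
2021-07-01T08:12:03Z sender=hr@example.invalid attachment="Q3 Budget.xlsx"
2021-07-01T08:14:41Z sender=notice@example.invalid attachment="Invoice_2021.pdf.exe"
2021-07-01T08:20:09Z sender=team@example.invalid attachment="Meeting notes.docx                .scr"
2021-07-01T08:25:55Z sender=it@example.invalid attachment="setup.exe"
2021-07-01T08:31:17Z sender=ops@example.invalid attachment="report.PDF.Exe"
"""

ATTACHMENT_RE = re.compile(r'attachment="([^"]*)"')


def is_double_extension_masquerade(filename: str) -> bool:
    """True when the file really ends in an executable extension but carries an
    earlier Office/PDF extension meant to mislead the user."""
    # Collapse whitespace so 'notes.docx        .scr' is handled like 'notes.docx.scr'.
    normalized = re.sub(r"\s+", "", filename).lower()
    parts = normalized.split(".")
    if len(parts) < 3:  # need base name + decoy extension + real extension
        return False
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTS:
        return False
    # Any earlier segment that is a document extension counts as a decoy.
    return any(seg in DECOY_EXTS for seg in parts[1:-1])


def flag_attachments(log_text: str) -> List[str]:
    """Return the attachment names in a gateway log that look like double-extension PE files."""
    flagged = []
    for line in log_text.splitlines():
        m = ATTACHMENT_RE.search(line)
        if m and is_double_extension_masquerade(m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for name in flag_attachments(SAMPLE_GATEWAY_LOG):
        print("suspicious attachment:", name)
```

The check deliberately looks at the last extension only for the "is it executable" decision, so a plain setup.exe is not flagged (that is a policy question for the gateway, not a masquerade), while a .pdf or .docx anywhere before a final .exe or .scr is.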

Execution (TA0002)

Adversaries may attempt to execute PowerShell commands and scripts. With PowerShell, Cobalt Strike can run a payload on a remote host. APT41 has also used PowerShell to deliver malware into victim environments.

Adversaries may use the Windows command shell to carry out their attacks. TAG-22 uses Cobalt Strike, which interacts with systems via a command-line interface. Cmd.exe was also used by the overlapping group APT41 to run commands on remote machines.

Adversaries may make use of Windows Management Instrumentation (WMI) to carry out their plans. The overlapping group APT41 uses WMI in a variety of ways, including command execution via WMIEXEC and persistence via PowerSploit. WMI can also be used by Cobalt Strike to deliver a payload to a remote host.

Persistence (TA0003)

Adversaries may employ BITS jobs to execute or clean up after malicious payloads on a regular basis. BITSAdmin was used by APT41 to download and install payloads, and Cobalt Strike can use BITSAdmin to download a hosted “beacon” payload.

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. APT41 inserts Trojan backdoors into genuine Windows services. Cobalt Strike has the ability to set up a new service for persistence. For persistence, the Winnti backdoor registers its DLL file as a new service in the Registry.

Adversaries can leverage the search order used to load DLLs to run their own malicious payloads. To accomplish DLL side-loading of their malware, APT41 used legitimate executables. ShadowPad’s launcher is loaded via DLL side-loading from a legitimate executable.

Privilege Escalation (TA0004)

Adversaries may inject code into processes to bypass process-based defenses and potentially elevate privileges. Cobalt Strike can inject a variety of payloads into processes that the adversary chooses dynamically. ShadowPad is injected into a wmplayer.exe process.

Defense Evasion (TA0005)

Adversaries may use obfuscated files or information to conceal intrusion artifacts from detection. Cobalt Strike can deobfuscate shellcode using a rolling XOR. The ShadowPad launcher likewise uses XOR together with a custom algorithm to decrypt its payload.

If adversaries believe their malicious program has been detected, quarantined, or otherwise restricted, they may remove indicators from it. The “beacon” payload in Cobalt Strike can be modified to remove recognized signatures or unpacking methods. Also, to prevent disassembly, ShadowPad shellcode is XOR-encoded and uses false conditional jumps.

Hidden windows can be used by adversaries to conceal malicious activity from users’ view. Windows that would normally be displayed when an application performs an operation can be hidden in specific instances. ShadowPad is injected into a wmplayer.exe process that runs in a hidden window.

Discovery (TA0007)

Adversaries may try to obtain a list of active application windows. The keylogging module in ShadowPad displays a list of all open applications.

Adversaries may enumerate files and directories or look for specific information within a file system in specified locations on a host or network share. The Recent Files module in ShadowPad displays a list of files that have been accessed recently.

Adversaries may look for details about the network configuration and settings of the systems they access, or obtain them through remote system information discovery. Cobalt Strike can determine the IP addresses of domain controllers.

By querying for information via the network, adversaries may attempt to obtain a list of network connections to or from the compromised system they are currently accessing, as well as from remote systems. From compromised hosts, Cobalt Strike can generate a session report.

Collection (TA0009)

Users’ keystrokes may be recorded by adversaries in order to steal credentials as they are typed. ShadowPad has a keylogging module.

Adversaries may attempt to acquire screen captures of the desktop in order to gather information. A screenshot module is included in ShadowPad.

Command and Control (TA0011)

Adversaries may communicate using application layer protocols to avoid detection and network filtering by blending in with existing traffic. TAG-22 has used HTTP and HTTPS for C&C communications.

Adversaries may communicate using a protocol and port combination that are not normally associated with each other. TAG-22 uses TCP port 56006 for C&C communications.

TAG-22 also uses its existing command and control channel to exfiltrate data.
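The two observations above (HTTP/HTTPS C2 to known infrastructure, and a non-standard TCP port 56006) translate directly into a network detection. The following is an added example, not code from the report or from Recorded Future. It refangs a subset of the domains and IP addresses published in the IOC list further down this page, then runs constructed proxy/firewall log lines (the key=value format, the internal source addresses and the non-IOC destinations are invented for the example) through three checks: destination host equal to, or a subdomain of, an IOC domain; destination IP in the IOC set; and a TCP connection to port 56006 regardless of destination.

```python
import ipaddress
import re
from typing import Dict, List

# IOCs taken from the report's list below (defanged as published); only a subset is used here.
DEFANGED_DOMAINS = [
    "livehost[.]live", "hostingupdate[.]club", "lmgur[.]me",
    "symantecupd[.]com", "windowshostnamehost[.]club", "google-images[.]ml",
]
DEFANGED_IPS = ["139.180.141[.]227", "45.77.107[.]26", "207.148.99[.]56"]
# Non-standard C2 port reported for TAG-22.
SUSPICIOUS_PORTS = {56006}


def refang(indicator: str) -> str:
    """Turn the report's defanged notation back into a usable indicator."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Constructed proxy/firewall log lines (not from the report); key=value format is assumed.
SAMPLE_LOG = """\
ts=2021-06-20T10:01:02Z src=10.0.0.15 dst=93.184.216.34 dport=443 proto=tcp host=example.com
ts=2021-06-20T10:01:09Z src=10.0.0.15 dst=139.180.141.227 dport=443 proto=tcp host=vt.livehost.live
ts=2021-06-20T10:03:44Z src=10.0.0.22 dst=198.51.100.7 dport=56006 proto=tcp host=-
ts=2021-06-20T10:05:10Z src=10.0.0.31 dst=203.0.113.9 dport=80 proto=tcp host=download.google-images.ml
ts=2021-06-20T10:06:51Z src=10.0.0.40 dst=45.77.107.26 dport=8080 proto=tcp host=-
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def domain_matches(host: str, ioc_domains) -> bool:
    """Match the IOC domain itself or any subdomain (sc.livehost.live under livehost.live)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def match_line(fields: Dict[str, str]) -> List[str]:
    """Return the list of reasons a parsed log line is suspicious (empty if none)."""
    reasons = []
    host = fields.get("host", "-")
    if host != "-" and domain_matches(host, IOC_DOMAINS):
        reasons.append(f"ioc-domain:{host}")
    try:
        if ipaddress.ip_address(fields.get("dst", "")) in IOC_IPS:
            reasons.append(f"ioc-ip:{fields['dst']}")
    except ValueError:
        pass  # missing or malformed destination address
    if fields.get("proto") == "tcp" and int(fields.get("dport", 0)) in SUSPICIOUS_PORTS:
        reasons.append(f"nonstandard-port:{fields['dport']}")
    return reasons


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Run every line through match_line and collect the hits as alert records."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        reasons = match_line(fields)
        if reasons:
            alerts.append({"ts": fields.get("ts"), "src": fields.get("src"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["src"], ", ".join(alert["reasons"]))
```

The subdomain match matters because the report lists many hosts under livehost[.]live and windowshostnamehost[.]club; matching on the registered domain catches names that were not in the list at publication time. The port check is intentionally independent of the IOC sets, since a non-standard port on otherwise unknown infrastructure is the weaker but longer-lived signal.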

Victim

TAG-22 intrusions targeting the following organizations in Taiwan, Nepal, and the Philippines were discovered in June 2021 using Recorded Future Network Traffic Analysis (NTA) data:

Department of Information and Communications Technology (The Philippines)

The Industrial Technology Research Institute (ITRI) in Taiwan

Nepal Telecom

By combining Recorded Future C2 detections with passive DNS data, the TAG-22 C2 domain vt.livehost[.]live was found to be associated with the ShadowPad and Spyder backdoors. This allowed researchers to pivot to the TAG-22 IP address 139.180.141[.]227, which the group uses for both ShadowPad and Spyder command and control.

Source: Recorded Future

The summary graph is shown in the figure below.

Recommendation

Indicator of Compromise (IOC)

livehost[.]live

coivo2xo.livehost[.]live

coivotek.livehost[.]live

dntc.livehost[.]live

dsyu.livehost[.]live

m2.livehost[.]live

sc.livehost[.]live

sci.livehost[.]live

www.livehost[.]live

vt.livehost[.]live

wctu.livehost[.]live

wntc.livehost[.]live

wvt.livehost[.]live

dns.livehost[.]live

hostingupdate[.]club

mrgt.hostingupdate[.]club

snoc.hostingupdate[.]club

lmgur[.]me

ntuml.lmgur[.]me

micsoftin[.]us

nfdkjbfwjakd[.]ml

symantecupd[.]com

wikimedia[.]vip

jquery-code[.]ml

kases.lmgur[.]me

google-images[.]ml

download.google-images[.]ml

microsoftd[.]tk

windowshostnamehost[.]club

arress.windowshostnamehost[.]club

bc.windowshostnamehost[.]club

c2.windowshostnamehost[.]club

local.windowshostnamehost[.]club

ns2.windowshostnamehost[.]club

v2ray.windowshostnamehost[.]club

vwlamazcsrv1.windowshostnamehost[.]club

wlamazcsrv1.windowshostnamehost[.]club

139.180.131[.]135

139.180.135[.]175

139.180.135[.]200

139.180.141[.]227

139.180.156[.]26

139.180.187[.]35

141.164.35[.]117

141.164.61[.]70

141.164.62[.]81

141.164.63[.]174

154.220.3[.]252

158.247.206[.]194

158.247.219[.]236

163.49.70[.]18

182.162.136[.]235

198.13.37[.]172

202.182.102[.]168

202.182.96[.]238

207.148.70[.]19

207.148.99[.]56

37.61.205[.]212

45.32.112[.]201

45.76.178[.]7

45.77.107[.]26

52.198.189[.]6

54.208.217[.]35

66.42.44[.]130

66.42.61[.]81

93.180.156[.]77

Compromised GlassFish Servers

103.215.168[.]179

114.143.30[.]50

101.53.136[.]36

116.203.104[.]216

202.73.97[.]91

186.250.242[.]178

107.170.109[.]82

67.205.143[.]19

107.161.183[.]116

206.189.69[.]127

95.111.245[.]74

192.99.169[.]235

Initial Access Droppers

c2df9f77b7c823543a0528a28de3ca7acb2b1d587789abfe40f799282c279f7d

59b500eed76b69c9f952131a378a8168c76833aeafaa7aa943e8ee6aa8c1a350

abd81e97006124b547bbb387de853b1990ff38a87dce3377a1e5e535d1b203d6

2a6ff83f65c2620cce9ceee3a570b0540f1e4ab5ac2e1b804a1b3da4c7ad926b

Fishmaster Cobalt Strike Loader

8df253e4085f02181fdaf957dca2110543b99628cf3d82310b9ada5a327b3831

339586a4c87084519dd29ab07fe82ed0a1c99df01818a948b717269555a55910

2af96606c285542cb970d50d4740233d2cddf3e0fe165d1989afa29636ea11db

f21a9c69bfca6f0633ba1e669e5cf86bd8fc55b2529cd9b064ff9e2e129525e8

a7e9e2bec3ad283a9a0b130034e822c8b6dfd26dda855f883a3a4ff785514f97

23df4aba9536b2ea8de3bc5035f87dfe7698e7cae6400068b15d305c1e147d18

d546daa385c1b05514c1a3a85bf536259660e650e20c09af41a2966a42e8a127

Cobalt Strike Beacon

5dc4b4848c381db04941be8215446c502957d7faf0d96f957f3221b79051c691

a2318cfd61b2c89ccd0e4d3e331311995c877c4aff6583d0fa63cb111483761e

d4017f4868716fd6af954d63069eff110d8aa193669e691b509f2b10deed0157

5f5fac89d925a12972206f346245ba317b027f107a500f1bdbed01e40c065e9b

e33c31cbf4fb871dac77586900392c789ac6f1da7d6ccd9cedf8a9639a7de27e

408a3ebea3b9b3cd1eeb99eb4fabf3f2fb6d0d0b40df6cf4b1c20286df23df5f

98a7c0e03e1e90d63fda22ae0d5947abd48709ebbd2ee86ce88277b12696c4d8

bcd938fffe54a891eaf355444439b657e7a0d8f6465aff0ccf1f54d86fa06b92

d7ede69b96bd482cfaeffe0ee582b23f507a46237070c75c3b711d0be716538b