
Taiwan Web Servers Compromised: UAT-7237 Leverages Customized Open-Source Hacking Tools

A Chinese-speaking advanced persistent threat (APT) group tracked as UAT-7237 has been identified as actively targeting web infrastructure in Taiwan. The group is reported to use customized versions of open-source tools to gain long-term access to high-value victims. According to Cisco Talos, UAT-7237 has been operating since at least 2022 and is considered a sub-group of UAT-5918, which targets critical infrastructure in Taiwan.

Recently, UAT-7237 carried out an intrusion against web infrastructure, relying on stealthy techniques and tailored tools to evade detection while conducting its operations. Researchers noted a distinctive element of the intrusion: the group employed a shellcode loader named SoundBill, capable of launching secondary payloads, including Cobalt Strike. This marks a significant departure from UAT-5918's tactics, which generally involve immediate web shell deployment for system access.

UAT-7237's attacks begin with the exploitation of known vulnerabilities in unpatched servers, which gives the group a foothold from which to conduct reconnaissance and identify targets suitable for follow-up exploitation. Notably, instead of deploying web shells directly, UAT-7237 prefers to embed itself within compromised systems by installing the SoftEther VPN client to maintain persistent access.

By leveraging tools such as JuicyPotato for privilege escalation and Mimikatz for credential extraction, UAT-7237 considerably extends its reach inside a compromised environment. Notably, updated versions of the SoundBill loader now embed a Mimikatz instance, further consolidating the group's tooling. The group has also shown intent to manipulate Windows Registry settings to disable User Account Control and to enable the storing of cleartext passwords.
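A defender-side audit for the two registry changes described above, added here as an example and not taken from the article or from Cisco Talos. The article names no specific keys, so the mapping of "disable User Account Control" to EnableLUA and "storing of cleartext passwords" to the WDigest UseLogonCredential value is an assumption; the Test-HardeningValue function is likewise a name chosen for this example.

```powershell
# Added audit example; not from the original article or from Cisco Talos.
# Assumption: the article's "disable user account control" and "storing of
# cleartext passwords" correspond to the EnableLUA and WDigest
# UseLogonCredential registry values. The article itself names no keys.
$checks = @(
    @{ Name          = 'UAC enabled (EnableLUA)'
       Path          = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value         = 'EnableLUA'
       Expected      = 1
       MissingIsSafe = $false },   # EnableLUA should always be present; missing is suspicious
    @{ Name          = 'WDigest cleartext caching off (UseLogonCredential)'
       Path          = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value         = 'UseLogonCredential'
       Expected      = 0
       MissingIsSafe = $true }     # absent value is the secure default on Win 8.1 / 2012 R2 and later
)

function Test-HardeningValue {
    param([Parameter(Mandatory)][hashtable]$Check)

    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Value) } else { $null }

    $status = if ($null -eq $actual) {
        if ($Check.MissingIsSafe) { 'OK' } else { 'UNKNOWN' }
    } elseif ([int]$actual -eq $Check.Expected) {
        'OK'
    } else {
        'ALERT'                      # value matches the weakening described in the report
    }

    [pscustomobject]@{
        Check    = $Check.Name
        Key      = "$($Check.Path)\$($Check.Value)"
        Actual   = $actual
        Expected = $Check.Expected
        Status   = $status
    }
}

# Run all checks and surface anything that is not OK; run elevated for reliable reads.
$results = $checks | ForEach-Object { Test-HardeningValue -Check $_ }
$results | Format-Table -AutoSize
if ($results.Status -contains 'ALERT') { exit 1 } else { exit 0 }
```

A value of EnableLUA = 0 or UseLogonCredential = 1 is worth an incident ticket on a web server, but a clean result does not rule out compromise; pair it with the VPN-client and loader indicators described elsewhere in the report.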

The group's preference for Simplified Chinese in its VPN client configuration files suggests that the operators are fluent in the language, which the researchers cite as a further sign of the group's sophisticated operational background.

In parallel developments, Intezer has identified a new variant of a backdoor called FireWood, associated with another China-aligned threat actor, indicating ongoing challenges related to cyber threats from the region.
