Post: Taiwan Web Infrastructure targeted by APT UAT-7237 with custom toolset - Against Invaders - CyberSecurity news for humans.
<div>
<div>
<h2>Taiwan Web Infrastructure targeted by APT UAT-7237 with custom toolset</h2>
<h2>APT group UAT-7237, linked to UAT-5918, targets web infrastructure in Taiwan using customized open-source tools to maintain long-term access.</h2>
<p>A Chinese-speaking advanced persistent threat (APT) group, tracked as UAT-7237, has been observed targeting web infrastructure entities in Taiwan using customized versions of open-sourced tools with an aim to establish long-term access within high-value victim environments.</p>
<p>UAT-7237 has been active since at least 2022. The researchers found significant overlaps with <a href="https://securityaffairs.com/175728/hacking/uat-5918-atp-group-targets-critical-taiwan.html" target="_blank">UAT-5918</a>, an info-stealing threat actor active since 2023 and known for using web shells and open-source tools for persistence and credential theft. Talos experts believe that UAT-7237 is a subgroup of UAT-5918.</p>
<p><em>“UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise.” reads the <a href="https://blog.talosintelligence.com/uat-7237-targets-web-hosting-infra/" target="_blank">report</a> published by Talos.</em></p>
<p><em>“UAT-7237 aims to establish long-term persistence in high-value victim environments.”</em></p>
<p>Talos researchers observed the UAT-7237 APT group using a customized shellcode loader tracked as “SoundBill.” SoundBill can be employed to decode and load any shellcode, including <a href="https://securityaffairs.com/81877/hacking/cobalt-strike-bug.html" target="_blank">Cobalt Strike</a>.</p>
<p>UAT-7237 exploits unpatched servers for initial access, then performs rapid reconnaissance using commands like <code>nslookup</code>, <code>systeminfo</code>, and <code>ping</code> before establishing persistence via SoftEther VPN and RDP rather than web shells.</p>
<p>They move through networks using SMB shares and check for domain admins and controllers. They also use built-in Windows tools like SharpWMI and WMICmd to run commands, gather system info, and prepare for further attacks.</p>
<p>After compromising systems, UAT-7237 deploys custom and open-source tools to maintain access and steal data. Their custom loader, SoundBill, decodes and executes shellcode from files like <code>ptiti.txt</code>, running payloads ranging from Mimikatz to Cobalt Strike for credential theft and long-term access. SoundBill has two built-in programs from QQ, a Chinese messaging app, likely used as decoys in phishing attacks.</p>
<p>They also use JuicyPotato for privilege escalation and modify Windows settings, like disabling UAC and enabling cleartext password storage.</p>
<p>Credentials are primarily harvested with Mimikatz, sometimes embedded in SoundBill, and through LSASS dumping (<code>Project1.exe</code>) or registry searches for VNC credentials. Extracted data is compressed for exfiltration, enabling attackers to pivot, escalate privileges, and maintain persistence.</p>
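<p>Two of the behaviours described above, the rapid <code>nslookup</code>/<code>systeminfo</code>/<code>ping</code> reconnaissance burst and the rollback of UAC and cleartext-credential hardening, are easy to watch for in endpoint telemetry. The following is an added detection example, not code from Talos or from the article; it runs over constructed Sysmon-style events and assumes that “enabling cleartext password storage” corresponds to the WDigest <code>UseLogonCredential</code> registry value and “disabling UAC” to <code>EnableLUA</code>.</p>

```python
from collections import defaultdict

# Registry values behind the article's "disabling UAC" and "enabling cleartext
# password storage" (the WDigest mapping is an assumption; both paths are real).
SUSPICIOUS_REG = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "0",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential": "1",
}
RECON = {"nslookup.exe", "systeminfo.exe", "ping.exe"}

# Constructed sample events in a simplified Sysmon-like key=value format
# (id 1 = process creation, id 13 = registry value set; ts = epoch seconds).
SAMPLE_EVENTS = [
    r"ts=1000;host=web01;id=1;image=C:\Windows\System32\nslookup.exe",
    r"ts=1030;host=web01;id=1;image=C:\Windows\System32\systeminfo.exe",
    r"ts=1045;host=web01;id=1;image=C:\Windows\System32\ping.exe",
    r"ts=5000;host=web01;id=13;target=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA;details=0",
    r"ts=5010;host=web01;id=13;target=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential;details=1",
    r"ts=1000;host=web02;id=1;image=C:\Windows\System32\ping.exe",
    r"ts=9000;host=web02;id=1;image=C:\Windows\System32\systeminfo.exe",
    r"ts=2000;host=web02;id=13;target=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA;details=1",
]

def parse(line):
    """Split one 'k=v;k=v' event line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split(";"))

def analyze(lines, window=300):
    """Return (host, signal, detail) alerts for the two UAT-7237 behaviours."""
    alerts = []
    procs = defaultdict(list)  # host -> [(ts, image basename)]
    for ev in map(parse, lines):
        if ev["id"] == "13":
            expected = SUSPICIOUS_REG.get(ev["target"])
            if expected is not None and ev["details"] == expected:
                alerts.append((ev["host"], "hardening_rollback", ev["target"].rsplit("\\", 1)[-1]))
        elif ev["id"] == "1":
            procs[ev["host"]].append((int(ev["ts"]), ev["image"].rsplit("\\", 1)[-1].lower()))
    # Recon burst: all three commands seen on one host inside `window` seconds.
    for host, events in procs.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {name for ts, name in events[i:] if ts - start <= window}
            if RECON <= seen:
                alerts.append((host, "recon_burst", ",".join(sorted(RECON))))
                break
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

<p>On the sample data only <code>web01</code> fires: web02 never runs <code>nslookup</code>, and its <code>EnableLUA</code> change turns UAC on rather than off.</p>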
<p>The threat actor spreads in networks using tools like FScan and SMB scans to find accessible systems. They pivot using stolen credentials and maintain long-term access via SoftEther VPN, with configurations in Simplified Chinese, indicating operator proficiency. Their VPN setup was active from Sept 2022 to Dec 2024, showing extended use.</p>
<p>Talos published IOCs for this research <a href="https://github.com/Cisco-Talos/IOCs/tree/main/2025/08" target="_blank">on GitHub</a>.</p>
<p><a href="http://www.linkedin.com/pub/pierluigi-paganini/b/742/559" target="_blank">Pierluigi Paganini</a></p>
<p>(<a href="http://securityaffairs.co/wordpress/" target="_blank">SecurityAffairs</a> – hacking, China)</p>
<hr>
</div></div>