Attacks involving ShadowPad and Cobalt Strike have enabled Chinese state-sponsored threat operation APT41 to breach and exfiltrate data from a Taiwanese government-affiliated research organization, reports The Hacker News.
According to an analysis from Cisco Talos, APT41 may have achieved persistence by deploying a web shell before delivering the payloads. ShadowPad leveraged an old, flawed Microsoft Office IME binary as a springboard for its next-stage loader, while Cobalt Strike was delivered through an anti-AV loader that evaded the quarantine mechanisms of security tools.
In addition to running PowerShell scripts that enabled in-memory execution of ShadowPad and the retrieval of Cobalt Strike, APT41 also used Mimikatz to collect passwords and gather further information before deploying the UnmarshalPwn payload, researchers noted.
"Once the backdoors are deployed the malicious actor will delete the web shell and guest account that allowed the initial access," added researchers. Such findings follow Germany's allegations that an attack against its national mapping agency three years ago had been conducted by Chinese state-backed hackers. China has dismissed the accusations.