Chinese APT group targets financial institutions in the campaign “Operation Cache Panda”

THREAT LEVEL: Red.

The Chinese threat actor APT10 conducted a series of large-scale supply chain attacks that exclusively targeted the financial software systems of Taiwanese financial institutions from the end of November 2021 until the middle of February 2022. The group is well known for earlier attacks on Japanese automakers, British managed service providers, US-based aerospace and defense corporations, and South Korean missile defense systems.

The Taiwan campaign, codenamed “Operation Cache Panda”, began with the exploitation of a web service vulnerability in the management interface of a security software system. The attacker first uploaded the ASPXCSharp web shell, a tool commonly used by Chinese threat actors, to take control of the web host, then used the well-known penetration-testing framework Impacket to scan the intranet and implant a .NET backdoor at scale, with the goal of stealing the victim organization's data. The attackers then used reflective code loading to execute malicious code in memory on the compromised hosts and install a variant of the Quasar RAT, which provided persistent remote access to the affected systems over reverse RDP tunnels. Quasar RAT capabilities include screen capture, webcam recording, registry editing, keylogging, and password theft.
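Two of the stages above leave artefacts that defenders can hunt for directly: a web shell on the IIS host (T1505.003) shows up as repeated POST requests to a script page the application never accepted POSTs on, and Impacket's wmiexec/smbexec remote execution (T1047 / T1569.002) leaves characteristic command lines that redirect output to `\\127.0.0.1\ADMIN$\__<timestamp>` or install a service whose image path echoes the command into `\\127.0.0.1\C$\__output`. The following Python script is an added example, not CyCraft's or the advisory's own tooling; the IIS log lines and Windows event records are constructed for illustration, the hostnames, IPs and the `KNOWN_POST_PAGES` allow-list are assumptions, and the regexes encode the documented default Impacket command formats.

```python
"""Detection heuristics for two stages of the Operation Cache Panda chain:
a web shell on an IIS host (T1505.003) and Impacket-style remote execution
during the intranet sweep (T1047 / T1569.002).

Added example; not CyCraft's or the advisory's own tooling. All log data
below is constructed for illustration.
"""
import re
from collections import Counter

# Constructed IIS W3C-style lines:
#   date time s-ip cs-method cs-uri-stem sc-status c-ip
IIS_LOG = """\
2021-12-01 03:14:07 10.0.0.5 GET /login.aspx 200 203.0.113.9
2021-12-01 03:14:09 10.0.0.5 POST /login.aspx 302 203.0.113.9
2021-12-01 03:20:11 10.0.0.5 POST /aspnet_client/system_web/cmd.aspx 200 198.51.100.7
2021-12-01 03:20:12 10.0.0.5 POST /aspnet_client/system_web/cmd.aspx 200 198.51.100.7
2021-12-01 03:20:15 10.0.0.5 POST /aspnet_client/system_web/cmd.aspx 200 198.51.100.7
2021-12-01 03:25:00 10.0.0.5 GET /images/logo.png 200 203.0.113.9
"""

# Hypothetical allow-list: pages the application legitimately accepts POSTs on.
KNOWN_POST_PAGES = {"/login.aspx"}


def webshell_candidates(log: str, min_posts: int = 2):
    """Return (uri, client_ip, count) for .aspx pages that receive repeated
    successful POSTs but are not on the allow-list. A freshly dropped web
    shell is a script outside the normal application surface that is only
    ever POSTed to, usually by a single operator address."""
    posts = Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip header/comment lines and malformed records
        method, uri, status, client = parts[3], parts[4], parts[5], parts[6]
        if (method == "POST" and uri.lower().endswith(".aspx")
                and status == "200" and uri not in KNOWN_POST_PAGES):
            posts[(uri, client)] += 1
    return [(uri, client, n) for (uri, client), n in posts.items() if n >= min_posts]


# Constructed Windows records: 4688 (process creation) and 7045 (service install).
EVENTS = [
    {"event_id": 4688, "host": "FIN-APP-02",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1638328811.23 2>&1"},
    {"event_id": 7045, "host": "FIN-DB-01", "service_name": "BTOBTO",
     "image_path": "%COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 "
                   "> %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat "
                   "& del %TEMP%\\execute.bat"},
    {"event_id": 4688, "host": "FIN-APP-02",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},  # benign admin activity, must not fire
]

# wmiexec default: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1
WMIEXEC_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)
# smbexec default service ImagePath: %COMSPEC% /Q /c echo <cmd> ^> \\127.0.0.1\C$\__output ...
SMBEXEC_RE = re.compile(
    r"%COMSPEC%\s+/Q\s+/c\s+echo\s+.*\\\\127\.0\.0\.1\\C\$\\__output", re.I)


def impacket_hits(events):
    """Return (host, description) for records matching Impacket's default
    wmiexec or smbexec command formats."""
    hits = []
    for ev in events:
        if ev["event_id"] == 4688 and WMIEXEC_RE.search(ev["cmdline"]):
            hits.append((ev["host"], "wmiexec-style WMI execution (T1047)"))
        elif ev["event_id"] == 7045 and SMBEXEC_RE.search(ev["image_path"]):
            hits.append((ev["host"], "smbexec-style service execution (T1569.002)"))
    return hits


if __name__ == "__main__":
    for uri, client, n in webshell_candidates(IIS_LOG):
        print(f"[webshell?] {n} POSTs to {uri} from {client}")
    for host, desc in impacket_hits(EVENTS):
        print(f"[lateral movement] {host}: {desc}")
```

The regexes only catch operators who kept Impacket's defaults; renamed output files or a custom service name (the `BTOBTO` value is Impacket's old default and is also worth alerting on by itself) will evade them, so treat the WMI parent process `WmiPrvSE.exe` spawning `cmd.exe` with output redirected to an administrative share as the durable signal, and the exact string as the quick win.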

The MITRE ATT&CK TTPs used by APT10 in the current attack are:

TA0002: Execution
TA0007: Discovery
TA0005: Defense Evasion
TA0003: Persistence
TA0004: Privilege Escalation
TA0008: Lateral Movement
T1620: Reflective Code Loading
T1569.002: System Services: Service Execution
T1047: Windows Management Instrumentation
T1021.001: Remote Services: Remote Desktop Protocol
T1505.003: Server Software Component: Web Shell
T1082: System Information Discovery
T1518.001: Software Discovery: Security Software Discovery
T1543.003: Create or Modify System Process: Windows Service
T1055: Process Injection
T1027: Obfuscated Files or Information
T1480: Execution Guardrails
T1562.001: Impair Defenses: Disable or Modify Tools

The other TTPs commonly used by APT10 are:

TA0042: Resource Development
TA0001: Initial Access
TA0006: Credential Access
TA0009: Collection
TA0011: Command and Control
T1087.002: Account Discovery: Domain Account
T1583.001: Acquire Infrastructure: Domains
T1560: Archive Collected Data
T1560.001: Archive via Utility
T1119: Automated Collection
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1005: Data from Local System
T1039: Data from Network Shared Drive
T1074.001: Data Staged: Local Data Staging
T1074.002: Data Staged: Remote Data Staging
T1140: Deobfuscate/Decode Files or Information
T1568.001: Dynamic Resolution: Fast Flux DNS
T1190: Exploit Public-Facing Application
T1210: Exploitation of Remote Services
T1083: File and Directory Discovery
T1574.001: Hijack Execution Flow: DLL Search Order Hijacking
T1574.002: Hijack Execution Flow: DLL Side-Loading
T1070.003: Indicator Removal on Host: Clear Command History
T1070.004: Indicator Removal on Host: File Deletion
T1105: Ingress Tool Transfer
T1056.001: Input Capture: Keylogging
T1036: Masquerading
T1036.003: Rename System Utilities
T1036.005: Match Legitimate Name or Location
T1106: Native API
T1046: Network Service Scanning
T1588.002: Obtain Capabilities: Tool
T1003.002: OS Credential Dumping: Security Account Manager
T1003.003: OS Credential Dumping: NTDS
T1003.004: OS Credential Dumping: LSA Secrets
T1566.001: Phishing: Spearphishing Attachment
T1055.012: Process Injection: Process Hollowing
T1090.002: Proxy: External Proxy
T1021.004: Remote Services: SSH
T1018: Remote System Discovery
T1053.005: Scheduled Task/Job: Scheduled Task
T1218.004: Signed Binary Proxy Execution: InstallUtil
T1553.002: Subvert Trust Controls: Code Signing
T1016: System Network Configuration Discovery
T1049: System Network Connections Discovery
T1199: Trusted Relationship
T1204.002: User Execution: Malicious File
T1078: Valid Accounts
T1047: Windows Management Instrumentation

Actors Detail

(The actor detail table was supplied as an image in the original advisory and is not reproduced in this text.)

Indicators of Compromise (IoCs)

(The IoC table was supplied as an image in the original advisory and is not reproduced in this text; the referenced CyCraft reports list the indicators.)

References

https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525

https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934