Image: Yan Ke (unsplash)
In a recent wave of cyber espionage, Chinese-speaking semiconductor corporations have come under attack through deceptive TSMC-themed lures leading to an infection of Cobalt Strike beacons.
The globally recognized Taiwan Semiconductor Manufacturing Company (TSMC), boasting an annual turnover of $73.5 billion and a robust workforce exceeding 73,000, stands as the preeminent entity in semiconductor contract manufacturing and design.
The unfolding cyber offensive, closely monitored by EclecticIQ, predominantly targets enterprises nestled in Taiwan, Hong Kong, and Singapore. The discernible TTPs (tactics, techniques, and procedures) exhibit striking parallels to prior undertakings associated with Chinese state-affiliated menace clusters.
Deployment of Cobalt Strike
While the initial report from Eclectic remains tight-lipped about the inception point of compromise, spear-phishing emails are suspected to be the common denominator, aligning with the standard modus operandi in cyber espionage endeavors.
Within the scope of this operation, malicious actors disseminate the HyperBro loader to embed a Cobalt Strike beacon within the infiltrated apparatus, thereby facilitating remote ingress for the adversaries.
Upon the initiation of HyperBro, a PDF masquerading as a TSMC document materializes to distract the target, ensure a clandestine breach, and avert suspicion.
Employing DLL side-loading, the loader propels a Cobalt Strike beacon into memory, riding on a digitally authenticated binary from CyberArk’s vfhost.exe.
A document dubbed ‘bin.config’, harboring XOR encrypted Cobalt Strike shellcode, undergoes decryption and assimilation into the bona fide ‘vfhost.exe’ process, thereby sidestepping AV scrutiny.
The assault architecture incorporates a command and control (C2) server address, embedded within the Cobalt Strike instrument, camouflaged as an authentic jQuery CDN to circumvent firewall barriers.
In a subsequent attack iteration, the malefactors exploit a subverted Cobra DocGuard web server to introduce an additional McAfee binary (‘mcods.exe’), reloading further Cobalt Strike shellcode via ‘mcvsocfg.dll.’
Here, the antagonists unveil a hitherto uncharted Go-based backdoor christened ‘ChargeWeapon,’ conceived to harvest and relay host data to the C2 in a base64-encoded guise.
ChargeWeapon incorporates elementary malware elusion techniques availed through the “garble” open-source utility, encompassing:
- Engaging a remote apparatus using the default Windows command line interface
- Executing directives via Windows Management Instrumentation (WMI)
- Employing TCP over HTTP for C2 dialogues
- Utilizing base64 ciphering to disguise data amidst C2 interactions
- Reading and modifying files on the invaded host
Eclectic draws parallels between the observed TTPs and established operational patterns of Chinese threat factions such as RedHotel and APT27 (alias Budworm, LuckyMouse).
The in-depth analysis by EclecticIQ articulates a robust belief in the likelihood of a PRC-backed nation-state threat actor orchestrating the analyzed Hyperbro Loader, malware downloader, and the GO backdoor, citing victimology, observed infrastructure, malware code, and resemblance to previously documented activity clusters as substantial evidence.
Supporting this attribution hypothesis, both Symantec and ESET have in the past disclosed the exploitation of Cobra DocGuard servers by China-sponsored APTs for malware distribution.