Taiwan Web Servers Breached by UAT-7237 using Open-Source Hacking Tools
A Chinese-speaking advanced persistent threat (APT) actor, tracked by Cisco Talos as UAT-7237, has been observed targeting web infrastructure entities in Taiwan. This group has been active since at least 2022 and is considered a sub-group of UAT-5918, which has been attacking critical infrastructure in Taiwan since 2023. UAT-7237 employs customised versions of open-source tools to establish long-term access within high-value victim environments. Their recent activities include the use of a bespoke shellcode loader named SoundBill, designed to decode and launch secondary payloads such as Cobalt Strike.
UAT-7237’s tactics show significant deviations from UAT-5918, particularly in their reliance on Cobalt Strike as a primary backdoor and the selective deployment of web shells post-compromise. They incorporate direct Remote Desktop Protocol (RDP) access and SoftEther VPN clients for persistent access. The attack chains typically begin with exploiting known security flaws in unpatched servers exposed to the internet, followed by reconnaissance to assess the target’s value. Once initial access is gained, UAT-7237 pivots to other systems within the enterprise, deploying tools such as JuicyPotato for privilege escalation and Mimikatz for credential extraction. Notably, they have also modified SoundBill to embed Mimikatz, enhancing their capabilities. UAT-7237 has been observed making Windows Registry changes to disable User Account Control (UAC) and enable the storage of cleartext passwords, further indicating their sophisticated approach.
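A detection check a defender could run over endpoint telemetry for the registry changes described above, as an added example that is not from the article or from Talos: it parses constructed Sysmon Event ID 13 (registry value set) records and flags the two weakened settings. The key paths are the standard Windows locations for UAC (EnableLUA) and WDigest cleartext credential caching (UseLogonCredential), assumed here because the article does not name the exact keys.

```python
import json
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records, flattened to JSON
# lines the way a SIEM might export them. Sample data, not real telemetry.
SAMPLE_EVENTS = [
    r'{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "Details": "DWORD (0x00000000)"}',
    r'{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "Details": "DWORD (0x00000001)"}',
    r'{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "Details": "DWORD (0x00000001)"}',
    r'{"EventID": 12, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Classes", "Details": ""}',
]

# Registry settings the article says UAT-7237 weakens. The paths are the standard
# Windows locations for these settings (assumed; the article does not name the keys).
WEAKENING_RULES = [
    ("UAC disabled",
     r"\\Policies\\System\\EnableLUA$", 0),
    ("WDigest cleartext credential caching enabled",
     r"\\SecurityProviders\\WDigest\\UseLogonCredential$", 1),
]


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the int or None."""
    m = re.search(r"DWORD \(0x([0-9a-fA-F]+)\)", details or "")
    return int(m.group(1), 16) if m else None


def detect_weakening(event_lines):
    """Return (rule name, writing process, key path) for each weakening value-set event."""
    findings = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("EventID") != 13:          # only registry value-set events
            continue
        target = ev.get("TargetObject", "")
        value = parse_dword(ev.get("Details"))
        for name, pattern, weak_value in WEAKENING_RULES:
            # Match the key path case-insensitively and require the weakened value,
            # so re-enabling UAC (EnableLUA = 1) is not reported.
            if re.search(pattern, target, re.IGNORECASE) and value == weak_value:
                findings.append((name, ev.get("Image", "?"), target))
    return findings


if __name__ == "__main__":
    for name, image, target in detect_weakening(SAMPLE_EVENTS):
        print(f"[ALERT] {name}: {image} wrote {target}")
```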