A cyber espionage campaign has been discovered in which threat actors use a variant of the HyperBro loader along with a Taiwan Semiconductor Manufacturing (TSMC) lure in order to target semiconductor industries in regions like Taiwan, Hong Kong, and Singapore.
The tactics, techniques, procedures, and activities of this threat actor are attributed to and overlap with the People’s Republic of China (PRC) backed cyber espionage group.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
The HyperBro loader variant used a digitally signed CyberArk binary for a DLL-Side Loading attack, resulting in the in-memory execution of a Cobalt Strike beacon.
Further analysis from EclecticIQ revealed another undocumented malware downloader using the PowerShell BitsTransfer module to fetch malicious binaries from a compromised Cobra DocGuard server.
The malware downloader also uses a DLL Side-Loading technique, which uses a signed McAfee binary, mcods.exe, to run the Cobalt Strike shellcode. This shellcode, however, uses the same Cobalt Strike C2 server linked with the HyperBro loader variant.
Cobra DocGuard’s compromised web server also hosted a Go language-based backdoor which has been termed “ChargeWeapon”. This backdoor was found to be uploaded by the same threat actor and is designed to get remote access. It also sends device and network information from a victim’s computer to a C2 server controlled by an attacker.
ChargeWeapon – GO Language-Based Backdoor
Once infected, the ChargeWeapon backdoor starts to transmit the data about the compromised host in JSON format and obfuscated by a base64 encoding. The information includes Hostname, IP address (Ipv4 and Ipv6 format), and Process tree. It also employs a POST request for C2 communication over 45[.]77[.]37[.]145:8443.
In addition to this, it also has capabilities that include interacting with remote devices over Windows default CLI, WMI execution, Base64 obfuscation during C2 connection, and Reading or writing files on the infected hosts.
This backdoor uses multiple Go-language libraries like gopsutil, go-ole, wmi, and sys. A complete report about the malware downloader, backdoor, and other information has been published by Eclecticiq.
Indicators of Compromise
- df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 – (legitimate binary)
Generic Malware Downloader
- e26f8b8091bbe5c62b73f73b6c9c24c2a2670719cf24ef8772b496815c6a6ce0 – (loader module)
- e6bad7f19d3e76268a09230a123bb47d6c7238b6e007cc45c6bc51bb993e8b46 – (legitimate binary)
IP Address of second stage malware artefacts:
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.