Threat actors have been observed targeting semiconductor companies in East Asia with lures posing as Taiwan Semiconductor Manufacturing Company (TSMC) that are designed to deliver Cobalt Strike beacons.
The intrusion set, according to EclecticIQ, leverages a backdoor called HyperBro, which is then used as a conduit to deploy Cobalt Strike, a commercial attack simulation and post-exploitation toolset.
An alternative attack sequence is said to have used a previously undocumented malware downloader to deploy Cobalt Strike, indicating that threat actors devised multiple approaches to infiltrate targets of interest.
The Dutch cybersecurity company attributed the campaign to a threat actor linked to China due to the use of HyperBro, which has been used almost exclusively by a threat actor known as Lucky Mouse (also known as APT27, Budworm, and Emissary Panda).
Tactical overlaps have also been discovered between the adversary behind the attacks and another group tracked by Recorded Future under the name RedHotel, which in turn overlaps with a hacking team called Earth Lusca.
Another Chinese connection comes from the use of a likely compromised Cobra DocGuard web server to host second-stage binaries, including a Go-based implant called ChargeWeapon, for distribution via the downloader.
“ChargeWeapon is designed to gain remote access and send device and network information from an infected host to an attacker-controlled (command and control) server,” EclecticIQ researcher Arda Büyükkaya said in a Thursday analysis.
It’s worth noting that a Trojanized version of EsafeNet’s Cobra DocGuard encryption software has also been linked to PlugX deployments, with Symantec attributing that activity to an alleged China-nexus actor codenamed Carderbee.
In the attack chain documented by EclecticIQ, a TSMC-themed PDF document is displayed as a decoy after HyperBro executes, indicating the use of social engineering techniques to trigger the infection.
“By presenting a normal-looking PDF while covertly executing malware in the background, you minimize the chances of the victim becoming suspicious,” Büyükkaya explained.
One notable aspect of the attack is that the C2 server address encoded in the Cobalt Strike beacon is disguised to look like a legitimate jQuery CDN, so that the beacon’s traffic blends in with ordinary web requests and passes through firewall defenses.
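The jQuery disguise works because a proxy or firewall that only inspects URL shapes sees what looks like a routine library download. Two things a beacon cannot easily fake are the actual destination host the proxy connects to and the request cadence: a browser fetches a library once and caches it, while a beacon re-fetches its "library" every sleep interval. The following is an added example (not code from the EclecticIQ report or from the actors described) that runs both checks over a constructed proxy log; the log lines, the CDN allowlist and the jQuery path pattern are assumptions made for illustration.

```python
"""Flag Cobalt Strike-style C2 traffic that mimics a jQuery CDN download.

Added illustration, not from the original report. The proxy log format, the
allowlisted hosts and the path pattern below are assumptions.
"""
import re
from datetime import datetime
from urllib.parse import urlsplit

# Hosts that legitimately serve jQuery: an assumed allowlist for this example.
LEGIT_JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}

# URL paths that look like a jQuery library file (assumed pattern).
JQUERY_PATH = re.compile(r"/jquery-\d+\.\d+\.\d+(?:\.min)?\.js$")

# A client fetching the same "library" URL this many times is treated as beaconing.
MIN_REPEATS = 3

# Assumed proxy log layout: "<timestamp> <client> <method> <url> <user-agent>".
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

# Constructed sample log. Line 1 is a real CDN fetch; lines 2-4 are one host
# polling a bare IP every 60 s; line 5 is a lookalike domain; line 6 is a
# legitimate cdnjs path that does not match the versioned-filename pattern.
SAMPLE_LOG = """\
2023-09-28T10:00:00Z 10.0.0.5 GET https://code.jquery.com/jquery-3.3.1.min.js Mozilla/5.0
2023-09-28T10:01:00Z 10.0.0.5 GET https://203.0.113.10/jquery-3.3.1.min.js Mozilla/5.0
2023-09-28T10:02:00Z 10.0.0.5 GET https://203.0.113.10/jquery-3.3.1.min.js Mozilla/5.0
2023-09-28T10:03:00Z 10.0.0.5 GET https://203.0.113.10/jquery-3.3.1.min.js Mozilla/5.0
2023-09-28T10:01:12Z 10.0.0.7 GET https://cdn.example-lookalike.net/jquery-3.3.2.min.js Mozilla/5.0
2023-09-28T10:01:15Z 10.0.0.9 GET https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js Mozilla/5.0
"""


def parse_line(line):
    """Split one proxy log line into a dict; return None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    parts = urlsplit(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "host": parts.hostname or "",   # the host the proxy actually connected to
        "path": parts.path,
        "ua": ua,
    }


def looks_like_jquery(event):
    """True when the request path imitates a jQuery library download."""
    return bool(JQUERY_PATH.search(event["path"]))


def find_host_mismatches(log_text):
    """jQuery-looking paths requested from a host that is not a known jQuery CDN.

    Returns a list of (client, host, path) tuples, one per matching request.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and looks_like_jquery(ev) and ev["host"] not in LEGIT_JQUERY_HOSTS:
            hits.append((ev["client"], ev["host"], ev["path"]))
    return hits


def find_beaconing(log_text, min_repeats=MIN_REPEATS):
    """Same client re-fetching the same 'library' URL at least min_repeats times.

    Returns a list of ((client, host, path), count, min_gap_s, max_gap_s); a
    narrow gap range is the regular sleep interval of a beacon.
    """
    series = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and looks_like_jquery(ev):
            key = (ev["client"], ev["host"], ev["path"])
            series.setdefault(key, []).append(ev["ts"])
    out = []
    for key, stamps in series.items():
        if len(stamps) >= min_repeats:
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            out.append((key, len(stamps), min(gaps), max(gaps)))
    return out


if __name__ == "__main__":
    for hit in find_host_mismatches(SAMPLE_LOG):
        print("host mismatch:", hit)
    for key, n, lo, hi in find_beaconing(SAMPLE_LOG):
        print(f"beaconing: {key} x{n}, interval {lo:.0f}-{hi:.0f}s")
```

The mismatch check keys on the destination the proxy actually connected to, not on any Host header the beacon supplies; a malleable profile can set the header to the real CDN name while the TCP connection goes to an attacker IP, which is exactly the discrepancy to look for. The cadence check is independent of the disguise and also catches profiles that imitate other libraries.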
The revelation comes as the Financial Times reported that Belgium’s intelligence and security agency, the State Security Service (VSSE), is working to “detect and combat possible espionage and/or interference activities carried out by entities including Alibaba” at the country’s Liège cargo airport.
Alibaba has denied any wrongdoing.
“China’s activities in Belgium are not limited to the classic spy who steals state secrets or the hacker who paralyzes an essential industry or a government department behind his PC,” the agency said in an intelligence report. “In an attempt to influence decision-making processes, China uses a variety of state and non-state resources.”
A report released by the US Department of Defense (DoD) last month described China as a “broad and pervasive cyberespionage threat” that steals technological secrets and undertakes surveillance efforts to gain strategic advantage.
“Using cyber means, the People’s Republic of China has engaged in prolonged espionage, theft and compromise campaigns against key defense networks and broader critical infrastructure of the United States, especially the Defense Industrial Base (DIB),” the Department of Defense said.