Threat actors have been observed targeting semiconductor companies in East Asia with lures masquerading as Taiwan Semiconductor Manufacturing Company (TSMC) that are designed to deliver Cobalt Strike beacons.
The intrusion set, per EclecticIQ, leverages a backdoor called HyperBro, which is then used as a conduit to deploy the commercial attack simulation software and post-exploitation toolkit.
An alternate attack sequence is said to have utilized a previously undocumented malware downloader to deploy Cobalt Strike, indicating that the threat actors devised multiple approaches to infiltrate targets of interest.
The Dutch cybersecurity firm attributed the campaign to a China-linked threat actor owing to the use of HyperBro, which has been almost exclusively put to use by a threat actor known as Lucky Mouse (aka APT27, Budworm, and Emissary Panda).
Tactical overlaps have also been unearthed between the adversary behind the attacks and another cluster tracked by RecordedFuture under the name RedHotel, which also overlaps with a hacking crew called Earth Lusca.
Another Chinese connection comes from the use of a likely compromised Cobra DocGuard web server to host second-stage binaries, including a Go-based implant dubbed ChargeWeapon, for distribution via the downloader.
“ChargeWeapon is designed to get remote access and send device and network information from an infected host to an attacker controlled [command-and-control] server,” EclecticIQ researcher Arda Büyükkaya said in a Thursday analysis.
It’s worth noting that a trojanized version of EsafeNet’s Cobra DocGuard encryption software has also been linked to the deployment of PlugX, with Symantec linking it to a suspected China-nexus actor codenamed Carderbee.
In the attack chain documented by EclecticIQ, a TSMC-themed PDF document is displayed as a decoy following the execution of HyperBro, indicating the use of social engineering techniques to activate the infection.
“By presenting a normal looking PDF while covertly running malware in the background, the chances of the victim growing suspicious are minimized,” Büyükkaya explained.
A notable aspect of the attack is that the C2 server address hard-coded into the Cobalt Strike beacon is disguised as a legitimate jQuery CDN in an effort to bypass firewall defenses.
The disclosure comes as the Financial Times reported that Belgium’s intelligence and security agency, the State Security Service (VSSE), is working to “detect and fight against possible spying and/or interference activities carried out by Chinese entities including Alibaba” at the country’s Liège cargo airport.
Alibaba has denied any wrongdoing.
“China’s activities in Belgium are not limited to the classic spy stealing state secrets or the hacker paralyzing an essential industry or government department from behind his PC,” the agency noted in an intelligence report. “In an attempt to influence decision-making processes, China uses a range of state and non-state resources.”
A report released by the U.S. Department of Defense (DoD) last month described China as posing a “broad and pervasive cyber espionage threat,” and that it steals technology secrets and undertakes surveillance efforts to gain a strategic advantage.
“Using cyber means, the PRC has engaged in prolonged campaigns of espionage, theft, and compromise against key defense networks and broader U.S. critical infrastructure, especially the Defense Industrial Base (DIB),” DoD said.