
Chinese intruders, associated with a typhoon, infiltrated a Taiwanese web hosting service.

In the realm of cybersecurity, a new player has emerged with a focus on Taiwan's web infrastructure. The Chinese Advanced Persistent Threat (APT) group, known as UAT-7237, has been making headlines due to its use of customized open-source tooling and selective tactics for persistence and access.

UAT-7237 is known for gaining initial access via known vulnerabilities on unpatched servers exposed to the internet. Once inside, the group stealthily conducts reconnaissance to determine the value of the victim, establishes long-term access using the SoftEther VPN client, and uses Cobalt Strike as its favoured backdoor implant.

To further expand its reach, UAT-7237 uses a unique shellcode loader called SoundBill, designed to decode and execute secondary payloads. SoundBill contains two embedded executables that originate from QQ, a Chinese instant messaging software, likely used in phishing attacks. The group also deploys the ssp_dump_lsass project on GitHub, which dumps Local Security Authority Service (LSASS) memory and steals credentials.

In comparison, another Chinese APT group, UAT-5918, is characterized by a broader and more immediate deployment of web shells to establish backdoored channels within target environments. UAT-7237, however, is more selective in deploying web shells, preferring direct Remote Desktop Protocol (RDP) access and SoftEther VPN clients for maintaining persistence at compromised sites.
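Two of the behaviours described above leave host telemetry a defender can check for: a process that is not part of the normal baseline opening lsass.exe with memory-read access (the credential-dumping step), and a SoftEther VPN client binary being launched on a server that should not be running one (the persistence step). The Python below is an added example, not code from the article or from Talos's published research. It triages constructed, simplified Sysmon-style log lines (Event 10 ProcessAccess and Event 1 ProcessCreate fields rendered as key="value"); the allowlist of legitimate LSASS readers and the SoftEther client binary names vpnclient.exe and vpncmgr.exe are assumptions for this example and should be tuned to the environment being monitored.

```python
import re

# Win32 process-access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes that legitimately open lsass.exe on this (assumed) host baseline.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\msmpeng.exe",
}

# SoftEther VPN client binary names (assumed; verify against your inventory).
SOFTETHER_CLIENT = {"vpnclient.exe", "vpncmgr.exe"}

# Simplified key="value" rendering of Sysmon Event 10 / Event 1 fields.
KV = re.compile(r'(\w+)="([^"]*)"')


def parse(line: str) -> dict:
    """Parse one key="value" log line into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in KV.findall(line)}


def lsass_access_suspicious(ev: dict) -> bool:
    """True for a ProcessAccess event where a non-allowlisted process
    obtains a handle to lsass.exe that permits reading its memory."""
    if ev.get("eventid") != "10":
        return False
    if not ev.get("targetimage", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("sourceimage", "").lower() in LSASS_ALLOWLIST:
        return False
    granted = int(ev.get("grantedaccess", "0"), 16)  # accepts "0x1010"
    return bool(granted & PROCESS_VM_READ) or granted == PROCESS_ALL_ACCESS


def softether_client_start(ev: dict) -> bool:
    """True for a ProcessCreate event that launches a SoftEther client binary."""
    if ev.get("eventid") != "1":
        return False
    basename = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    return basename in SOFTETHER_CLIENT


def triage(lines) -> list:
    """Return (finding, offending image) tuples for every matching line."""
    findings = []
    for line in lines:
        ev = parse(line)
        if lsass_access_suspicious(ev):
            findings.append(("lsass_memory_access", ev["sourceimage"]))
        elif softether_client_start(ev):
            findings.append(("softether_client_start", ev["image"]))
    return findings


# Constructed sample events (not real telemetry): an allowlisted svchost
# handle, a dump tool reading LSASS memory, a query-only handle from an
# admin tool, Defender's own access, a SoftEther client start, and a
# benign process start.
SAMPLE_LOGS = [
    r'EventID="10" SourceImage="C:\Windows\System32\svchost.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1000"',
    r'EventID="10" SourceImage="C:\Users\Public\dump_tool.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1010"',
    r'EventID="10" SourceImage="C:\Tools\procexp.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1400"',
    r'EventID="10" SourceImage="C:\Windows\System32\MsMpEng.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1fffff"',
    r'EventID="1" Image="C:\Program Files\SoftEther VPN Client\vpnclient.exe" CommandLine="vpnclient.exe /usermode" ParentImage="C:\Windows\explorer.exe"',
    r'EventID="1" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe" ParentImage="C:\Windows\explorer.exe"',
]

if __name__ == "__main__":
    for kind, image in triage(SAMPLE_LOGS):
        print(f"{kind}: {image}")
```

The access-mask check matters: a query-only handle (0x1400 in the sample) is routine for administrative tools and is deliberately not flagged, while any handle carrying PROCESS_VM_READ from outside the allowlist is. On a web or hosting server, a SoftEther client start is a finding on its own; on a workstation where the client is sanctioned, the same rule would need a host-scoped allowlist.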

This differentiation suggests that UAT-7237 functions as a subgroup under the UAT-5918 umbrella but employs more tailored and stealthy tactics aimed at long-term access and evasion within high-value networks.

Talos researchers have documented an intrusion during which UAT-7237 compromised a Taiwanese web hosting provider, showing particular interest in VPN and cloud infrastructure. The active time period for this intrusion was from September 2022 to December 2024.

To aid in the detection and mitigation of UAT-7237's activities, Talos has published indicators of compromise for its UAT-7237 research on its GitHub repository. As the cyber threat landscape continues to evolve, it is crucial for organisations to stay vigilant and informed about these emerging threats.

  1. UAT-7237, a Chinese APT group, focuses on Taiwan's web infrastructure, typically gaining initial access through unpatched internet-facing servers and deploying the SoftEther VPN client for long-term access.
  2. UAT-7237 uses customized tooling such as SoundBill, its own shellcode loader, and the ssp_dump_lsass project from GitHub to dump LSASS memory and steal credentials, so organisations need to stay vigilant and informed about the group's tradecraft.
  3. Talos researchers recorded an intrusion in which UAT-7237 compromised a Taiwanese web hosting provider, with activity spanning September 2022 to December 2024.
  4. To help organisations detect and mitigate UAT-7237's activities, Talos has published indicators of compromise on its GitHub repository.
