UAT-7237 Targets Taiwan Servers with Custom Hacking Tools

Chinese APT group UAT-7237 targets Taiwanese web servers with customized open-source tools and a bespoke shellcode loader called SoundBill to establish long-term access. Learn their TTPs.

A Chinese-speaking advanced persistent threat (APT) group, UAT-7237, has been observed targeting web infrastructure entities in Taiwan. The group uses customized versions of open-source tools with the aim of establishing long-term access within high-value victim environments.

UAT-7237 is believed to be a sub-group of the actor UAT-5918, and its tactics are designed to be stealthy and persistent. The attack begins with the exploitation of known vulnerabilities, followed by reconnaissance, credential theft using tools like Mimikatz, and privilege escalation with JuicyPotato. This detailed analysis reveals their methods, from initial compromise to establishing persistent RDP access, and shows an evolving threat to critical infrastructure.

A New Actor Emerges: UAT-7237

Cisco Talos attributes the activity to a cluster it tracks as UAT-7237, which is believed to have been active since at least 2022. The hacking group is assessed to be a sub-group of UAT-5918, another actor known for attacking critical infrastructure entities in Taiwan since 2023.

In a recent report, Talos stated:

“UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise.”

The attacks are characterized by the use of a bespoke shellcode loader dubbed SoundBill, which is designed to decode and launch secondary payloads like Cobalt Strike.

Attack Chain and Unique Tactics

Despite the tactical overlaps with UAT-5918, UAT-7237’s tradecraft exhibits notable deviations. This includes its reliance on Cobalt Strike as a primary backdoor, the selective deployment of web shells after initial compromise, and the incorporation of direct remote desktop protocol (RDP) access and SoftEther VPN clients for persistent access.

The attack chains begin with the exploitation of known security flaws against unpatched servers exposed to the internet. This is followed by initial reconnaissance and fingerprinting to determine if the target is of interest for follow-on exploitation.

“While UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly, using the SoftEther VPN client to persist their access, and later access the systems via RDP,” said researchers Asheer Malhotra, Brandon White, and Vitor Ventura. This tactic of using the VPN client is similar to methods employed by groups like Flax Typhoon.

Tools of the Trade

Once persistence is successful, the attacker pivots to other systems across the enterprise to expand their reach. This is where they deploy SoundBill, a shellcode loader based on VTHello, for launching Cobalt Strike.

Also deployed on compromised hosts is JuicyPotato, a privilege escalation tool widely used by various Chinese hacking groups, and Mimikatz to extract credentials. In an interesting twist, subsequent attacks have leveraged an updated version of SoundBill that embeds a Mimikatz instance directly into it to achieve the same goals.

Besides using the FScan tool to scan IP subnets for open ports, UAT-7237 has been observed attempting to modify the Windows Registry to disable User Account Control (UAC) and enable the storage of cleartext passwords.
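The two registry changes described above are easy to audit from the defender's side. The following PowerShell script is an added example, not code from the article or from the Talos report: the report as summarized here names the effects (UAC disabled, cleartext password storage enabled) but not the registry values, so the paths and value names below are the standard Windows locations for those settings, chosen here as an assumption about what "disable UAC" and "store cleartext passwords" map to. Run it in an elevated PowerShell session on the host you want to check.

```powershell
# Added example (not from the article or the Talos report): audit the UAC and
# cleartext-credential settings whose abuse the article describes.
# The article does not name the registry values; the paths below are the
# standard Windows locations for those two settings (an assumption on our side).

$checks = @(
    @{
        Name     = 'UAC (EnableLUA)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value    = 'EnableLUA'
        Expected = 1      # 1 = UAC enabled; 0 means UAC has been switched off
    },
    @{
        Name     = 'WDigest cleartext credential caching (UseLogonCredential)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
        Value    = 'UseLogonCredential'
        Expected = 0      # 0 = LSASS does not keep cleartext creds; 1 re-enables them
    }
)

function Test-HardeningSetting {
    param([hashtable]$Check)

    # Read the value; a missing value yields $null instead of an error.
    $current = (Get-ItemProperty -Path $Check.Path -Name $Check.Value `
                -ErrorAction SilentlyContinue).($Check.Value)

    if ($null -eq $current) {
        # Absent value: the OS default applies (UAC on; WDigest caching off on
        # Windows 8.1 / Server 2012 R2 and later). Report it, but treat as compliant.
        $status = 'NOT SET (default applies)'
        $ok = $true
    } elseif ($current -eq $Check.Expected) {
        $status = 'OK'
        $ok = $true
    } else {
        $status = "DEVIATION (found $current, expected $($Check.Expected))"
        $ok = $false
    }

    [pscustomobject]@{
        Setting   = $Check.Name
        Status    = $status
        Compliant = $ok
    }
}

$results = $checks | ForEach-Object { Test-HardeningSetting -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or EDR script hook flag the host.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

A deviation on either setting is not proof of compromise, since administrators occasionally change them, but both are low-frequency changes on a managed server, so alerting on the registry write itself (via Sysmon or Windows audit policy on those keys) is a stronger signal than a periodic poll.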

Talos noted, “UAT-7237 specified Simplified Chinese as the preferred display language in their [SoftEther] VPN client’s language configuration file, indicating that the operators were proficient with the language.”

Broader Threat Landscape

This disclosure coincides with a report from Intezer about a new variant of a known backdoor called FireWood. This backdoor is associated, albeit with low confidence, with Gelsemium, another China-aligned threat actor.

FireWood was first documented by ESET in November 2024. The original analysis detailed its ability to leverage a kernel driver rootkit module called usbdev.ko to hide processes and run various commands sent by an attacker-controlled server.

“The core functionality of the backdoor remains the same but we did notice some changes in the implementation and the configuration of the backdoor,” said Intezer researcher Nicole Fishbein. “It is unclear if the kernel module was also updated as we were not able to collect it.”
