Chinese APT group targets financial institutions in the campaign “Operation Cache Panda”

For a detailed advisory, download the pdf file here

Chinese threat actor APT10 conducted a series of large-scale supply chain attacks that exclusively targeted the financial software systems of Taiwanese financial institutions from the end of November 2021 until the middle of February 2022. The actor is well-known for the attacks on Japanese automakers, British managed service providers, US-based aerospace and defense corporations, and South Korean missile defense systems.

The current attack targeting Taiwan was codenamed “Operation Cache Panda” and started with exploitation of a web service vulnerability in the security software system management interface. First, the attacker uploaded the ASPXCSharp WebShell commonly used by Chinese hackers to control the website host, and then began to use the well-known penetration tool Impacket to scan intranet computers, trying to implant the DotNet backdoor program on a large scale, and intending to steal the hacked unit data. The attackers then utilized a method known as reflected code loading to execute malicious code on local systems and install a version of the Quasar RAT that provided persistent remote access to the affected system via reverse RDP tunnels. Quasar RAT features include capturing screenshots, recording webcam, editing registry, keylogging, and stealing passwords.

The Mitre TTPs used by APT10 in the current attack are:

TA0002: ExecutionTA0007: DiscoveryTA0005: Defense EvasionTA0003: PersistenceTA0004: Privilege EscalationTA0008: Lateral MovementT1620: Reflective Code LoadingT1569.002: System Services: Service ExecutionT1047: Windows Management InstrumentationT1021.001: Remote Services: Remote Desktop ProtocolT1505.003: Server Software Component: Web ShellT1082: System Information DiscoveryT1518.001: Software Discovery: Security Software DiscoveryT1543.003: Create or Modify System Process: Windows ServiceT1055: Process InjectionT1027: Obfuscated Files or InformationT1480: Execution GuardrailsT1562.001: Impair Defenses: Disable or Modify Tools

The other TTPs commonly used by APT10 are:

TA0042: Resource DevelopmentTA0001: Initial AccessTA0006: Credential AccessTA0009: CollectionTA0011: Command and Control[T1087.002: Account Discovery: Domain AccountT1583.001: Acquire Infrastructure: DomainsT1560: Archive Collected DataT1560.001: Archive via UtilityT1119: Automated CollectionT1059.001: Command and Scripting Interpreter: PowerShellT1059.003: Command and Scripting Interpreter: Windows Command ShellT1005: Data from Local SystemT1039: Data from Network Shared DriveT1074.001: Data Staged: Local Data StagingT1074.002: Data Staged: Remote Data StagingT1140: Deobfuscate/Decode Files or InformationT1568.001: Dynamic Resolution: Fast Flux DNST1190: Exploit Public-Facing ApplicationT1210: Exploitation of Remote ServicesT1083: File and Directory DiscoveryT1574.001: Hijack Execution Flow: DLL Search Order HijackingT1574.002: Hijack Execution Flow: DLL Side-LoadingT1070.003: Indicator Removal on Host: Clear Command HistoryT1070.004: Indicator Removal on Host: File DeletionT1105: Ingress Tool TransferT1056.001: Input Capture: KeyloggingT1036: MasqueradingT1036.003: Rename System UtilitiesT1036.005: Match Legitimate Name or LocationT1106: Native APIT1046: Network Service ScanningT1588.002: Obtain Capabilities: ToolT1003.002: OS Credential Dumping: Security Account ManagerT1003.003: OS Credential Dumping: NTDST1003.004: OS Credential Dumping: LSA SecretsT1566.001: Phishing: Spearphishing AttachmentT1055.012: Process Injection: Process HollowingT1090.002: Proxy: External ProxyT1021.004: Remote Services: SSHT1018: Remote System DiscoveryT1053.005: Scheduled Task/Job: Scheduled TaskT1218.004: Signed Binary Proxy Execution: InstallUtilT1553.002: Subvert Trust Controls: Code SigningT1016: System Network Configuration DiscoveryT1049: System Network Connections DiscoveryT1199: Trusted RelationshipT1204.002: User Execution: Malicious FileT1078: Valid Accounts T1047: Windows Management Instrumentation

Actors Detail

Indicators of Compromise (IoCs)

References