Threat Research

深度剖析針對臺灣金融業的 Operation Cache Panda 組織型供應鏈攻擊

Securonix

CyCraft’s first-hand investigation reveals a China-state-backed operation, dubbed “Operation Cache Panda,” targeting Taiwan’s financial sector through a broad supply-chain attack exploiting software vulnerabilities and deploying multi-stage, memory-resident malware. The campaign utilized WebShell access, DotNet-based backdoors, and in-memory loading techniques (including Donut and Reflective Code Loading) to steal financial data while evading detection. #OperationCachePanda #APT10 #QuasarRAT #Donut #AsExploits #DogCheck #PresentationCache #CyCraft #Taiwan #TaiwanFinancialSector

Keypoints

  • Incident centered on 2021–2022 attacks against Taiwan securities/futures firms, attributed to a China‑state‑level actor and named by CyCraft as Operation Cache Panda.
  • Attackers exploited a vulnerability in widely used financial software to gain initial access and deployed a web-based WebShell (Log.aspx) for control.
  • Core backdoor is QuasarRAT, delivered via PresentationCache.exe to enable persistent, in-memory operations and DotNet loading.
  • Malware uses dynamic DotNet loading (Reflective Code Loading, T1620) and Donut/SharpSploit techniques to achieve fileless execution and evade detection.
  • Lateral movement leverages Impacket, Remote Service/WMI, and the creation of a Reverse Tunnel for RDP access.
  • Defense evasion includes Defender whitelisting, Sandboxie checks, and DES CBC string encryption to hinder static analysis.
  • IoCs and remediation recommendations emphasize patching, restricting web interfaces, asset inventory, and deploying Xensor EDR/Malware Protection Module.

MITRE Techniques

  • [T1505.003] Web Shell – The attacker uploaded a WebShell to control the website host: “攻擊者上傳了中國駭客常用之 ASPXCSharp WebShell 進行網站主機控制” → “The attacker uploaded a WebShell to control the web host.”
  • [T1050] New Service – PresentationCache.exe is registered as a Windows service to persist on the system: “註冊為服務,使能夠常駐於系統”
  • [T1620] Reflective Code Loading – Dynamic loading of DotNet assemblies into memory: “Reflective Code Loading(MITRE ATT&CK 編號 T1620),動態注射惡意 DotNet Assembly 程式碼到系統以合法執行程序。”
  • [T1105] Ingress Tool Transfer – Attacker downloads tools from external servers (e.g., x86.bin, DogCheck.bin): “下載伺服器、抓取 x86.bin 及 DogCheck.bin 檔案”
  • [T1047] Windows Management Instrumentation – Lateral movement via WMI: “Remote Service/WMI 方式橫向擴散到內部主機”
  • [T1562.001] Impair Defenses: Disable/Bypass Security Tools – Defender whitelist and Sandboxie checks; program halts in sandbox: “將惡意程式加入 Defender 的白名單、檢查 Sandboxie”
  • [T1027] Obfuscated/Compressed Files and Information – Use of DES CBC encryption to obfuscate strings and hinder analysis: “DES CBC 加密部分字串”

Indicators of Compromise

  • [SHA1] Log.aspx (WebShell) – D42BF66485218F2ED76A8B1D63AF417FD2A82C8B
  • [MD5] Log.aspx (WebShell) – 375270077E842624BCE08C368CDC62F9
  • [SHA1] PresentationCache.exe (DotNet Downloader) – 4ECFC1A89B50CD8DC1B9424C3EFCF63E257525AA
  • [MD5] PresentationCache.exe (DotNet Downloader) – EEADD95725DE21D269933881A8E8B21A
  • [SHA1] PresentationCache.exe (DotNet Downloader) – 6E6C399BDA3C1F06ADE71053FDDD8FBEFA15029C
  • [MD5] PresentationCache.exe (DotNet Downloader) – 03B88FD80414EDEABAAA6BB55D1D09FC
  • [SHA1] PresentationFrom.dll (DotNet Library) – 7D8EDEDB3104FEE9A422FC4E97B1969DC31C4E66
  • [MD5] PresentationFrom.dll (DotNet Library) – 7D12FA8EEBBD401390F2A5046FF2B4BB
  • [SHA1] PresentationFrom.dll (DotNet Library) – CE2925BCD3188D3CB6F8BB67CD9D3F2D72FDDC05
  • [SHA1] PresentationFrom.dll (DotNet Library) – BD6069BE81C70E918CF95BBDB30765A90A07FD98
  • [MD5] PresentationFrom.dll (DotNet Library) – A991AC3EB2D5C66DA1BECF002C19B9E6
  • [SHA1] PresentationStatic.dll (DotNet Library) – 333D9A94DC1A95D3C773BDE232D1BC2756C10518
  • [MD5] PresentationStatic.dll (DotNet Library) – 2949C999C785AA1CA4673FC7FAE58A73
  • [SHA1] PresentationStatic.dll (DotNet Library) – 6B47C2DEE1788017043B456C27E22193537B7A26
  • [MD5] PresentationStatic.dll (DotNet Library) – D506ED774089BA11D515F28087DC3E21
  • [SHA1] PresentationStatic.dll (DotNet Library) – 49E803BEAA4230E69A216B91757E35840D0C8683
  • [MD5] PresentationStatic.dll (DotNet Library) – 9F1BF77452A896B8055D3EA2EF6A6A65
  • [SHA1] DogCheck.bin (DogCheck) – A9541DEB16FFB41B6B4744D409597F9C62F7110E
  • [MD5] DogCheck.bin (DogCheck) – 8CE271DA8A84CD3D42552547A8BBAF5B
  • [SHA1] x86.bin (Quasar RAT) – 7CB09DC4BC7DD68D6AACE7A9628634248F18EBA5
  • [MD5] x86.bin (Quasar RAT) – ADC84F8C72E65EC85E051FE7CC419332
  • [Domain] cahe.microsofts.org – Hong Kong IP
  • [Domain] cahe.3mmlq.com – Hong Kong IP
  • [Domain] cahe.7cnbo.com – Hong Kong IP
  • [Domain] cache.microsofts.cc – (HK/TO) C2 domain
  • [IP] 104.155.228.182 – Taoyuan IP (C2 resolve)
  • [IP] 43.245.196.120 – Hong Kong IP (C2)
  • [IP] 43.245.196.121 – Hong Kong IP (C2)
  • [IP] 43.245.196.122 – Hong Kong IP (C2)
  • [IP] 43.245.196.123 – Hong Kong IP (C2)
  • [IP] 43.245.196.124 – Hong Kong IP (C2)
  • [IP] 23.224.75.93 – Hong Kong IP (C2)
  • [IP] 23.224.75.91 – Hong Kong IP (C2)
  • [Domain] dowon.microsofts.top – File Server (HK)
  • [Domain] dowon.08mma.com – File Server (HK)

Read more

Read more: https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934