A Chinese threat actor operated a modified Cobalt Strike variant, “Cobalt Strike Cat,” to attack Taiwanese government entities and critical infrastructure. The campaign covered recon, exploitation of remote code execution vulnerabilities, credential theft, and persistence via Windows services and reverse proxy tooling. #CobaltStrikeCat #Taiwan
Keypoints
- EclecticIQ traces a Chinese threat actor using a customized Cobalt Strike variant (Cobalt Strike Cat) to target Taiwanese government and critical infrastructure.
- Publicly exposed C2 infrastructure (a Python SimpleHTTPServer-based web server at 156.251.172.194) hosted tools and target lists, enabling offensive operations.
- Initial access relied on exploiting four known remote code execution vulnerabilities and brute-forcing internal web services to compromise the victim.
- Reconnaissance and vulnerability scanning employed open-source tools (Nuclei, Afrog) with subdomain enumeration (OneForAll) to map targets.
- Post-exploitation included credential dumping (LaZagne, browser data), credential theft from the SAM, and persistence via Windows services and a reverse proxy for lateral movement.
- The actor targeted Taiwanese government IoT/CCTV devices and exposed web services, with attribution leaning toward a Chinese actor (Budworm overlap) though with moderate confidence.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – “Initial Compromise Through Exploiting Publicly Facing Applications” and “four different known remote code execution (RCE) vulnerabilities during their operations.”
- [T1595.001] Active Scanning: Scanning IP Blocks – “reconnaissance tools to scan and fingerprint systems exposed to the internet.”
- [T1595.002] Active Scanning: Vulnerability Scanning – “identifying potentially exploitable systems” via Nuclei and Afrog
- [T1090.001] Proxy: Internal Proxy – “Move Laterally Through Reverse Proxy” and “expose local devices located behind a NAT or firewall, to the Internet.”
- [T1543.003] Create or Modify System Process: Windows Service – “Maintain Presence via Windows Service Installation” and the command to create a Windows service
- [T1021.006] Remote Services: Windows Remote Management – “remote access to the victim device” and “dedicated communication channel from the victim system”
- [T1110] Brute Force – “Brute-forcing against the victim’s internal web services.”
- [T1016] System Network Configuration Discovery – “arp -a” and other network discovery commands used during reconnaissance
- [T1555.003] Credentials from Web Browsers – “Export victim browser data, including passwords” via HackBrowserData
- [T1003.002] OS Credential Dumping: Security Account Manager – “credentials from NTLM hashes and SAM” via LaZagne
- [T1003.001] OS Credential Dumping: LSASS Memory – listed in the article's MITRE mapping, but not tied to a specific described step
- [T1041] Exfiltration Over C2 Channel – “C2 server to send malicious commands into infected computers” and “offensive tooling” over C2
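An added defensive example, not code from the EclecticIQ report: detection logic for the Windows-service persistence (T1543.003) and the svchost.exe masquerade noted in the IoC list, run over constructed Event ID 7045 ("A service was installed in the system") records. The record field names, service names and paths are assumptions made for illustration.

```python
"""Flag suspicious Windows service installations (MITRE T1543.003).

Constructed example: inspect Event ID 7045 records and flag services whose
binary masquerades as a system executable (svchost.exe outside System32) or
runs from a user-writable directory. Field names follow the 7045 event layout
as assumed here; the sample records are fabricated for this example.
"""
import ntpath
import re

# Directories Windows itself uses for svchost.exe and similar system binaries.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Directories an unprivileged user (or a freshly landed payload) can write to.
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp|temp)\\", re.I)
# Binary names commonly borrowed by implants to blend in.
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe"}

def _binary_path(image_path: str) -> str:
    """Strip quotes and arguments from an ImagePath, returning the executable."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(" ")[0]

def classify_service(event: dict) -> list:
    """Return the reasons a 7045 event looks suspicious (empty list = benign)."""
    reasons = []
    if event.get("EventID") != 7045:
        return reasons
    path = _binary_path(event.get("ImagePath", ""))
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in MASQUERADE_NAMES and directory not in SYSTEM_DIRS:
        reasons.append(f"{name} outside system directory: {directory}")
    if USER_WRITABLE.match(path.lower()):
        reasons.append(f"service binary in user-writable path: {path}")
    return reasons

def find_suspicious(events: list) -> dict:
    """Map each suspicious service name to the list of reasons it was flagged."""
    return {e["ServiceName"]: classify_service(e) for e in events if classify_service(e)}

# Constructed sample records, not taken from the report.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "wuauserv", "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 7045, "ServiceName": "WinUpdateSvc", "ImagePath": r"C:\ProgramData\Update\svchost.exe"},
    {"EventID": 7045, "ServiceName": "Proxy", "ImagePath": r"C:\Users\Public\modify.exe -config c.ini"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": ""},
]
```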
Indicators of Compromise
- [IOC Type] IP addresses – 156[.]251[.]172[.]194 (exposed web server); 193[.]233[.]204[.]73, 103[.]156[.]184[.]89, 172[.]104[.]53[.]19, 103[.]156[.]184[.]83, 192[.]46[.]227[.]146, 140[.]99[.]149[.]35, 172[.]104[.]191[.]194 (threat actor IPs), and 6 more IPs
- [IOC Type] URLs/Domain – hxxp[://]38[.]54[.]50[.]246:10001 (TigerCloud Club bulk proxy IP address web service)
- [IOC Type] MD5 Hash – d0139fda662f3ca949dd335c30573fa2, 996c3eb5c21a20dd13b7ceee6c80b673, and 6 more hashes
- [IOC Type] File Names – lazagne.exe, hack-browser-data.exe (and 2 more items)
- [IOC Type] File Names – svchost.exe (modified Cobalt Strike), modify.exe (and 2 more names)
- [IOC Type] Other artifacts – “ONE-FOX” toolset and Cobalt Strike Cat (references in logs and tooling)