Threat hunters have uncovered a new threat actor named UAT-5918 that has been attacking critical infrastructure entities in Taiwan since at least 2023.
“UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting,” Cisco Talos researchers Jungsoo An, Asheer Malhotra, Brandon White, and Vitor Ventura said.
Besides critical infrastructure, some of the other targeted verticals include information technology, telecommunications, academia, and healthcare.
Assessed to be an advanced persistent threat (APT) group looking to establish long-term persistent access in victim environments, UAT-5918 is said to share tactical overlaps with several Chinese hacking crews tracked as Volt Typhoon, Flax Typhoon, Tropic Trooper, Earth Estries, and Dalbit.
Attack chains orchestrated by the group involve obtaining initial access by exploiting N-day security flaws in unpatched web and application servers exposed to the internet. The foothold is then used to drop several open-source tools to conduct network reconnaissance, system information gathering, and lateral movement.
UAT-5918’s post-exploitation tradecraft involves the use of Fast Reverse Proxy (FRP) and Neo-reGeorge to set up reverse proxy tunnels for accessing compromised endpoints via attacker controlled remote hosts.
The threat actor has also been leveraging tools like Mimikatz, LaZagne, and a browser-based extractor dubbed BrowserDataLite to harvest credentials to further burrow deep into the target environment via RDP, WMIC, or Impact. Also used are Chopper web shell, Crowdoor, and SparrowDoor, the latter two of which have been previously put to use by another threat group called Earth Estries.
BrowserDataLite, in particular, is designed to pilfer login information, cookies, and browsing history from web browsers. The threat actor also engages in systematic data theft by enumerating local and shared drives to find data of interest.
“The activity that we monitored suggests that the post-compromise activity is done manually with the main goal being information theft,” the researchers said. “Evidently, it also includes deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry to the victim organizations.”
