Security News > 2023 > October > China-linked cyberspies backdoor semiconductor firms with Cobalt Strike
Hackers engaging in cyber espionage have targeted Chinese-speaking semiconductor companies with TSMC-themed lures that infect them with Cobalt Strike beacons.
The campaign spotted by EclecticIQ focuses on firms based in Taiwan, Hong Kong, and Singapore, with the observed TTPs bearing similarities to previous activities linked to Chinese state-backed threat groups.
In this campaign, the threat actors distribute the HyperBro loader to install a Cobalt Strike beacon on the compromised device, providing remote access to the threat actors.
The loader uses DLL side-loading to launch a Cobalt Strike beacon in memory, leveraging a digitally signed binary from CyberArk's vfhost.
On a second variant of the attack, the hackers use a compromised Cobra DocGuard web server to drop an additional McAfee binary and load more Cobalt Strike shellcode using DLL side-loading again via 'mcvsocfg.
"EclecticIQ analysts assess with high confidence that the analyzed Hyperbro Loader, the malware downloader and the GO backdoor are very likely operated and developed by a PRC backed nation-state threat actor, due to victimology, infrastructure observed, malware code and resemblance with previously reported activity clusters," explains EclecticIQ. Symantec and ESET have both previously reported about China-sponsored APTs leveraging Cobra DocGuard servers for malware delivery, further strengthening the attribution hypothesis to Chinese hackers.