
October 6, 2023

Chinese state-sponsored cyber actors target semiconductor manufacturers with Cobalt Strike


Espionage-motivated hackers, believed to be based in China and sponsored by the Chinese government, have been observed targeting semiconductor manufacturers based in Chinese-speaking regions.

The attack begins with a Taiwan Semiconductor Manufacturing Company (TSMC)-themed phishing email that contains either the HyperBro loader or a newly discovered loader, "ChargeWeapon".

Both loaders are configured to download and install Cobalt Strike, a publicly available malware. The encrypted Cobalt Strike payload is decrypted and executed in memory by DLL side-loading through legitimate, digitally signed executables, a technique used to evade anti-virus detection.
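The side-loading pattern described above, a legitimately signed executable dropped into a user-writable folder that loads an unsigned DLL sitting beside it, is something a defender can hunt for in image-load telemetry. The following is an added example, not code from the article or from Covalence: it runs a simple heuristic over constructed event records shaped like Sysmon ImageLoad fields. The field names, sample paths and the list of trusted install directories are assumptions for illustration.

```python
"""Heuristic detection of DLL side-loading from constructed image-load events.

Added example, not from the original article or Covalence. The records are
constructed to resemble Sysmon Event ID 7 (ImageLoad) fields; field names,
sample paths and the trusted-directory list are assumptions for illustration.
"""
import ntpath  # Windows path semantics regardless of the host running this
from dataclasses import dataclass
from typing import Iterable, List

# Directories from which signed binaries normally load their DLLs (assumed list).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


@dataclass(frozen=True)
class ImageLoad:
    image: str          # path of the process executable
    image_signed: bool  # executable carries a valid Authenticode signature
    loaded: str         # path of the DLL that was loaded into it
    dll_signed: bool    # the DLL carries a valid signature
    dll_signer: str     # signer name, empty string if unsigned


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (backslashes, lower case)."""
    return path.replace("/", "\\").lower()


def is_trusted_dir(path: str) -> bool:
    """True when the path sits under one of the standard install locations."""
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """Flag a signed executable loading an unsigned DLL from its own directory
    when that directory is not a standard install location."""
    if not ev.image_signed or ev.dll_signed:
        return False
    same_dir = ntpath.dirname(_norm(ev.image)) == ntpath.dirname(_norm(ev.loaded))
    if not same_dir:
        return False
    return not is_trusted_dir(ev.image)


def find_sideloads(events: Iterable[ImageLoad]) -> List[ImageLoad]:
    """Return the events that match the side-loading heuristic."""
    return [ev for ev in events if is_suspicious_sideload(ev)]


# Constructed sample telemetry (not real observations).
SAMPLE_EVENTS = [
    # Benign: signed application loading a signed DLL from Program Files.
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Program Files\Vendor\helper.dll", True, "Vendor Inc."),
    # Benign: signed executable loading a system DLL.
    ImageLoad(r"C:\Users\alice\Downloads\viewer.exe", True,
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
    # Suspicious: signed executable dropped into a temp folder loads an
    # unsigned DLL placed next to it, the classic side-loading arrangement.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\update\viewer.exe", True,
              r"C:\Users\alice\AppData\Local\Temp\update\version.dll", False, ""),
]

if __name__ == "__main__":
    for ev in find_sideloads(SAMPLE_EVENTS):
        print(f"[possible side-load] {ev.image} loaded unsigned {ev.loaded}")
```

The heuristic deliberately ignores DLLs loaded from System32 or Program Files, because signed software legitimately loads third-party and unsigned components from there all day; the signal worth a triage ticket is the combination of a signed host process, an unsigned neighbour DLL, and a user-writable location such as Temp, Downloads or AppData.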

The loader also displays a decoy PDF so that the user believes they have opened a legitimate document.

To increase its stealth, the Cobalt Strike implant is configured with a hardcoded command and control (C2) IP address, with its traffic disguised as jQuery requests, which typically pass through most firewalls.
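Traffic that looks like a jQuery download but goes to a bare IP address rather than a named host is a useful proxy-log signal for the configuration described above. The following is an added example, not code from the article or from Covalence: it parses constructed proxy log lines and flags jQuery-style requests by where they were sent. The log format, the sample lines (using the 203.0.113.0/24 documentation range) and the CDN allowlist are assumptions for illustration.

```python
"""Flag HTTP requests that fetch a 'jQuery' file from a bare IP address.

Added example, not from the original article or Covalence. The proxy log
lines are constructed; the whitespace-separated log format and the CDN
allowlist are assumptions for illustration.
"""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Matches file names such as jquery.js, jquery.min.js, jquery-3.3.1.min.js
JQUERY_FILE = re.compile(r"^jquery(?:-\d+(?:\.\d+)*)?(?:\.min)?\.js$", re.IGNORECASE)

# Hosts from which a genuine jQuery library is normally fetched (illustrative).
KNOWN_CDNS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}


def is_ip_literal(host: str) -> bool:
    """True when the host component is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify(url: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when a request looks like C2 dressed as jQuery."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    filename = parts.path.rsplit("/", 1)[-1]
    if not JQUERY_FILE.match(filename):
        return None
    if is_ip_literal(host):
        # Browsers load jQuery from a named host; an IP literal is the tell.
        return ("high", f"jQuery file requested from IP literal {host}")
    if host not in KNOWN_CDNS:
        # Self-hosted jQuery is common, so this is a low-confidence signal only.
        return ("low", f"jQuery file requested from non-CDN host {host}")
    return None


def scan(log_text: str) -> List[Tuple[str, str, str, str, str]]:
    """Parse 'timestamp src method url "user-agent"' lines and return hits as
    (timestamp, src, url, severity, reason)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, url, _ua = line.split(maxsplit=4)
        verdict = classify(url)
        if verdict:
            hits.append((ts, src, url, verdict[0], verdict[1]))
    return hits


# Constructed proxy log (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
2023-10-06T10:12:03Z 10.0.0.15 GET https://code.jquery.com/jquery-3.6.0.min.js "Mozilla/5.0"
2023-10-06T10:12:09Z 10.0.0.15 GET http://203.0.113.7/jquery-3.3.1.min.js "Mozilla/5.0"
2023-10-06T10:12:41Z 10.0.0.22 GET https://intranet.example.internal/js/jquery.min.js "Mozilla/5.0"
2023-10-06T10:13:02Z 10.0.0.22 GET http://203.0.113.7/__utm.gif "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ts, src, url, severity, reason in scan(SAMPLE_LOG):
        print(f"{ts} {src} [{severity}] {reason} ({url})")
```

The high-severity rule is the one that matters for this campaign: a hardcoded C2 address means the implant asks an IP literal for a "library" that no browser would fetch that way. The low-severity rule only exists to surface self-hosted copies for a human to review, since intranet sites that serve their own jQuery are routine.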

Researchers attributed the campaign to a China-backed nation-state threat actor based on victimology, the infrastructure observed, the malware code, and its resemblance to previously reported activity clusters.

Source: Bleeping Computer

Analysis

Information and intelligence regarding semiconductors would likely be one of the highest-priority intelligence requirements for the Chinese Intelligence Services (CIS). It’s expected that China would target manufacturers close to its border with Chinese-language phishing emails and other attacks to satisfy these requirements.

However, it’s interesting that a Hong Kong-based manufacturer was among the targeted companies, given that Hong Kong is on Chinese soil. Rather than conduct this attack, Chinese authorities could have used the government’s Cyber Security Law that essentially allows the CIS to obtain data from any system that resides within China or is owned by a Chinese organization.

This is indicative of a threat actor who wanted to take a more covert approach and potentially avoid the bureaucratic complications of invoking a law.

Mitigation

Covalence continuously monitors for potential threats, such as the detection of Cobalt Strike and other implants, and automatically creates AROs for them. Covalence users are encouraged to review and action these AROs as soon as possible.
