UAT-5918 Targets Taiwan’s Critical Infrastructure Using Web Shells and Open-Source Tools

Mar 21, 2025 | Ravie Lakshmanan | Threat Hunting / Vulnerability

Threat hunters have discovered a new threat actor called UAT-5918 that has been targeting critical infrastructure entities in Taiwan since at least 2023.

“UAT-5918, a threat actor believed to be driven by the goal of establishing long-term access for information theft, utilizes web shells and open-source tools to carry out post-compromise activities aimed at maintaining persistence in victim environments for information theft and credential harvesting,” explained researchers from Cisco Talos.


In addition to critical infrastructure, other targeted sectors include information technology, telecommunications, academia, and healthcare.

Described as an advanced persistent threat (APT) group aiming to establish persistent access in victim environments, UAT-5918 shares tactical similarities with various Chinese hacking groups such as Volt Typhoon, Flax Typhoon, Tropic Trooper, Earth Estries, and Dalbit.

The attack chains orchestrated by the group involve exploiting N-day security vulnerabilities in unpatched web and application servers exposed to the internet to gain initial access. This access is then used to deploy various open-source tools for network reconnaissance, system information gathering, and lateral movement.

UAT-5918’s post-exploitation tactics include using Fast Reverse Proxy (FRP) and Neo-reGeorg to create reverse proxy tunnels, giving attacker-controlled remote hosts a path to the compromised endpoints.


The threat actor has been using tools like Mimikatz, LaZagne, and BrowserDataLite to steal credentials and penetrate deeper into the target environment via RDP, WMIC, or Impacket. Additionally, they have employed the Chopper web shell, Crowdoor, and SparrowDoor, with the last two previously associated with a threat group called Earth Estries.

BrowserDataLite is specifically designed to extract login information, cookies, and browsing history from web browsers. The threat actor also engages in systematic data theft by searching local and shared drives for valuable data.

“The observed post-compromise activity indicates a manual approach with the primary objective being information theft,” stated the researchers. “This also involves deploying web shells on any identified sub-domains and internet-accessible servers to create multiple entry points into the victim organizations.”
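As an added example (not code from the Talos report or this article), the following Python heuristic is one check a defender could run over web server access logs to surface script files the deployment never shipped that are receiving POST requests with no Referer, the traffic shape a command-driven web shell typically produces. The log lines, IP addresses, and the script inventory are constructed.

```python
# Added example: flag likely web-shell activity in web server access logs.
# Heuristic: a web shell is a script file the application never shipped, and requests
# to it are usually POSTs from one or a few clients with no Referer header.
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
SCRIPT_EXT = (".aspx", ".asp", ".jsp", ".jspx", ".php")

# Constructed inventory of script files the deployment legitimately serves.
KNOWN_SCRIPTS = {"/login.aspx", "/api/upload.aspx", "/portal/index.jsp"}

# Constructed sample log: one legitimate login flow, one suspicious script under /uploads.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2025:10:01:02 +0800] "GET /login.aspx HTTP/1.1" 200 512 "https://portal.example/"
203.0.113.7 - - [20/Mar/2025:10:01:09 +0800] "POST /login.aspx HTTP/1.1" 302 0 "https://portal.example/login.aspx"
198.51.100.23 - - [20/Mar/2025:10:05:44 +0800] "POST /uploads/img_1.aspx HTTP/1.1" 200 318 "-"
198.51.100.23 - - [20/Mar/2025:10:05:51 +0800] "POST /uploads/img_1.aspx HTTP/1.1" 200 4120 "-"
198.51.100.23 - - [20/Mar/2025:10:06:30 +0800] "POST /uploads/img_1.aspx HTTP/1.1" 200 77 "-"
192.0.2.5 - - [20/Mar/2025:10:07:00 +0800] "GET /static/logo.png HTTP/1.1" 200 9000 "https://portal.example/"
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webshell_candidates(log_text, known_scripts=KNOWN_SCRIPTS, min_posts=2):
    """Return {path: {"clients": set(ips), "posts": n}} for script paths outside the
    inventory that received at least min_posts POST requests carrying no Referer."""
    stats = defaultdict(lambda: {"clients": set(), "posts": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip lines in another format rather than failing
        path = rec["path"].split("?", 1)[0].lower()
        if not path.endswith(SCRIPT_EXT) or path in known_scripts:
            continue
        if rec["method"] == "POST" and rec["referer"] in ("", "-"):
            stats[path]["posts"] += 1
            stats[path]["clients"].add(rec["ip"])
    return {p: s for p, s in stats.items() if s["posts"] >= min_posts}

if __name__ == "__main__":
    for path, s in find_webshell_candidates(SAMPLE_LOG).items():
        print(f"candidate web shell {path}: {s['posts']} POSTs from {sorted(s['clients'])}")
```

Any hit is a lead to triage against file creation times and the web server's deployment history, not a verdict; a legitimate file uploader or API endpoint missing from the inventory will also surface.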
