2025-03-27

UAT-5918 Overlapping TTPs from Critical APT Groups, Attacks with An Arsenal of LOLBins & External Hacking Tools

Level: Tactical | Source: Cisco Talos
Sectors: Critical Infrastructure, Education, Healthcare, Technology, Telecommunications


Cisco Talos researchers have uncovered intrusions targeting critical infrastructure organizations in Taiwan, attributed to a threat group tracked as UAT-5918. The group has been operating since at least 2023 and focuses on long-term access and intelligence collection. Concerningly, its tactics and techniques resemble those of other known APTs: Cisco Talos reports that the group's "tooling and TTPs overlap substantially with several APT groups including Volt Typhoon, Flax Typhoon, and Dalbit." UAT-5918 gains initial access by exploiting unpatched web and application servers exposed to the internet. Its targets are primarily Taiwanese entities in the critical infrastructure, healthcare, technology, and telecommunications sectors. The group uses a variety of external tools, including FScan, Metasploit, Impacket, the China Chopper web shell, and LaZagne, alongside Living-off-the-Land Binaries (LOLBins), to carry out its intrusions.

Once access is established, Talos observed UAT-5918 beginning reconnaissance with built-in system commands to enumerate user accounts, network configuration, and system details. Commands such as "ping," "net user," "systeminfo," "arp -a," "route print," "tasklist," and "netstat -ano" are run to profile the environment, and system drives are queried with "wmic diskdrive get partitions" and "fsutil fsinfo drives." For credential access the group lists stored credentials with "cmdkey," and it weakens endpoint defenses by adding Windows Defender exclusions through the PowerShell cmdlet "Add-MpPreference." To extend their foothold, the threat actors then deploy a range of web shells, tunneling tools, and credential harvesters, typically delivered as archives that are extracted with WinRAR or 7-Zip.

The external tools deployed by UAT-5918 handle network scanning and lateral movement. Port scanners such as FScan, In-Swor, PortBrute, and Netspy are used to look for open ports, including 21, 22, 80, 443, 445, and 3389, and database ports such as 5432, 3306, and 1433. Once high-value endpoints are identified, the attackers establish persistence by creating new administrative user accounts. Credential theft is further facilitated by Mimikatz and LaZagne, by "reg save" to dump the SAM, SECURITY, and SYSTEM registry hives, and by "findstr" to search files for content of potential value. For lateral movement the attackers leverage Impacket's "wmiexec.py," copy their tools to administrative shares with "cmd.exe /Q /c copy" commands, and remotely execute payloads using "mstsc.exe" and scripts.

For data exfiltration, UAT-5918 collects and stages sensitive information before transferring it to attacker-controlled infrastructure. SQL database backups are created using "SQLCMD.EXE," and file searches focus on extracting credentials, system logs, and confidential project files. Additionally, browser credential dumpers such as "BrowserDataLite" are used to collect authentication details from web browsers. With UAT-5918’s reliance on publicly available tools and LOLBins, along with its overlaps with multiple known threat groups, detecting and monitoring their activity will be valuable for organizations beyond UAT-5918’s specific victimology.
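As an added defensive example (not code from the Talos report or from this page), the following Python script turns the command-line indicators described in the three preceding paragraphs into detection rules and runs them over a small set of constructed Windows process-creation events. The host names, file paths, event tuples, and the IIS worker process w3wp.exe as the web-server parent are all assumptions made for the example. The rules cover the burst of discovery commands (ping, net user, systeminfo, arp -a, route print, tasklist, netstat -ano, wmic diskdrive, fsutil fsinfo), "cmdkey" listing of stored credentials, "Add-MpPreference" exclusions, "reg save" of the SAM/SECURITY/SYSTEM hives, "cmd.exe /Q /c copy" to administrative shares, and "SQLCMD.EXE" database backups. A single discovery command on a host is deliberately ignored so that routine administration does not fire the burst rule.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, parent_image, command_line).
# Sample lines written for this example; not telemetry from the Talos report.
SAMPLE_EVENTS = [
    ("WEB01", "w3wp.exe", "cmd.exe /c whoami"),  # web server worker spawning a shell
    ("WEB01", "cmd.exe", "net user"),
    ("WEB01", "cmd.exe", "systeminfo"),
    ("WEB01", "cmd.exe", "arp -a"),
    ("WEB01", "cmd.exe", "route print"),
    ("WEB01", "cmd.exe", "netstat -ano"),
    ("WEB01", "cmd.exe", "wmic diskdrive get partitions"),
    ("WEB01", "cmd.exe", "cmdkey /list"),
    ("WEB01", "cmd.exe", "powershell -c Add-MpPreference -ExclusionPath C:\\ProgramData\\tmp"),
    ("DB02", "cmd.exe", "reg save hklm\\sam C:\\Windows\\Temp\\sam.hiv"),
    ("DB02", "cmd.exe", "reg save hklm\\system C:\\Windows\\Temp\\sys.hiv"),
    ("DB02", "cmd.exe", "SQLCMD.EXE -S . -Q \"BACKUP DATABASE hr TO DISK='C:\\Windows\\Temp\\hr.bak'\""),
    # Copy to a remote C$ share with output redirected to ADMIN$, constructed in the
    # style of an Impacket wmiexec.py command line.
    ("FS03", "wmiprvse.exe",
     "cmd.exe /Q /c copy C:\\Windows\\Temp\\t.exe \\\\10.0.0.7\\C$\\Windows\\Temp\\ "
     "1> \\\\127.0.0.1\\ADMIN$\\__1711 2>&1"),
    ("FS03", "cmd.exe", "tasklist"),
    ("HR04", "explorer.exe", "ping 10.0.0.1"),  # one discovery command alone: should stay quiet
]

# Discovery commands named in the write-up; several distinct ones on a host is the signal.
DISCOVERY = [re.compile(p, re.I) for p in (
    r"\bping\b", r"\bnet\s+user\b", r"\bsysteminfo\b", r"\barp\s+-a\b",
    r"\broute\s+print\b", r"\btasklist\b", r"\bnetstat\s+-ano\b",
    r"\bwmic\s+diskdrive\s+get\s+partitions\b", r"\bfsutil\s+fsinfo\s+drives\b",
)]

# Indicators strong enough to flag from a single event.
SINGLE_EVENT_RULES = {
    "stored_credential_listing": re.compile(r"\bcmdkey(?:\.exe)?\s+/list\b", re.I),
    "defender_exclusion_added": re.compile(
        r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I),
    "registry_hive_dump": re.compile(
        r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I),
    "remote_exec_to_admin_share": re.compile(
        r"\bcmd(?:\.exe)?\s+/Q\s+/c\b.*\\\\[^\s\\]+\\(?:ADMIN|C)\$", re.I),
    "sqlcmd_database_backup": re.compile(
        r"\bsqlcmd(?:\.exe)?\b.*\bBACKUP\s+DATABASE\b", re.I),
}

# Parent processes that should not be spawning shells. Assumes IIS, whose worker
# process is w3wp.exe; a web shell such as China Chopper runs commands this way.
WEB_SERVER_PARENTS = {"w3wp.exe"}
SHELL_CHILD = re.compile(r"(?:.*\\)?(?:cmd|powershell)(?:\.exe)?\b", re.I)


def detect(events, discovery_threshold=4):
    """Return {host: sorted rule names} for every host with at least one finding."""
    findings = defaultdict(set)
    discovery_seen = defaultdict(set)
    for host, parent, cmdline in events:
        if parent.lower() in WEB_SERVER_PARENTS and SHELL_CHILD.match(cmdline):
            findings[host].add("web_server_spawned_shell")
        for name, rule in SINGLE_EVENT_RULES.items():
            if rule.search(cmdline):
                findings[host].add(name)
        for rule in DISCOVERY:
            if rule.search(cmdline):
                discovery_seen[host].add(rule.pattern)
    # Several distinct discovery commands on one host read as an enumeration burst;
    # a lone "ping" or "tasklist" is normal administration and is left alone.
    for host, seen in discovery_seen.items():
        if len(seen) >= discovery_threshold:
            findings[host].add("discovery_burst")
    return {host: sorted(rules) for host, rules in findings.items()}


if __name__ == "__main__":
    for host, rules in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

In a real deployment the event tuples would come from Sysmon event 1 or Security event 4688 with command-line logging enabled, and the burst rule would be evaluated over a time window per host rather than over the whole input. Port scanning by FScan and the other scanners listed above is better caught from network telemetry (one source fanning out to 445, 3389, 1433, 3306, 5432 and the rest) than from process logs, since the scanner binaries are easily renamed.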
