China-based APT10 targets Taiwanese financial institutions using Quasar RAT
The China-based APT10 hacking group, which is supported by the Chinese government, has carried out a cyberattack on Taiwan's financial sector by exploiting a vulnerability in a security software product used by 80 percent of local financial institutions.
The attacks on Taiwan are believed to have started in November 2021 and continued until this month, according to a CyCraft report. CyCraft has named the incident 'Operation Cache Panda' and linked it to the Chinese cyber-espionage group APT10 (a state-sponsored organization).
CyCraft stated that the name of the product exploited by APT10 cannot be shared, as a law enforcement investigation is under way and the vendor is working on an emergency patch to fix the situation across institutions.
China-based APT10 masks it with credential stuffing but infiltrates networks using a RAT
The company first observed a credential stuffing attack in November 2021, in which the hackers accessed some trading accounts and performed irregular mass transactions on the Hong Kong stock market.
However, after detailed investigation and analysis, CyCraft found that the credential stuffing attack carried out by APT10 was just a mask to cover their main objectives. The China-based APT10 hacking group exploited a vulnerability in a security software solution (the name of the product is yet to be revealed) and deployed an ASPXCSharp web shell. The attackers then used a tool called Impacket to scan the company's network completely.
Once the scanning was done, the China-based APT10 group used a technique called reflective code loading to execute malicious code on the systems and install a version of Quasar RAT. With this RAT installed, the hackers were able to remotely access the internal network and its systems through reverse RDP tunnels. The details were gathered by CyCraft when one of the affected customers disclosed the case to the company.
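The two earliest stages of the chain described above, the credential stuffing burst and the drop of a web shell, both leave traces in ordinary authentication and web server logs. The following Python script is an added example written for this page, not code from the article or from CyCraft's report. It runs two defender-side detections over constructed sample logs: a credential stuffing heuristic (one source address trying many distinct accounts in a short window with mostly failures) and a web shell indicator (POST requests to an .aspx path that is absent from a known baseline of the application's pages). The log format, the baseline set and the thresholds are assumptions chosen for illustration; in practice they come from the institution's own log sources and tuning.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data from the incident).
AUTH_LOGS = """\
2021-11-12T09:00:01 ip=203.0.113.5 user=alice result=FAIL
2021-11-12T09:00:03 ip=203.0.113.5 user=bob result=FAIL
2021-11-12T09:00:05 ip=203.0.113.5 user=carol result=FAIL
2021-11-12T09:00:07 ip=203.0.113.5 user=dave result=OK
2021-11-12T09:00:09 ip=203.0.113.5 user=erin result=FAIL
2021-11-12T09:00:11 ip=203.0.113.5 user=frank result=FAIL
2021-11-12T09:01:00 ip=198.51.100.7 user=alice result=FAIL
2021-11-12T09:01:20 ip=198.51.100.7 user=alice result=OK
2021-11-12T09:30:00 ip=198.51.100.9 user=grace result=OK
""".splitlines()

WEB_LOGS = """\
2021-11-12T09:05:01 ip=198.51.100.7 method=GET path=/trade/portfolio.aspx status=200
2021-11-12T09:05:02 ip=198.51.100.7 method=POST path=/trade/login.aspx status=302
2021-11-12T09:40:00 ip=203.0.113.5 method=POST path=/agent/upload/tmp1.aspx status=200
2021-11-12T09:40:05 ip=203.0.113.5 method=POST path=/agent/upload/tmp1.aspx status=200
2021-11-12T09:41:00 ip=203.0.113.5 method=POST path=/agent/upload/tmp1.aspx status=200
""".splitlines()

# Assumed baseline: the .aspx pages the application is known to serve.
BASELINE_ASPX = {"/trade/portfolio.aspx", "/trade/login.aspx"}


def parse(line):
    """Parse '<iso-timestamp> key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts, mostly failing,
    inside a sliding time window. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for rec in map(parse, lines):
        by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            span = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            accounts = {r["user"] for r in span}
            fails = sum(r["result"] == "FAIL" for r in span)
            if len(accounts) >= min_accounts and fails / len(span) >= min_fail_ratio:
                hits[ip] = {"accounts": len(accounts),
                            "attempts": len(span), "failures": fails}
                break  # one hit per IP is enough for an alert
    return hits


def detect_webshell_indicators(lines, baseline_paths):
    """Flag POST traffic to .aspx paths outside the known baseline:
    a freshly dropped server-side script receiving commands looks like this."""
    seen = defaultdict(lambda: {"ips": set(), "posts": 0})
    for rec in map(parse, lines):
        path = rec["path"]
        if (rec["method"] == "POST" and path.lower().endswith(".aspx")
                and path not in baseline_paths):
            seen[path]["ips"].add(rec["ip"])
            seen[path]["posts"] += 1
    return {p: {"ips": sorted(v["ips"]), "posts": v["posts"]}
            for p, v in seen.items()}


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(AUTH_LOGS).items():
        print(f"credential stuffing suspected from {ip}: {info}")
    for path, info in detect_webshell_indicators(WEB_LOGS, BASELINE_ASPX).items():
        print(f"possible web shell at {path}: {info}")
```

The credential stuffing rule fires on a single address cycling through accounts even when one attempt succeeds, which is exactly the case where an attacker gains a foothold behind the noise; the web shell rule gives a short list of unexpected script paths to pull from disk and review, rather than attempting to classify the file contents. Both rules are starting points for correlation, not a replacement for endpoint telemetry, and the same source address appearing in both is the kind of overlap worth escalating.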
China-based APT10 hackers and their new intrusion techniques
As per CyCraft, there were two separate cyberattacks on Taiwanese financial entities, and the hackers used advanced obfuscation techniques that had not been seen earlier.
Considering the attack motive, the digital footprints and the political situation between Taiwan and China, the objective does not appear to be monetary gain. It is clearly geopolitical warfare, and the intention is to hinder Taiwanese organizations and their operations.