Since January 2025, threat actors with unknown origins have been linked to a malicious campaign that primarily targets organizations in Japan.
According to a recent report by Cisco Talos researcher Chetan Raghuprasad, the attackers exploited CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.
The attackers utilize plugins from the publicly available Cobalt Strike kit ‘TaoWu’ for post-exploitation activities.
The targets of this malicious activity include companies across various sectors in Japan, such as technology, telecommunications, entertainment, education, and e-commerce.
The attack begins with the exploitation of CVE-2024-4577, which gives the threat actors initial access and lets them execute PowerShell scripts. Those scripts run the Cobalt Strike reverse HTTP shellcode payload, granting the attackers persistent remote access to the compromised endpoint.
Following this, the attackers carry out reconnaissance, privilege escalation, and lateral movement using tools such as JuicyPotato, RottenPotato, SweetPotato, Fscan, and Seatbelt. Additional persistence is established via Windows Registry modifications, scheduled tasks, and custom services using the plugins of the Cobalt Strike kit called TaoWu.
To maintain stealth, the attackers erase event logs using wevtutil commands, removing traces of their actions from the Windows security, system, and application logs. They then execute Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from memory on the victim’s machine.
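The log-clearing and credential-dumping steps described above leave a recognizable footprint in Windows process-creation telemetry (Sysmon Event ID 1 or Security 4688) and in the event log service itself (Security 1102 "audit log was cleared", System 104 "log file was cleared"). The following Python is an added defender-side example, not code from the Cisco Talos report or from any tool named on the page; the event records are constructed sample data in a simplified dictionary shape rather than real telemetry, and the rule names are my own.

```python
"""Sweep constructed Windows process-creation and log-clear events for
the anti-forensics and credential-dumping behaviour described in the report."""
import ntpath
import shlex

# Constructed sample telemetry (not real data), in a simplified shape:
# EventID 1 = process creation with a command line; 1102/104 = log cleared.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe clear-log System"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil qe Application /c:5 /f:text"},  # benign query
    {"EventID": 1, "Image": r"C:\Users\Public\mk.exe",  # hypothetical renamed binary
     "CommandLine": '"mk.exe" "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 1102, "Channel": "Security"},
    {"EventID": 104, "Channel": "System"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Mimikatz module prefixes that show up in command lines regardless of the
# binary's file name; a renamed executable still has to name its modules.
MIMIKATZ_MODULES = ("sekurlsa::", "lsadump::")


def _tokens(cmd):
    # posix=False keeps backslashes in Windows paths intact
    return shlex.split(cmd, posix=False)


def detect_log_clear_command(event):
    """Flag wevtutil invoked with the 'cl' / 'clear-log' subcommand."""
    cmd = event.get("CommandLine", "")
    toks = _tokens(cmd) if cmd else []
    if not toks:
        return None
    exe = ntpath.basename(toks[0].strip('"')).lower()
    if exe not in ("wevtutil", "wevtutil.exe"):
        return None
    if len(toks) >= 2 and toks[1].lower() in ("cl", "clear-log"):
        target = toks[2] if len(toks) > 2 else "?"
        return {"rule": "wevtutil_log_clear", "detail": f"cleared {target} log"}
    return None


def detect_log_cleared_event(event):
    """Flag the event-log service's own record of a cleared log."""
    eid, channel = event.get("EventID"), event.get("Channel", "")
    if eid == 1102 and channel == "Security":
        return {"rule": "security_audit_log_cleared", "detail": "Security 1102"}
    if eid == 104 and channel == "System":
        return {"rule": "system_log_cleared", "detail": "System 104"}
    return None


def detect_credential_dump_command(event):
    """Flag Mimikatz module syntax in a command line."""
    cmd = event.get("CommandLine", "").lower()
    hits = [m for m in MIMIKATZ_MODULES if m in cmd]
    if hits:
        return {"rule": "mimikatz_module_invocation", "detail": ", ".join(hits)}
    return None


DETECTORS = (detect_log_clear_command, detect_log_cleared_event,
             detect_credential_dump_command)


def sweep(events):
    """Run every detector over every event; return findings in event order."""
    findings = []
    for idx, ev in enumerate(events):
        for det in DETECTORS:
            hit = det(ev)
            if hit:
                hit["event_index"] = idx
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in sweep(SAMPLE_EVENTS):
        print(finding)
```

The two log-clearing rules are deliberately independent: if an attacker clears the Security log, the 1102 record is written to the freshly emptied log and is usually the only trace left locally, so forwarding it off-host is what makes the second rule useful after the first one's evidence is gone.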
The attacks ultimately result in the hacking crew stealing passwords and NTLM hashes from the infected hosts. Further analysis of the command-and-control (C2) servers associated with the Cobalt Strike tool has revealed that the threat actor left the directory listings accessible over the internet, exposing the full suite of adversarial tools and frameworks hosted on the Alibaba cloud servers.
Notable among the tools used are:
- Browser Exploitation Framework (BeEF), a publicly available pentesting software for executing commands within the browser context
- Viper C2, a modular C2 framework that facilitates remote command execution and generation of Meterpreter reverse shell payloads
- Blue-Lotus, a JavaScript webshell cross-site scripting (XSS) attack framework that enables the creation of JavaScript web shell payloads to conduct XSS attacks, capture screenshots, obtain reverse shell, steal browser cookies, and create new accounts in the Content Management System (CMS)
Raghuprasad states that the attacker’s motive likely extends beyond just credential harvesting, given the observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks.