
Taiwan Web Infrastructure Targeted by APT UAT-7237 Using Custom Toolset

New Cyber Threat Targets Taiwan: Inside the Anthem Web Shell and HemiGate Backdoor

A sophisticated cyber campaign is actively targeting web infrastructure in Taiwan, deploying a custom-built toolset designed for espionage and long-term network persistence. A threat actor, tracked as UAT-7237, has been observed leveraging a powerful combination of a web shell and a backdoor to compromise vulnerable servers, execute commands, and exfiltrate sensitive data.

This multi-stage attack highlights a growing trend of advanced persistent threats (APTs) developing specialized malware to achieve their objectives with precision and stealth. Understanding their methods is the first step toward building a more resilient defense.

The Two-Pronged Attack Strategy

The success of this campaign relies on a two-part malware system. The attackers first gain initial access to a target server, often by exploiting known vulnerabilities in public-facing web applications. Once inside, they deploy their primary tools.

  1. The “Anthem” Web Shell: The first tool deployed is a custom web shell named Anthem. A web shell is a malicious script that enables a remote attacker to control a web server. Anthem provides the attackers with initial access and a powerful command-and-control interface. Its key capabilities include:

    • Comprehensive file management (uploading, downloading, deleting files).
    • Direct command execution on the compromised server.
    • Establishing a remote, interactive terminal for deeper system control.
  2. The “HemiGate” Backdoor: While the Anthem web shell is effective, it can be noisy and easily detected. To secure a more permanent and stealthy foothold, the attackers use Anthem to install a second, more sophisticated tool: the HemiGate backdoor. HemiGate is a custom TCP backdoor designed for long-term, covert access. It operates quietly in the background and is equipped with advanced functions, such as:

    • Creating a reverse shell to give attackers persistent remote access.
    • Downloading additional malicious payloads or tools.
    • Uploading stolen data to an attacker-controlled server.
    • Executing system commands without relying on the more visible web shell.

Understanding the Attack Chain

The attack follows a logical and methodical progression, demonstrating the calculated nature of the threat actor.

  • Initial Compromise: The attackers scan for and exploit vulnerabilities in web servers and applications to gain their first entry point.
  • Web Shell Deployment: Once inside, they upload the Anthem web shell to establish control and begin internal reconnaissance.
  • Privilege Escalation & Persistence: Using Anthem, the attackers deploy the HemiGate backdoor. This step is critical for ensuring they maintain access even if the initial vulnerability is patched or the web shell is discovered and removed.
  • Lateral Movement & Data Exfiltration: With persistent access secured via HemiGate, the attackers can move through the network, identify valuable data, and exfiltrate it to their own servers.

How to Defend Your Web Infrastructure

This campaign underscores the critical importance of a proactive and multi-layered security posture. Organizations, especially those with public-facing web infrastructure, must take immediate steps to mitigate these types of threats.

Here are actionable security recommendations to protect your assets:

  • Implement Robust Patch Management: The initial entry point for these attacks is often an unpatched vulnerability. Regularly and promptly update all software, applications, and operating systems to close known security gaps.
  • Deploy a Web Application Firewall (WAF): A WAF can help detect and block common web-based attacks, including the initial exploitation attempts used to upload web shells.
  • Conduct Regular Security Audits: Proactively hunt for threats on your network. Scan your web directories for unrecognized or suspicious files, as these can often be indicators of a web shell like Anthem.
  • Monitor Network Traffic for Anomalies: Keep a close watch on outbound network connections. A backdoor like HemiGate will communicate with an external command-and-control server. Unusual traffic patterns or connections to unknown IP addresses are major red flags.
  • Enforce the Principle of Least Privilege: Ensure that web server accounts have only the minimum permissions necessary to function. This can limit an attacker’s ability to execute commands or access sensitive parts of the system even if a web shell is successfully deployed.
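As an added example (not code from the article or from the research it summarizes), here is the baseline-comparison check behind the "scan your web directories" recommendation: hash a known-good deployment, re-hash later, and report files that appeared or changed, calling out newly written server-side scripts first. The web root and the dropped file are constructed in a temporary directory for the demo; the list of script extensions is an assumption, not something from the article.

```python
import hashlib
import tempfile
from pathlib import Path

# Server-side script types a web shell is commonly written in (assumed list).
SCRIPT_EXTENSIONS = {".php", ".asp", ".aspx", ".jsp", ".jspx", ".ashx"}


def hash_tree(webroot: str) -> dict:
    """Return {relative_path: sha256_hex} for every regular file under webroot."""
    root = Path(webroot)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify changes since the known-good baseline was recorded.

    'new' and 'modified' are the entries to inspect; a server-side script that
    appeared or changed after deployment is the strongest web-shell signal.
    """
    new = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    suspicious = sorted(p for p in new + modified
                        if Path(p).suffix.lower() in SCRIPT_EXTENSIONS)
    return {"new": new, "modified": modified, "deleted": deleted,
            "suspicious_scripts": suspicious}


def demo() -> dict:
    """Constructed scenario: clean deployment, then a script dropped into uploads/."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0; }")
        baseline = hash_tree(tmp)  # recorded at deployment time
        # Later: an unexpected script appears and index.php is altered.
        (root / "uploads").mkdir()
        (root / "uploads" / "img.php").write_text("<?php /* unknown */ ?>")
        (root / "index.php").write_text("<?php echo 'hello'; // changed ?>")
        return compare_to_baseline(baseline, hash_tree(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline manifest off the web server (a compromised host can rewrite a local copy) and re-run the comparison on a schedule or after each deployment.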

By understanding the tools and tactics employed by threat actors like UAT-7237, organizations can better anticipate their moves and fortify their defenses against these advanced, targeted cyber attacks. Vigilance and proactive security are no longer optional—they are essential for survival in today’s digital landscape.

Source: https://securityaffairs.com/181195/apt/taiwan-web-infrastructure-targeted-by-apt-uat-7237-with-custom-toolset.html
