HyperBro

HyperBro is a malicious software (malware) that has been utilized in a sophisticated cyber espionage campaign targeting semiconductor industries primarily in Taiwan, Hong Kong, and Singapore. This malware was discovered being used in conjunction with a lure purporting to be from the Taiwan Semiconductor Manufacturing Company (TSMC). The scheme involves the HyperBro loader variant using a digitally signed CyberArk binary for a DLL-Side Loading attack, resulting in the in-memory execution of a Cobalt Strike beacon. The Cobalt Strike beacon was then installed on victims' computers using the HyperBro loader. This campaign has been attributed to China by Dutch cybersecurity firm EclecticIQ due to the use of the HyperBro loader, which is associated with a state-backed group labeled Budworm or APT27. The deployment of HyperBro was observed to occur through spear-phishing emails, which delivered the HyperBro loader that displayed a file purportedly from TSMC while deploying a Cobalt Strike beacon via DLL side-loading. In March, Advanced Persistent Threat (APT) actors installed HyperBro on the Exchange Server and two other systems. The entire scheme, including the legitimate component IntgStat.exe, pcalocalresloader.dll library, and the encrypted file thumb.db, was used solely to download the HyperBro backdoor. Notably, shikata_ga_nai obfuscation was not applied in the case of Able Desktop. EclecticIQ analysts have expressed high confidence that the analyzed HyperBro Loader, the malware downloader, and the GO backdoor are very likely operated and developed by a People's Republic of China (PRC) backed nation-state threat actor. This assessment is based on victimology, observed infrastructure, malware code, and resemblance with previously reported activity clusters. To protect against such vulnerabilities, it is recommended to use Patch Manager Plus to quickly patch over 850 third-party applications.