Smokescreen Supply Chain Attack Targets Taiwan Financial Sector, A Deeper Look

Operation Cache Panda: Zero-Day in Financial Software Exploited by China-Linked Threat Group

CyCraft Technology Corp
Mar 1, 2022


Valentine’s Day this year saw the end of a truly toxic relationship — a prolonged supply chain attack targeting the Taiwan financial and securities trading sector that had begun back in November 2021. Evidence uncovered during a CyCraft incident response (IR) investigation ties these attacks to APT10 — a China state-sponsored hacker group widely believed to be associated with the Chinese Intelligence Agency, the Ministry of State Security (MSS).

The November 2021 attacks disrupted online trading, causing an uproar among the Taiwan public. At least two securities traders had to halt trading due to the volume of unusual purchases. Targeted organizations absorbed the financial losses and suffered the loss of customer trust. In addition, these attacks influenced and manipulated stock prices, damaging financial transaction credibility and honesty. If left unnoticed, these attacks could have had a devastating impact on the financial sector.

The November attacks were originally attributed to password mismanagement and credential stuffing; however, following a security incident response (IR) investigation conducted by CyCraft into a second wave of attacks peaking from the 10th to the 13th of February 2022, new evidence uncovered the exploitation of a severe vulnerability in commonly used financial software aided by the newly identified hacking technique, Reflective Code Loading.

The CyCraft IR investigation uncovered evidence suggesting credential stuffing could have been just a smokescreen to obfuscate other motives and malicious activity.

The true objective of this sophisticated zero-day supply chain attack (dubbed Operation Cache Panda) does not appear to have solely been financial gain but rather the exfiltration of brokerage information, the scraping of high-value PII data (full name, home address, email, credit card numbers, passport number, date of birth, etc.), damaging the reputation of Taiwan financial institutions, and the disruption of investor confidence during a period of economic growth for Taiwan.

The offensive launched against Taiwan financial institutions has become far more severe than initially assumed. The impact of this sophisticated zero-day supply chain attack continues to exert influence. The threat generated from this attack campaign should not be underestimated in scope or potential to harm.

“Our findings into Operation Cache Panda found that the attackers not only made extensive use of DotNet malware and a variety of obfuscation and evasion tools and techniques but also leveraged a novel attack approach with their use of reflective code loading.

It is worth noting that according to past infosec research, China-linked APT attacks have rarely been financially motivated. On the surface, the attack behavior demonstrated in Cache Panda displays a potential shift in that behavior pattern; however, underneath the market manipulation resides the insidious attack behavior that Taiwan has seen time and time again. With this dynamic attack behavior coupled with the difficulty in detecting these attacks, the scope and impact radius of these attacks become very serious.

This wasn’t one simple intrusion; this was a series of multiple attacks orchestrated into one campaign that started last year. A number of institutions may have been compromised in this campaign. There has been severe damage to not only the reputation of Taiwan financial institutions but also to investor confidence during a period of economic growth for Taiwan.

It is strongly recommended that all relevant institutions take stricter precautions, patch loopholes, remove possible backdoors and Trojans, and seek immediate, thorough security assessments from professional cybersecurity firms. Stopping the spread and fallout from this security disaster should be considered a national priority.”
— Birdman Chiu, CyCraft Founder & CTO


Incident Overview

At 5:27 p.m. on Thursday, November 25 of last year, a number of Taiwan financial institutions and securities traders informed the Taiwan Stock Exchange Corporation (TWSE) and the Financial Supervisory Commission (FSC) that they would be suspending online transactions due to suspicious behavior — large, unusual purchases of Hong Kong stocks via customer trading accounts — as a result of a possible cyberattack. (The stocks were purchased on the Hong Kong stock exchange by customer accounts of Taiwan securities brokers via their Hong Kong subsidiaries.)

After several weeks, IR investigations theorized that the November attacks were most likely due to password mismanagement and credential stuffing; however, the findings were not conclusive and suggested there may have been other causes. Several security countermeasures were taken, including forced password updates and multi-factor authentication.

The November attacks sent shockwaves through the Taiwan financial sector and were soon followed by a frenzy of stricter cybersecurity protocols and countermeasures. Highlighted news articles (in Traditional Chinese) are listed here for your reference:

Then, from February 10 to 13, a number of Taiwan financial institutions and securities traders were targeted yet again — some being victims of the November 2021 attacks and others CyCraft customers. CyCraft MDR/EDR cybersecurity solutions observed suspicious login events and files (such as PresentationCache[.]exe in Fig. 1 below) on customer servers and immediately began a detailed investigation. After three days, CyCraft completed IR investigations into both the November 2021 and February 2022 attacks.

Fig. 1 — CyCraft MDR’s first detection, auto triage, and alert sent for the malicious executable, PresentationCache[.]exe

Neither the November 2021 nor February 2022 attacks were solely the result of a credential stuffing attack. Recently uncovered evidence points to a zero-day supply chain attack targeting specific financial software.

A vulnerability existing in financial software with a majority market share among Taiwan securities traders was exploited by the attackers, granting them high-level access to multiple firms and allowing them to deploy several backdoors with each firm. Further investigation showed that what was initially presumed to be two separate waves of cyberattacks was actually one prolonged attack campaign in which the attackers leveraged advanced obfuscation techniques not previously observed.

Analysis of the attacker C2 domain, the QuasarRAT backdoor malware, the Hong Kong source IP, and the attacker behavior observed in the attacks has led to a high degree of confidence in attributing the attacks to a China-based threat group and a medium degree of confidence in the specific attribution of APT10. The objective of Cache Panda does not appear to have solely been financial gain but rather the exfiltration of brokerage information, the scraping of high-value personally identifiable information (PII) data, damaging the reputation of Taiwan financial institutions, and the disruption of investor confidence during a period of economic growth for Taiwan.

These attacks are the latest in a series of attacks against Taiwan by China-based threat groups. In early 2020, CyCraft curtailed a year-long attack campaign targeting Taiwan’s semiconductor ecosystem; this attack was attributed to another China-based threat group, Chimera. Again, in April 2020, a CyCraft incident response (IR) investigation into a government agency breach uncovered Waterbear malware — malware designed and distributed by the China-based threat group BlackTech.

The frequency of cyberattacks targeting Taiwan institutions surged by 38% in 2021, reaching an average of 2,644 attacks per week, Taiwan News reports. The global average is 925 attacks per week. This disparity is due to Taiwan’s unique geopolitical situation, high-tech economy, and mature communications infrastructure.


This Advanced Persistent Threat (APT), known as APT10 by MITRE ATT&CK nomenclature, has been active since at least 2006. Common targets of APT10 include healthcare, defense, finance, maritime, biotechnology, energy, and governmental organizations, with an emphasis on targets in Japan and Taiwan. APT10 is widely believed to be associated with the Chinese Intelligence Agency, the Ministry of State Security (MSS).

In 2018, the Federal Bureau of Investigation (FBI) of the U.S. Department of Justice charged two members of APT10, Zhu Hua and Zhang Shilong, with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft. The Department of Justice indictment charges that these individuals acted in association with the Tianjin State Security Bureau and had been engaging in global computer intrusions for more than a decade.

Fig. 2 — CyberTotal Cyber Threat Intelligence Platform Quickly Detected APT10 Activity

Attack Method Analysis

The attackers exploited a vulnerability in the web service of the software system's management interface. First, they uploaded an ASPXCSharp WebShell, commonly used by Chinese threat groups, to take control of the website host. Then, they used the common intranet penetration tool Impacket to scan intranet devices and deploy the DotNet backdoor program, intending to exfiltrate data from the compromised devices.

The attackers made extensive use of dynamically loaded DotNet Assembly files. Leveraging the recently added adversarial technique Reflective Code Loading (MITRE ATT&CK T1620), the attackers dynamically injected malicious DotNet Assembly code into the system's legitimate executables. Project Donut can generate shellcode for different platforms that loads and executes a DotNet Assembly entirely in memory. Further analysis uncovered that SharpSploit code was used to inject the DotNet malware, hiding it among non-malicious modules and thereby reducing the probability of detection by antivirus software.

“Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snippets of fileless executable code (ex: position-independent shellcode).

Reflective code injection is very similar to Process Injection except that the ‘injection’ loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.”
Reflective Code Loading (T1620), MITRE ATT&CK

Afterward, the DotNet malware was used together with Impacket to spread laterally to internal hosts through remote services/WMI. Once control of an internal host was obtained, a reverse RDP tunnel was established so that the attackers could operate the compromised host conveniently through the remote desktop.

Deeper analysis found that the attackers used the Chinese cloud file sharing service “Uncle Wen” (文叔叔) to download related tools, which gave them acceptable levels of convenience and anonymity. However, this also made it easier for us to track them when they logged into the compromised host via RDP.

The targeted financial software system is used by most financial institutions in Taiwan. Based on news and cyber threat intelligence sources, a number of securities traders are known to have been affected to varying degrees. Affected financial institutions are advised to patch the software system vulnerabilities immediately, limit the access scope of the web management interface, and check their environments against the IoCs provided by CyCraft at the end of this article, including network IPs, file hashes, and malware characteristics.

During the second peak of attacks in February, targeted CyCraft MDR/EDR customers were able to easily detect and monitor malicious activities, as shown in Figure 1 (pictured again below for your ease of reference).

Fig. 1 — CyCraft MDR’s first detection, auto triage, and alert sent for the malicious executable, PresentationCache[.]exe
Fig. 3 — CyberTotal Threat Intelligence Surveillance platform detects APT10 activity

Analysis of Attack Techniques

Phase 1 — Initial Access and Establishment of Entry Points

The WebShell used in these attacks is also used in open-source projects. This particular WebShell builds on the Ant Sword WebShell framework (As-Exploits) commonly used by Chinese threat groups. It enhances the attacker's ability to dynamically load and execute a DotNet Assembly obtained through GetType[0], and constructs the payload's Run type so that no malicious files or web access records are left behind, as shown in Figure 4 below.

Fig. 4 — Ant Sword As-Exploits WebShell

Phase 2 — Lateral Movement & Lurking

The attackers used six individual malware components to carry out this attack (only three landed on disk; the rest were dynamically downloaded and loaded into memory). Each was responsible for different functions; the overall process is shown in Figure 5 below.

PresentationCache[.]exe is the QuasarRAT loader — an open-source backdoor used by APT10 in past attack campaigns. First, it registered itself as a service so that it could reside in the system and load two DLL files, PresentationFrom[.]dll and PresentationStatic[.]dll.

When PresentationCache[.]exe was executed, it grabbed the x86[.]bin and DogCheck[.]bin files from the external file download server and injected these two shellcode files into other processes. These two shellcodes dynamically loaded the DotNET execution environment and loaded the attacker’s DotNet Assembly for subsequent actions.

Among them, x86[.]bin was the main body of the backdoor, which was later changed to the notorious DotNet backdoor QuasarRAT. DogCheck[.]bin was the gatekeeper, responsible for checking the connection status of the backdoor. PresentationCache[.]exe would then be restarted. This ensured that x86[.]bin would only reside in memory, and the main malware would not land. DogCheck[.]bin ensured the operation of the backdoor and strengthened the overall control of the compromised device.

Fig. 5 — Malware architecture and activity analysis
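To show how a defender can surface the chain described in the Attack Method Analysis and Phase 2 sections (shellcode injected into another process, the CLR then appearing in that process, and a DotNet Assembly loaded with no file behind it), here is an added Python example that is not CyCraft's code or tooling. It runs a correlation rule over constructed endpoint telemetry; the event schema, process names, PIDs and paths are all assumptions made for the example.

```python
"""Correlation rule for the in-memory DotNet loading chain (added example,
not CyCraft tooling). Event schema and sample values are constructed."""
from collections import defaultdict

# Constructed telemetry in a simplified schema: one dict per event, ordered by seq.
EVENTS = [
    {"seq": 1, "event": "process_create", "pid": 4120,
     "image": r"C:\Windows\System32\svchost.exe"},
    # Loader writes a remote thread into pid 4120 (the injection step of Phase 2).
    {"seq": 2, "event": "remote_thread", "source_pid": 5008, "target_pid": 4120},
    # The injected shellcode brings the CLR into a process that never loaded it.
    {"seq": 3, "event": "image_load", "pid": 4120,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"},
    # Assembly appears with no file behind it: reflective loading (T1620).
    {"seq": 4, "event": "assembly_load", "pid": 4120, "name": "x86payload", "path": ""},
    # Benign .NET application: CLR plus an assembly loaded from disk.
    {"seq": 5, "event": "process_create", "pid": 6110,
     "image": r"C:\Program Files\ContosoLOB\ContosoLOB.exe"},
    {"seq": 6, "event": "image_load", "pid": 6110,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"seq": 7, "event": "assembly_load", "pid": 6110, "name": "ContosoLOB.Core",
     "path": r"C:\Program Files\ContosoLOB\ContosoLOB.Core.dll"},
    # In-memory assembly without any injection (e.g. a build tool compiling to
    # memory): still worth a look, but lower severity.
    {"seq": 8, "event": "process_create", "pid": 7200,
     "image": r"C:\Program Files\ContosoLOB\buildhost.exe"},
    {"seq": 9, "event": "assembly_load", "pid": 7200, "name": "GeneratedModule", "path": ""},
]

CLR_MODULES = {"clr.dll", "coreclr.dll", "mscorwks.dll"}


def detect_in_memory_dotnet(events):
    """Return one finding per assembly load that has no backing file on disk,
    scored higher when the host process was injected before the load."""
    state = defaultdict(lambda: {"image": "?", "injected_at": None, "clr_at": None})
    findings = []
    for ev in sorted(events, key=lambda e: e["seq"]):
        kind = ev["event"]
        if kind == "process_create":
            state[ev["pid"]]["image"] = ev["image"]
        elif kind == "remote_thread":
            state[ev["target_pid"]]["injected_at"] = ev["seq"]
        elif kind == "image_load":
            if ev["image"].rsplit("\\", 1)[-1].lower() in CLR_MODULES:
                state[ev["pid"]]["clr_at"] = ev["seq"]
        elif kind == "assembly_load" and not ev.get("path"):
            s = state[ev["pid"]]
            reasons = ["assembly loaded with no backing file (T1620)"]
            if s["injected_at"] is not None:
                reasons.append("process received a remote thread before the load")
                if s["clr_at"] is not None and s["clr_at"] > s["injected_at"]:
                    reasons.append("CLR entered the process only after the injection")
            findings.append({"pid": ev["pid"], "image": s["image"], "assembly": ev["name"],
                             "severity": "high" if len(reasons) > 1 else "medium",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_in_memory_dotnet(EVENTS):
        print(f["severity"], f["pid"], f["image"], f["assembly"], "; ".join(f["reasons"]))
```

The benign application (pid 6110) produces no finding because its assembly has a path on disk; the injected svchost.exe instance scores high on all three conditions.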

PresentationCache Malware Technical Analysis

Cache Panda leveraged a large number of DotNet-related attack techniques, including a DotNet Assembly Loader and a DotNet Obfuscator, which further increased the difficulty of analysis and investigation. PresentationCache used the open-source project Donut (shown in Figure 6 below), most likely for its ability to generate shellcode for different platforms that dynamically loads a DotNet Assembly.

Executing a DotNet Assembly in memory achieves the effect of a fileless attack, greatly reducing the chance of leaving files on disk. This complicated the investigation, as the main body of the malware could not be recovered once the data in memory was gone.

Fig. 6 — Comparison of malware and Donut source code

DotNet Reactor, a commercial DotNet obfuscation tool, was also used to hinder reverse engineering. DotNet Reactor obfuscates the program's control flow and also generates DotNet IL dynamically, so the program is only resolved and executed at run time. To avoid static analysis, the attackers used many obfuscation techniques, such as encrypting part of the strings with DES CBC to avoid detection (shown in Figure 7 below).

Fig. 7 — DES CBC encrypted part of the string

Cache Panda also leveraged a number of defense evasion techniques to avoid detection and prolong persistence. One technique used was to include the malware within Windows Defender’s allowlist (Figure 8).

Fig. 8 — It’s easier to crash the party when you can add yourself to Windows Defender’s allowlist
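To check for the kind of Windows Defender allowlist abuse shown in Figure 8, here is an added Python example (not CyCraft's tooling) that audits a .reg export of the Defender Exclusions key and flags entries covering user-writable locations, single binaries, or executable file types. The export text is constructed for the example, and the classification rules are assumptions chosen for it rather than anything from the investigation.

```python
"""Audit Windows Defender exclusions from a .reg export (added example, not
CyCraft tooling). Flags entries an intruder could use to shelter a loader."""
import re

# Constructed export in the layout produced by 'reg export' of the Exclusions key;
# the entries themselves are invented for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Program Files\\Microsoft SQL Server\\MSSQL\\DATA"=dword:00000000
"C:\\ProgramData\\Update\\PresentationCache.exe"=dword:00000000
"C:\\Users\\Public\\Libraries"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
"C:\\Windows\\Temp\\svc.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions]
"exe"=dword:00000000
"""

# Locations a low-privileged user or a web service account can usually write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                 "%temp%", "%tmp%", "%appdata%", "%localappdata%", "%public%")
RISKY_EXTENSIONS = {"exe", "dll", "ps1", "bat", "vbs", "js"}


def parse_exclusions(reg_text):
    """Yield (kind, value) pairs; kind is Paths, Processes or Extensions."""
    kind = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.match(r"^\[.*\\Windows Defender\\Exclusions\\(\w+)\]$", line)
        if m:
            kind = m.group(1)
            continue
        m = re.match(r'^"(.*)"=dword:', line)
        if m and kind:
            # .reg files double every backslash inside quoted value names.
            yield kind, m.group(1).replace("\\\\", "\\")


def audit_exclusions(reg_text):
    """Return the exclusions that deserve review, with the reason for each."""
    findings = []
    for kind, value in parse_exclusions(reg_text):
        low = value.lower()
        reasons = []
        if kind in ("Paths", "Processes") and low.startswith(USER_WRITABLE):
            reasons.append("covers a user-writable location")
        if kind in ("Paths", "Processes") and low.endswith((".exe", ".dll")):
            reasons.append("shelters a single binary rather than a data directory")
        if kind == "Extensions" and low.lstrip(".") in RISKY_EXTENSIONS:
            reasons.append("exempts an executable file type from scanning")
        if reasons:
            findings.append({"kind": kind, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_exclusions(SAMPLE_REG):
        print(f"{f['kind']:10} {f['value']}: {'; '.join(f['reasons'])}")
```

The SQL Server data directory is the only entry left unflagged; an exclusion for a single .exe under ProgramData is reported twice over, which is the pattern to hunt for after an intrusion like this one.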

PresentationCache also checked for SbieDLL.dll to confirm whether or not it was currently located in a sandbox environment of Sandboxie (shown in Figure 9). If so, the malware would stop execution immediately to avoid sandbox analysis.

Fig. 9 — Check SbieDLL.dll

Cache Panda used the open-source, C#-implemented Quasar RAT as the core of the backdoor. By leveraging a number of open-source and commercial tools, the attackers reduced both their own malware development time and the risk of being associated with one particular malware family.

Highlighted Findings

  1. The attackers leveraged a zero-day RCE (remote code execution) vulnerability against a widely used financial software. As this zero-day RCE vulnerability has the potential to severely impact a number of financial organizations, we cannot disclose more details at this time.
  2. With a high degree of confidence, the scope of Cache Panda extends to several major securities traders as the software is ubiquitous.
  3. The attackers were able to leverage a zero-day RCE vulnerability in widely used financial software to execute code on the firms’ servers, move laterally within the system via remote desktop and novel techniques such as reflective code loading, and collect customer account credentials. This suggests a potential link between these stolen credentials and the sudden November 2021 spike in purchases of Hong Kong stocks on the open market; however, it is not conclusive. With these stolen credentials, however, it is entirely possible that the attackers could have launched similar attacks within this same time period.
  4. The objective of Cache Panda does not appear to have solely been financial gain but rather the exfiltration of brokerage information, the scraping of high-value PII data, damaging the reputation of Taiwan financial institutions, and the disruption of investor confidence during a period of economic growth for Taiwan.
  5. The impact of the attack has not yet reached its full extent. In our visibility, at least two securities brokers had to halt trading due to the large volume of unusual purchases. According to news agencies, there may be more. Targeted organizations had to absorb financial losses. Millions of customers were forced to update passwords and enable MFA.
  6. Reflective Code Loading was added to the MITRE ATT&CK framework in October of last year and was observed in the wild in November. It is recommended that defenders stay up-to-date with the latest ATT&CK framework updates, especially techniques targeting their sector.
  7. China-linked APT attacks are rarely financially motivated. The attack behavior demonstrated in Cache Panda shows a potential shift in that known behavior pattern.
  8. It is strongly recommended that all relevant organizations take stricter precautions, patch loopholes, remove possible backdoors and Trojans, and seek immediate, thorough security assessments from professional cybersecurity firms.

Recommended Mitigations

  1. Check for and block the IoCs listed below, and confirm that your own defenses can detect such methods.
  2. Check whether the host of the outsourced information system contains the As-Exploits web backdoor.
  3. Network segments should be divided and partitioned; access between zones should be managed — especially when connecting with external systems. Strict attention must be paid to API security design. Please refer to the OWASP API Security Guidelines.
  4. A midfield defense line for detection and response should be established, with long-term monitoring of the internal network and early detection of attacks. Cybersecurity solutions such as EDR/MDR are critical for detecting malware strains and for monitoring during the eradication and remediation processes.
  5. With a high degree of confidence, the root cause of these attacks is most likely that the commonly used financial software systems related to financial services had not been thoroughly researched and scanned for vulnerabilities. Therefore, more attention must be paid to the security of the supply chain and development processes, including stricter and multiple system security verification procedures via vulnerability assessments, detailed lists of patched vulnerabilities, and the employment of professional PSIRT teams.
  6. These attacks used a C2 domain base used by a previous threat group, highlighting the importance of threat intelligence. Through the combination of the proper threat intelligence, tools, and security solutions, it is possible to detect clues of an upcoming or ongoing attack.
  7. Enterprises should strengthen their own cybersecurity posture from understanding MITRE ATT&CK and the Cyber Defense Matrix (CDM) framework to building a security cycle that strengthens their own posture from the experience of previous security incidents. The implementation of multi-factor authentication or even a zero-trust architecture goes a long way to limiting the maneuverability for attackers.

Everything Starts From Security

CyCraft Customers can prevent cyber intrusions from escalating into business-altering incidents. From endpoint to network, from investigation to blocking, from in-house to cloud, CyCraft MDR covers all aspects required to provide small, medium, and large organizations with the proactive, intelligent, and adaptable security solutions needed to defend from all manner of both existing and emerging security threats with real-time protection and visibility across the organization.


CyCraft secures government agencies, financial institutions, semiconductor manufacturing, police and defense organizations, Fortune Global 500 firms, airlines, telecommunications, SMEs, and more by being Fast / Accurate / Simple / Thorough.

CyCraft automates information security protection with built-in advanced managed detection and response (MDR), global cyber threat intelligence (CTI), smart threat intelligence gateways (TIG), network detection and response (NDR), security operations center (SOC) operations software, auto-generated incident response (IR) reports, enterprise-wide Health Check (Compromise Assessment, CA), and Secure From Home services. CyCraft also collaborates with other cybersecurity organizations, including the International Forum of Incident Response & Security Teams (FIRST) and the Taiwan Cybersecurity Center of Excellence (CCoE).

