Several organizations operating in the global logistics and shipping, media and entertainment, technology and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey and the United Kingdom have become target of a “sustained campaign” by the prolific China-based hacking group APT41; after APT41 had recently made an outcry to bolster its malware arsenal, it is back at it again.
What APT41 did to infrastructure
“APT41 has managed to infiltrate and maintain prolonged, unauthorized access to the networks of numerous victims since 2023, allowing them to extract sensitive data for an extended period.“, has declared Google-owned Mandiant in a new report published Thursday.
The threat intelligence firm described the APT41 group as unique among Chinese cybercriminal groups for its use of “non-public malware typically reserved for espionage operations in activities that appear to go beyond the scope of state-sponsored missions.”
What is the modus operandi of APT41 in this attack?
The attack chains involve the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP) and publicly available tools (SQLULDR2 and PINEGROVE) to achieve persistence, distribute additional payloads and exfiltrate data of interest.
The web shells act as a conduit to discharge the DUSTPAN dropper (also known as the StealthVector) responsible for loading the Cobalt Strike Beacon for command and control (C2) communications, followed by deployment of the DUSTTRAP dropper after lateral movement.
DUSTTRAP, for his part, It is configured to decrypt a malicious payload and execute it in memorywhich in turn establishes contact with an attacker-controlled server or a compromised Google Workspace account in an attempt to hide its malicious activities.
Google said the identified Workspace accounts have been remediated to prevent unauthorized access; however, did not reveal how many accounts were affected.
The intrusions are also characterized by the use of SQLULDR2 to export data from Oracle databases to a local text file and PINEGROVE to transmit large volumes of sensitive data from compromised networks by abusing Microsoft OneDrive as an exfiltration vector.
APT41 used various malware families
It is worth noting that the malware families that Mandiant tracks as DUSTPAN and DUSTTRAP share similarities with those that have been coded as DodgeBox and MoonWalk respectively by Zscaler ThreatLabz.
“DUSTTRAP is a multi-stage plugin framework with multiple components“, Mandiant researchers said, adding that they have identified at least 15 plugins capable of executing shell commands, file system operations, enumerating and terminating processes, capturing keystrokes and screenshots, gathering system information, and modifying the Windows Registry.
It is also designed to probe remote hosts, perform Domain Name System (DNS) lookups, list remote desktop sessions, upload files, and conduct various manipulations on Microsoft Active Directory.
“The DUSTTRAP malware and its associated components observed during the intrusion were signed with allegedly stolen code signing certificates,” the company said. “One of the code signing certificates appeared to be related to a South Korean company operating in the video game industry.“
In addition to APT41, the hacker group GhostEmperor also makes its presence felt again
The revelation comes as Israeli cybersecurity firm Sygnia has revealed details of a cyberattack campaign conducted by a sophisticated China-linked cybercriminal group called GhostEmperor to distribute a variant of the Demodex rootkit.
The exact method used to compromise the targets is currently unclear, although the group has previously been observed exploiting known flaws in internet-facing applications; Initial login facilitates the execution of a Windows batch script, which drops a Cabinet archive (CAB) file to eventually launch a main plant module.
The implant is equipped to handle C2 communications and install the Demodex kernel rootkit using an open-source project called Cheat Engine for bypass the Windows Driver Signature Enforcement (DSE) mechanism.
“GhostEmperor employs a multi-stage malware to achieve stealth execution and persistence and uses several methods to hinder the analysis process“, said security researcher Dor Nizar.
#APT41 #Hacker #Group #Attacks #Countries #Including #Italy