Attacks by Prolific APT41 Tied to Chinese Government

Chinese state-sponsored APT41 is behind more cyberattack campaigns than previously known, according to new research from the BlackBerry Research and Intelligence Unit.

Inspired by details on Cobalt Strike activity that used a bespoke, malleable command-and-control (C2) profile previously documented by FireEye, the researchers chased down malware campaigns that used Cobalt Strike with a bespoke malleable C2 profile. They discovered previously unnoticed links between attacks, revealing a campaign that plays off people’s fears about the pandemic.

“We were able to uncover what we believe is additional APT41 infrastructure by taking these unique aspects and following the trail of digital breadcrumbs,” BlackBerry researchers said. “Overlapping indicators of compromise (IoCs) linked the trail of our findings to those of two additional campaigns documented by Positive Technologies and Prevailion, respectively, as Higaisa or Winnti? APT41 backdoors, old and new, and The Gh0st Remains the Same.”

Once the threat is on a user’s machine, it “blends into the digital woodwork by using its own customized profile to hide its network traffic,” the researchers said.

The potential reach of APT41 is tremendous and effectively tracking the group’s activities requires collaboration among security firms. “With the resources of a nation-state level threat group, it’s possible to create a truly staggering level of diversity in their infrastructure,” the BlackBerry researchers wrote. “And while no one security group has that same level of funding, by pooling our collective brainpower, we can still uncover the tracks that the cybercriminals involved worked so hard to hide.”

Worth noting, APT41’s activity “shows the recent, ongoing trend for various criminal and nation-state threat actors who continue to adopt Cobalt Strike as a method of attack,” said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows. “With such widespread use, attribution becomes difficult if based solely on a tool, and this research shows how indicators of compromise can be important in an investigation.”

The group “is a prolific actor with an extensive cross-platform campaign,” said Kristina Balaam, senior security intelligence engineer at Lookout. “We have witnessed numerous attempts by the threat actor to disguise malicious functionality within apps masquerading as legitimate mobile device tools.” Lookout has also observed the group attempting “to disguise network traffic to C2 infrastructure, as is discussed in the BlackBerry report,” said Balaam. “Much of the APT41 infrastructure we’ve identified in Android malware campaigns hosts malicious EXE and PDF files in addition to managing command and control capabilities for the malware.”

Lookout also has witnessed APT41’s use of the exploits detailed by BlackBerry in the group’s attacks against mobile device users, said Balaam, noting that “much of their proprietary tooling leverages known rooting tools and exploits in order to gain escalated privileges and access to sensitive information on the device.”

Among the group’s targets are victims in India who were lured by messages supposedly from the Indian government about tax legislation. “These lures were part of an execution chain that had the goal of loading and executing a Cobalt Strike Beacon on a victim’s network,” researchers said. “The phishing lures and attachments also fit tactics that were previously used in infection vectors by APT41. These findings show that the APT41 group is still regularly conducting new campaigns and that they will likely continue to do so in the future.”

Nikkel found it compelling “that APT41 seems to be still using very tried-and-true tactics in social engineering and malware delivery.” While weaponized documents and hidden PowerShell scripts are not new, “the fact this group continues to use them underscores the idea that the tactics still work,” he said. “Defenders should be looking for strange or suspicious domains in network traffic that abuse trust, such as spoofed Microsoft or similar provider and cloud domains.”
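As an added example, not code from the BlackBerry report or this article, here is a small Python check of the kind Nikkel describes: it scans constructed proxy log lines for hosts that impersonate trusted provider domains, either by look-alike spelling or by placing a brand name on an unrelated registered domain. The trusted-domain list, brand tokens, log format and the crude two-label registrable-domain rule are assumptions.

```python
# Constructed sample proxy log lines (not real traffic): time, client, method, host, path
SAMPLE_LOG = """\
2021-10-05T09:12:01Z 10.0.0.12 GET login.microsoftonline.com /common/oauth2
2021-10-05T09:12:05Z 10.0.0.12 POST update.micros0ft-cdn.com /api/v1/check
2021-10-05T09:13:10Z 10.0.0.19 GET office365.login-secure-portal.net /auth
2021-10-05T09:14:00Z 10.0.0.19 GET www.microsoft.com /download
2021-10-05T09:15:33Z 10.0.0.33 POST azure-edge.cloudapp.example.org /submit
2021-10-05T09:16:02Z 10.0.0.33 GET cdn.microsofft.com /update
"""

# Assumed allowlist of registrable domains the organisation expects to see.
TRUSTED = ("microsoft.com", "microsoftonline.com", "office.com", "windows.net", "azureedge.net")
# Brand tokens whose presence on an untrusted domain is suspicious (assumed list).
BRANDS = ("microsoft", "office365", "azure", "windows")
# Digit-for-letter substitutions commonly used in look-alike names.
LEET = str.maketrans("01345", "oleas")

def registrable(host):
    # Crude eTLD+1: last two labels (no public-suffix list; assumption for this example).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    # Return None for trusted hosts, otherwise a short verdict string.
    low = host.lower().rstrip(".")
    if registrable(low) in TRUSTED:
        return None
    norm = low.translate(LEET)                      # micros0ft -> microsoft
    label = registrable(norm).split(".")[0]
    for t in TRUSTED:                               # near-miss spelling of a trusted label
        if levenshtein(label, t.split(".")[0]) <= 2:
            return f"lookalike of {t}"
    if any(b in low or b in norm for b in BRANDS):  # brand used as a subdomain or prefix
        return "brand token on untrusted domain"
    return None

def find_spoofed(log):
    # Yield (client, host, verdict) for every log line whose host looks like a spoof.
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 4 and (verdict := classify(parts[3])):
            hits.append((parts[1], parts[3], verdict))
    return hits
```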

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.