APT41: A well-known Chinese cyberespionage group with a history of targeting various sectors globally. They are known for their sophisticated techniques and possible state backing.
KeyPlug: A modular backdoor malware allegedly used by APT41. It is written in C++ and functions on both Windows and Linux machines.
Brief overview
Cybersecurity experts at Yoroi have discovered the threat. APT41 is a cyber threat group from China that is well known for its extensive cyber espionage and cybercrime campaigns. It is also tracked under many aliases, including Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA, and WICKED SPIDER.
APT41 aims to steal confidential information, compromise systems for financial or strategic advantage, and target a wide range of industries, including government, manufacturing, technology, media, education, and gaming.
Technical Analysis
The backdoor was developed to target both Windows and Linux operating systems, and the protocol it uses to communicate depends on the configuration embedded in each malware sample.
The group's tactics, techniques, and procedures (TTPs) include malware, phishing, supply chain attacks, and the exploitation of zero-day software vulnerabilities. Because of the global threat posed by their operations, cybersecurity experts must maintain ongoing awareness to reduce the associated risks.
Notably, the modular backdoor malware KEYPLUG was dissected by Tinexta Cyber's Yoroi malware ZLab team after a lengthy, in-depth analysis. KEYPLUG is a C++ program that has been in use since at least June 2021.
It is available for Linux and Windows. It is a powerful weapon in APT41's cyberattack toolbox because it supports several network protocols for command and control (C2) communication, such as HTTP, TCP, KCP over UDP, and WSS.
Malware explained
The first malware sample is an implant targeting Microsoft Windows. The infection starts from a separate component, distinct from the implant itself, that is built on the .NET framework and acts as a loader.
The purpose of this loader is to decrypt a second file that is disguised as an icon file. Decryption uses AES, a widely used symmetric cipher, and the key is embedded directly in the sample.
Once decryption completes, the resulting payload (identified by its SHA256 hash) can be examined. A closer look at that sample shows that its structure directly matches the one described in Mandiant's report "Does This Look Infected? An Overview of APT41 Aimed against US State Governments". The XOR key in this particular instance is 0x59.
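To illustrate the kind of decoding step this loader chain implies, here is an added Python example (not code from the Yoroi report) that recovers a single-byte XOR key from an encoded PE payload by known-plaintext search and then decodes it; the encoded blob is constructed inline, and 0x59 is the key cited above.

```python
# Added example (not from the Yoroi/Tinexta analysis): recovering a single-byte
# XOR key from an encoded PE payload by known-plaintext search, then decoding it.
# The sample payload below is constructed: a fake MZ header plus the DOS stub
# string, XOR-encoded with 0x59, the key the report cites for this sample.
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode."


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor_key(blob: bytes) -> Optional[int]:
    """Return the key for which the decoded blob looks like a PE file, else None.

    Known-plaintext check: a PE image starts with 'MZ' and its DOS stub carries
    the fixed message above, so both must appear after decoding. Requiring the
    stub string as well as the two header bytes avoids false positives."""
    for key in range(256):
        candidate = xor_decode(blob, key)
        if candidate[:2] == b"MZ" and DOS_STUB in candidate:
            return key
    return None


def build_constructed_sample(key: int) -> bytes:
    """Construct a fake encoded payload: MZ header, padding, DOS stub, padding."""
    fake_pe = b"MZ" + b"\x90" * 0x3E + DOS_STUB + b"\x00" * 16
    return xor_decode(fake_pe, key)


if __name__ == "__main__":
    encoded = build_constructed_sample(0x59)
    key = recover_single_byte_xor_key(encoded)
    if key is None:
        print("no single-byte XOR key produced a PE image")
    else:
        print(f"recovered key: {key:#x}")          # prints 0x59
        print(xor_decode(encoded, key)[:2])         # b'MZ'
```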
Keyplug malware
The Linux variant of KeyPlug is somewhat more sophisticated and appears to use VMProtect. Static analysis turned up numerous strings associated with the UPX packer, but the automated unpacking procedure failed.
During execution, after it finishes decoding the payload code, this variant relaunches itself via the fork syscall. This strategy complicates malware analysis because it breaks the analyst's control flow: the decoded code runs in the child process rather than the one under observation.