Showing posts with label APT41.

China-Backed Earth Baku Broadens Cyber Assaults to Europe, Middle East, and Africa


The China-backed threat actor Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022. Newly targeted countries include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms, technology, healthcare, and education sectors are among those singled out as part of the intrusion set.

Trend Micro researchers Ted Lee and Theo Chen, in an analysis published last week, noted that Earth Baku has updated its tactics, techniques, and procedures (TTPs) in more recent campaigns. The group uses public-facing applications such as IIS servers as entry points, then deploys a sophisticated malware toolset inside the victim's environment. The findings build on recent reports from Zscaler and Google-owned Mandiant, which also detailed the threat actor's use of the malware families DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP); Trend Micro tracks the same families under its own names, StealthReacher and SneakCross.

Earth Baku, a threat actor associated with APT41, has been known for its use of StealthVector as far back as October 2020. Their attack chains involve the exploitation of public-facing applications to drop the Godzilla web shell, which is then used to deliver follow-on payloads. StealthReacher has been classified as an enhanced version of the StealthVector backdoor loader, responsible for launching SneakCross, a modular implant and a likely successor to ScrambleCross that leverages Google services for its command-and-control (C2) communication.
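The entry vector above (a public-facing IIS server, then a dropped web shell driven by the operator) leaves a recognisable trace in IIS logs. The following script is an added example, not code from Trend Micro or from this post: it parses IIS W3C extended logs and flags script paths that are driven only by POST requests from one or two client IPs, which is how a web shell is typically used and how a normal .aspx page is not. The log lines embedded in it are constructed for the example, and the thresholds (`max_ips`, `min_posts`) are assumptions to tune against your own baseline.

```python
"""Hunt for web-shell-style traffic in IIS W3C logs (added example).

Heuristic: a legitimate .aspx page is usually fetched with GET by many
clients, while a dropped web shell is driven almost only by POST requests
from one or two operator IPs and answers 200. Score each script path on
those properties and report the outliers.
"""
from collections import defaultdict

# Constructed sample in IIS W3C extended format; not a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2024-08-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 15
2024-08-01 10:00:05 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.8 Mozilla/5.0 200 12
2024-08-01 10:00:09 10.0.0.5 POST /Login.aspx - 443 - 203.0.113.8 Mozilla/5.0 302 40
2024-08-01 10:01:00 10.0.0.5 POST /aspnet_client/system_web/error.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 88
2024-08-01 10:01:07 10.0.0.5 POST /aspnet_client/system_web/error.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 91
2024-08-01 10:01:15 10.0.0.5 POST /aspnet_client/system_web/error.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 120
2024-08-01 10:02:00 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.9 Mozilla/5.0 200 3
"""

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp")


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip instead of mis-aligning columns
        yield dict(zip(fields, parts))


def find_webshell_candidates(text, max_ips=2, min_posts=2):
    """Return [(path, summary)] for script paths that look operator-driven."""
    stats = defaultdict(lambda: {"get": 0, "post": 0, "ok": 0, "ips": set()})
    for req in parse_w3c(text):
        path = req["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        s = stats[path]
        s["get"] += req["cs-method"] == "GET"
        s["post"] += req["cs-method"] == "POST"
        s["ok"] += req["sc-status"] == "200"
        s["ips"].add(req["c-ip"])
    hits = []
    for path, s in sorted(stats.items()):
        # POST-only, served to very few clients, and succeeding: worth a look
        if s["post"] >= min_posts and s["get"] == 0 and len(s["ips"]) <= max_ips:
            hits.append((path, {"posts": s["post"], "ok": s["ok"], "ips": len(s["ips"])}))
    return hits


if __name__ == "__main__":
    for path, summary in find_webshell_candidates(SAMPLE_LOG):
        print(f"suspicious script path {path}: {summary}")
```

Run it against a day of logs from the IIS LogFiles directory and review every hit against the deployment manifest; a path such as the one flagged here, sitting under a directory the application does not normally serve from, is exactly the kind of artifact to pull for static analysis.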

The attacks are further characterized by the use of other post-exploitation tools: the iox and Rakshasa tunneling and proxy tools, and the Tailscale mesh VPN service. Sensitive data is exfiltrated to the MEGA cloud storage service with the command-line client MEGAcmd. "The group has employed new loaders such as StealthVector and StealthReacher to stealthily launch backdoor components, and added SneakCross as their latest modular backdoor," the researchers stated.

"The persistence of Earth Baku is notable," said the researchers. "Their tactics show a sophisticated understanding of public-facing applications, allowing them to infiltrate various sectors with precision." They further explained that the group's post-exploitation tools are customized to fit specific operational needs, with iox and Rakshasa playing significant roles in maintaining prolonged access and stealth. Tailscale, the VPN service, ensures the attackers can manage their operations without detection, while MEGAcmd allows for efficient data exfiltration.

The continued evolution of Earth Baku's methods, including the introduction of new malware like SneakCross, highlights the growing complexity and threat posed by this actor. The group’s ability to adapt and refine their TTPs makes them a formidable adversary in the cyber landscape.

APT41 Strikes Again: Attacks Italian Industry Via Keyplug Malware


APT41: A well-known Chinese cyberespionage group with a history of targeting various sectors globally, known for its sophisticated techniques and likely state backing.

KeyPlug: A modular backdoor attributed to APT41, written in C++ and built for both Windows and Linux.

Brief overview

Cybersecurity researchers at Yoroi analysed the threat. APT41 is a China-based group well known for extensive cyber espionage and cybercrime campaigns. It is tracked under many aliases, including Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA, and WICKED SPIDER.

APT41 aims to steal confidential information, compromise systems for financial or strategic advantage, and target a wide range of industries, including government, manufacturing, technology, media, education, and gaming. 

Technical Analysis

The backdoor was developed to target both Windows and Linux operating systems, and the protocol it uses to talk to its operators depends on the configuration embedded in each sample.

The group's tactics, techniques, and procedures (TTPs) include custom malware, phishing, supply chain attacks, and the exploitation of zero-day vulnerabilities. Because of the global reach of its operations, defenders must maintain ongoing awareness to reduce the associated risk.

Notably, the modular backdoor KEYPLUG was dissected by Tinexta Cyber's Yoroi Malware ZLab team after a long and thorough analysis. KEYPLUG is written in C++ and has been in use since at least June 2021.

It exists in both Linux and Windows builds. What makes it a powerful weapon in APT41's toolbox is its support for several network protocols for command-and-control (C2) communication: HTTP, TCP, KCP over UDP, and WSS.

Malware explained

The first sample is an implant targeting Microsoft Windows. The infection chain begins with a separate component, distinct from the implant itself, written against the .NET framework and acting as a loader.

The loader's job is to decrypt a second file that is disguised as an icon file. Decryption uses the AES symmetric cipher, and the key is hard-coded in the sample itself.

Once decryption completes, the resulting payload (identified by its SHA256 hash) can be examined. A closer look shows that its structure corresponds directly to what Mandiant described in its report "Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments". In this particular sample the payload is additionally XOR-encoded with the single-byte key 0x59.
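The XOR layer described above is the part an analyst most often has to redo by hand, and the key will not be 0x59 in the next sample. The script below is an added example, not code from Yoroi's analysis or from this post: instead of trusting a hard-coded key, it brute-forces all 256 single-byte keys and scores each one by how much known PE plaintext (the `MZ` signature, the DOS stub message, the `PE\0\0` signature) it exposes. The encoded input is a constructed stand-in for a real payload, built here from a minimal fake PE header and XORed with 0x59; the AES step that precedes it in the real chain is assumed already done.

```python
"""Recover a single-byte XOR key from an encoded PE payload (added example).

After the .NET loader's AES step, the KEYPLUG payload is still XOR-encoded
(key 0x59 in the analysed sample). Rather than trust a hard-coded key,
score every candidate key by how much known PE plaintext it exposes; this
also copes with a future sample that uses a different key.
"""

# Byte strings every PE file carries in its DOS header, DOS stub and NT header.
KNOWN_PLAINTEXT = [b"MZ", b"This program cannot be run in DOS mode", b"PE\x00\x00"]


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def score_candidate(blob, key):
    """Points for each expected PE marker visible after decoding with `key`."""
    decoded = xor_bytes(blob[:4096], key)   # headers live in the first page
    score = 0
    if decoded[:2] == b"MZ":                # must be at offset 0, worth more
        score += 2
    for marker in KNOWN_PLAINTEXT[1:]:
        if marker in decoded:
            score += 1
    return score


def recover_xor_key(blob):
    """Return (key, score) for the most plausible single-byte key, or (None, 0)."""
    best_key, best_score = None, 0
    for key in range(256):
        s = score_candidate(blob, key)
        if s > best_score:
            best_key, best_score = key, s
    return best_key, best_score


def decode_payload(blob):
    """Decode `blob` with the recovered key; refuse if no key yields an MZ header."""
    key, score = recover_xor_key(blob)
    if key is None or score < 2:
        raise ValueError("no single-byte XOR key yields a PE header")
    return key, xor_bytes(blob, key)


def _fake_pe():
    """Constructed stand-in for a payload: DOS header, DOS stub, PE signature at 0x80."""
    dos = b"MZ" + b"\x90" * 58 + (0x80).to_bytes(4, "little")   # e_lfanew = 0x80
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")
    pad = b"\x00" * (0x80 - len(dos) - len(stub))
    return dos + stub + pad + b"PE\x00\x00" + b"\x64\x86" + b"\x00" * 64


# Encoded with the key reported for the analysed sample (0x59).
ENCODED_SAMPLE = xor_bytes(_fake_pe(), 0x59)

if __name__ == "__main__":
    key, plain = decode_payload(ENCODED_SAMPLE)
    pe_offset = plain.find(b"PE\x00\x00")
    print(f"recovered key 0x{key:02x}; header {plain[:2]!r}; PE signature at 0x{pe_offset:x}")
```

The scoring deliberately weights the `MZ` signature at offset 0 above the other markers, so a random hit on the stub string somewhere in the body cannot outvote a real header. For a multi-byte or rolling key the same idea applies with the key length as an extra search dimension, but that is beyond what this sample needed.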

Keyplug malware

The Linux variant of KeyPlug is somewhat more sophisticated and appears to be protected with VMProtect. Static analysis turned up numerous strings belonging to the UPX packer, yet UPX's automatic decompression failed, a common sign that the packer's headers were altered to defeat the stock unpacker.

After decoding its payload code at run time, this version relaunches itself via the fork syscall. This complicates analysis because it breaks the analyst's control flow: a debugger attached to the parent loses sight of the child that actually runs the payload unless it is told to follow it (in GDB, `set follow-fork-mode child` and `set detach-on-fork off`).

APT41: Cyberespionage Group Targets Asian Materials Industry


The Chinese state-sponsored APT41 cyberespionage group, also known as Blackfly, Barium, Bronze Atlas, Double Dragon, Wicked Panda, and Wicked Spider, has been one of the most active threat groups, operating since at least 2007.

The group has recently been targeting two subsidiaries of a major Asian conglomerate that specializes in materials and composites. The attack follows a separate, distinct campaign against the Asian materials sector.

The intrusion used the Winnkit backdoor, Mimikatz, and a set of tools for credential dumping, screen capture, process hollowing, SQL querying, memory dumping (ForkPlayground), and proxy configuration.

In a separate case, Symantec found a materials research organization in Asia being targeted by a previously unknown threat group, dubbed "Clasiopa," which does not appear to be linked to APT41 or other known groups.

Clasiopa is believed to have gained access to the targeted organization by brute-forcing public-facing servers, then using a range of post-exploitation tools: the Atharvan remote access trojan (RAT), a modified version of the Lilith RAT; the Thumbsender hacking tool; and a custom proxy tool. According to Symantec, the threat actor used the backdoors to compile lists of files and exfiltrate them, deleted logs, created a scheduled task to list file names, checked the IP addresses of the compromised machines, and attempted to disable endpoint protection.

Clasiopa also appears to have used legitimate software from Agile and Domino during the attack, though it is unclear whether the attackers deployed these tools themselves or simply abused existing installations. The Atharvan backdoor can download arbitrary files from its server, execute files, and reconfigure its C&C communications, all according to commands received from its operators.

In addition, the Atharvan RAT can terminate or restart programs, run remote commands and PowerShell scripts, and terminate and uninstall itself. Further analysis of Atharvan revealed a Hindi mutex and password, hinting that Clasiopa could be based in India, although Symantec notes these may be false flags planted by the group to muddy the investigation.

Chinese Hackers Steal U.S. Covid-19 Relief Funds, Experts Suspect APT41


Chinese Hackers steal US Covid funds

The US Secret Service alleged that a Chinese hacking group stole tens of millions of dollars from US Covid-19 relief funds. The incident underscores the growing threat that the US and its citizens face from state-backed threat actors.

The state-sponsored group APT41 is said to have defrauded pandemic relief programs of $20 million.

APT41 is known for cyber espionage and financially motivated attacks, but experts say this is the first confirmed instance of the group targeting US government funds. The stolen money came from Small Business Administration loan programs and unemployment insurance funds.

It also shows APT41's capacity to defraud the US on a larger scale, given the depth of personal data it has already collected on American citizens.

"Fintech companies contracted by the federal government to process pandemic payouts rushed through processing applications in pursuit of higher fees, which contributed to the fraud that occurred, according to a report by the US House Select Subcommittee on the Coronavirus Crisis published on December 1. The key issue at hand is the state-sponsored group's ability to scale future fraud attempts via automated technology and troves of taxpayer data China is believed to have obtained after security breaches at credit bureau Equifax and the US Office of Personnel Management, Hamilton said. OPM houses all federal employee data," reports Bloomberg.

APT41 believed behind the theft

It is not clear whether investigators believe APT41 compromised government systems or citizens' personal accounts to obtain the Covid-19 relief funds, or whether the group used previously stolen personal information to commit identity fraud.

Investigating agencies did not disclose further details about how the theft took place, saying that "with respect to a potentially ongoing investigation, we have no further publicly available information."

Individual US citizens may find it hard to imagine themselves as victims of a state-sponsored attacker such as China, but the threat is rising.

"When you look at how many records they have, talk about massive fraud. If the Chinese-based hackers wanted to use that information for fraud, they would have a very easy time with that because they have it all," said Linn Freedman, a cybersecurity partner at Robinson+Cole LLP.

The threat scale has increased

Little information is currently available about the security gaps that enabled the fraudulent claims against the relief funds, but the theft is not believed to be an isolated incident.

Mike Hamilton, chief information security officer at the cybersecurity firm Critical Insight, believes the operation was a "beta test" of APT41's ability to defraud the American government, and that the group went after the relief funds because they were easy to steal.

Bloomberg reports, "APT41 recently compromised at least six state government websites and exfiltrated personally identifiable information as part of a deliberate hacking campaign targeting states, according to a report published by cybersecurity firm Mandiant in March 2022."