KeyPlug: A modular backdoor malware allegedly used by APT41. It is written in C++ and functions on both Windows and Linux machines.
Cybersecurity experts at Yorai have discovered the threat. APT41 is a cyber threat group from China that is well-known for its extensive cyber espionage and cybercrime campaigns. It is also known by many aliases, including Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA, and WICKED SPIDER.
APT41 aims to steal confidential information, compromise systems for financial or strategic advantage, and target a wide range of industries, including government, manufacturing, technology, media, education, and gaming.
The backdoor has been developed to target both Windows and Linux operative systems and uses different protocols to communicate which depend on the configuration of the malware sample itself.
The use of malware, phishing, supply chain attacks, and the exploitation of zero-day software vulnerabilities are some of the group's tactics, methods, and procedures (TTPs). Because of the global threat posed by their operations, cybersecurity experts must maintain ongoing awareness to reduce associated risks.
Notably, the notorious modular backdoor malware, KEYPLUG, was separated by Tinexta Cyber's Yoroi malware ZLab team after a protracted and thorough examination. KEYPLUG is a C++ program that has been in use since at least June 2021.
It is available for Linux and Windows. It is a powerful weapon in APT41's cyberattack toolbox because it supports several network protocols for command and control (C2) communication, such as HTTP, TCP, KCP over UDP, and WSS.
The first example of malware is an implant that targets Windows operating systems from Microsoft. The infection originates from a different part that uses the.NET framework to function as a loader compared to the implant itself.
The purpose of this loader is to decrypt a different file that looks like an icon file. The popular symmetric encryption algorithm AES is used for the decryption, and keys are kept right there in the sample.
After the decryption process is finished, the newly created payload with its SHA256 hash can be examined. If one looks more closely at that malware sample, one can see that Mandiant's report "Does This Look Infected?" had a direct correlation with the virus's structure. An Overview of APT41 Aimed against US State Governments. The XOR key in this particular instance is 0x59.
The Keyplug malware looks to employ VMProtect and is a little more sophisticated when it comes to Linux. Numerous strings connected to the UPX packer were found during static analysis, although the automated decompression procedure was unsuccessful.
This version relaunches using the syscall fork after completing the task of decoding the payload code during execution. Malware analysis becomes challenging with this strategy since it breaks the analyst's control flow.
The cyber-threat group has recently been targeting two subsidiaries of a major Asian conglomerate, which apparently specializes in materials and composites. The attack follows right after another distinct campaign against the Asian material sector.
The APT attack was seen utilizing the Winnkit backdoor, Mimikatz, and several tools for credential dumping, screen capture, process hollowing, SQL querying, memory dumping (ForkPlayground), and proxy configuration.
In one of the instances, Symantec discovered a material research organization in Asia that was being targeted by a previously unidentified threat group named ‘Clasiopa,’ which does not seem to be linked to the APTs.
It is believed that Clasiopa acquired access to the targeted organization by brute forcing public facing servers and using a variety of post-exploitation tools like Atharvan remote access trojan (RAT), which is a modified version of the Lilith RAT, the Thumbsender hacking tool, and a custom proxy tool. The threat actor, according to Symantec, utilized the backdoors to compile lists of files and exfiltrate them, deleted logs, set a scheduled task to list file names, and verified the IP addresses of the compromised machines in an effort to disable endpoint protections.
Moreover, it appears that Clasiopa used authorised software from Agile and Domino throughout the attack, but it is still unclear whether the attackers actually deployed the tools or simply abused the existing installations. Apparently Atharvan backdoor is able to download arbitrary files from the server, execute files, and configure communications through the C&C server, all based on the commands received from its operators.
Adding to this, the Atharvan RAT can terminate or restart programs, send remote commands and PowerShell scripts, as well as terminate and uninstall itself. Further analysis on Atharvan revealed a Hindi mutex and a password, suggesting that Clasiopa could be based in India, although Symantec says that these could be some of the false flags planted by the threat group to muddle with the investigation.
The US Secret Service alleged that a Chinese hacking group stole tens of millions of dollars from US Covid-19 relief funds. The incident has increased the threat that the US and its citizens are facing from threat actors.
State-sponsored cyber criminal group APT41 scammed and stole $20 million that was used as a pandemic relief during Covid-19.
Experts say this is the first theft of APT41, it is known for cyber espionage and financial cyberattacks. But this time, it is confirmed that APT41 has targeted US government funds. The money consists of small business administration plans and unemployment insurance funds.
It also shows APT41's capability to defraud the US on a bigger scale, given the depth of details it has retrieved about American citizens.
"Fintech companies contracted by the federal government to process pandemic payouts rushed through processing applications in pursuit of higher fees, which contributed to the fraud that occurred, according to a report by the US House Select Subcommittee on the Coronavirus Crisis published on December 1. The key issue at hand is the state-sponsored group’s ability to scale future fraud attempts via automated technology and troves of taxpayer data China is believed to have obtained after security breaches at credit bureau Equifax and the US Office of Personnel Management, Hamilton said. OPM houses all federal employee data.ls it has retrieved about the American citizens," reports Bloomberg
APT41 believed behind the theft
It is not clear if agencies believe APT41 compromised government systems or citizens' personal accounts to get the Covid-19 relief funds, or if they hacked into already stolen information to engage in an identity scam.
Investigating agencies didn't disclose any more details about how the theft took place, saying “with respect to a potentially ongoing investigation, we have no further publicly available information.”
For individual US citizens, it may be hard to imagine themselves as victims of a states sponsored attack like China, however, the threat is rising.
“When you look at how many records they have, talk about massive fraud. If the Chinese-based hackers wanted to use that information for fraud, they would have a very easy time with that because they have it all," said Linn Freedman, cybersecurity partner of Robinson Cole LLP.
Currently, not much information is available to determine the security loopholes that resulted in fraudulent activity related to the relief funds, it is believed that the money theft is not an isolated incident.
Mike Hamilton, the chief information security officer at cybersecurity agency Critical Insight, believes that the cyberattack was a "beta test" of APT41's capabilities to defraud the American government and also that APT41 attacked the funds because it was easy to steal.
Bloomberg reports, "APT41 recently compromised at least six state government websites and exfiltrated personally identifiable information as part of a deliberate hacking campaign targeting states, according to a report published by cybersecurity firm Mandiant in March 2022."