This blog article examines the technical aspects of the malware attack chain, the malware delivery methods, and other recent APT41 operations. It also discusses indicators of compromise (IOCs) to help security practitioners defend against similar attacks, and describes how GTIG thwarted this attempt by deploying customized detection signatures, taking down attacker-controlled infrastructure, and adding new safeguards to Safe Browsing.
APT41
APT41 is a Chinese cyber threat group known for conducting both independent, financially motivated cybercrime and state-sponsored espionage. The group is notable for using advanced espionage malware for its own benefit. It conducts strategic espionage against the high-tech and healthcare sectors in support of China’s economic goals, and targets the video gaming industry for profit. Using malware and methods that include supply chain intrusions and spear-phishing, APT41 is skilled, persistent, and agile. The probable government links behind APT41’s illegal activity highlight the complex interplay between cybercrime and the state.
Chinese Cyber Group APT41 Is Blurring the Boundaries Between Personal Crime and State Espionage
According to a detailed report by FireEye Intelligence, disclosed in a Google Cloud Blog post, the well-known Chinese cyber threat group APT41 is allegedly carrying out state-sponsored espionage in tandem with financially motivated operations. Among the China-based actors being tracked, this group stands out because it appears to use private malware, normally reserved for espionage campaigns, in activities likely carried out for personal gain. There is evidence that APT41 has been running cybercrime and cyberespionage operations simultaneously since 2014.
In general, APT41’s espionage targeting is in line with China’s five-year objectives for economic growth. Their strategic access to companies in the telecommunications, high-tech, and healthcare industries has been developed and maintained. The organization also carries out surveillance and tracks people, as evidenced by its frequent targeting of telecom companies’ call log data and operations against news/media corporations, travel agencies, and higher education institutions. In one case, APT41 appears to have conducted reconnaissance for security purposes by targeting a hotel’s reservation systems before Chinese officials arrived.
The video gaming industry has been the main target of APT41’s cybercrime efforts, which have included ransomware attempts and virtual currency manipulation. The group moves laterally within networks, including pivoting between Linux and Windows hosts, to reach game production environments. From these environments it steals source code and the code-signing certificates needed to sign malware. Importantly, it has a history of using this access to insert malicious code into legitimate files, which it then distributes to victim organizations through supply chain compromise techniques.
APT41’s most well-known espionage efforts have been characterized by these supply chain compromises. In these multi-stage operations, APT41 restricts the deployment of follow-on malware by matching against unique system identifiers, which limits delivery to the intended victims and makes the actual targets much harder to determine, despite the effort this requires.
The many malware families and tools used by APT41 include publicly available utilities, malware shared with other Chinese espionage groups, and custom tools. Initial compromise frequently happens through spear-phishing emails carrying compiled HTML files as attachments. Once inside, the group can use more advanced techniques and additional malware such as rootkits, credential stealers, keyloggers, and backdoors. APT41 has also made sparing use of rootkits and Master Boot Record (MBR) bootkits against high-value targets in order to conceal malware and maintain persistence; this adds stealth because the code runs before the operating system initializes.
The group is regarded as fast and relentless. It swiftly locates and compromises intermediary systems to gain access to network segments; in one instance it breached hundreds of systems across multiple segments and geographic regions in just two weeks. It is also highly persistent and nimble, reacting quickly to events or changes. APT41 has proven able to stage fresh malware, register new infrastructure, and re-establish itself in compromised systems across many geographic locations within hours of a victim organization making changes or users downloading infected attachments.
Possible connections have been found between APT41 activity and two individuals who go by the names “Zhang Xuguang” and “Wolfzhi” in Chinese-language forums. These individuals advertised their skills and services, indicating that they were available for hire.
A comparison of “Zhang Xuguang”’s stated online hours with APT41’s operating hours against online gaming targets suggests possible “moonlighting.” The attribution to these individuals is supported by persona data, apparent programming proficiency, and the targeting of online games tailored to the Chinese market, all of which are thought to have preceded the group’s later espionage activity. Mapping of operational activity since 2012 suggests that APT41 conducts its financially motivated operations primarily outside of regular working hours.
The research emphasizes APT41’s inventiveness, expertise, and resourcefulness, as demonstrated by its distinctive use of supply chain compromises, its regular use of compromised digital certificates to sign malware, and its use of bootkits, which is rare among Chinese APT groups. Since 2015, APT41, like other Chinese espionage groups, appears to have shifted away from direct intellectual property theft towards strategic intelligence gathering and access management, although this shift has not changed its ongoing financial interest in the video game industry. As its targeting and capabilities have expanded over time, further supply chain compromises across a variety of industries are possible.
Because of its connections to both state-sponsored operations and underground markets, APT41 may be afforded protections that allow it to engage in for-profit operations, or the authorities may simply choose to ignore it. Alternatively, it may just have avoided attention. Either way, these operations highlight a blurred boundary between state authority and criminal activity that matters to the wider threat ecosystem and that APT41 typifies.