Thursday, September 19, 2024

Google Researchers Detailed Tools Used by APT41 Hacker Group


Advanced persistent threat group APT41 launched an extended attack that successfully compromised a number of companies in the media and entertainment, IT, transportation and logistics, and automotive industries. 

The campaign’s target organizations came from a wide range of nations, including Taiwan, Thailand, Turkey, Italy, Spain, and the United Kingdom.

Since 2023, APT41 has been able to gain and sustain long-term, unauthorized access to several victims’ networks, which has allowed them to collect sensitive data over an extended period of time. 

Attack Path Of APT41 Attack

APT41 is a well-known cyber threat group that carries out Chinese state-sponsored espionage as well as financially motivated activity that may be outside state control.

Working with Google’s Threat Analysis Group (TAG), Mandiant observed APT41 using ANTSWORD and BLUEBEAM web shells to execute DUSTPAN and the BEACON backdoor for command-and-control communication.


During the intrusion, APT41 utilized DUSTTRAP, which led to hands-on-keyboard activity. DUSTTRAP would decrypt a malicious payload and run it in memory, leaving as little evidence as possible for forensic analysis.

APT41 used PINEGROVE to systematically and effectively exfiltrate vast amounts of sensitive data from the compromised networks, sending the data to OneDrive to facilitate exfiltration and further analysis.

SQLULDR2 was utilized to export data from Oracle databases.

Attack diagram of APT41 attack

DUSTPAN And BEACON

A C/C++ in-memory dropper called DUSTPAN decrypts and runs an embedded payload.

“This time, APT41 disguised DUSTPAN as a Windows binary by executing the malicious file as w3wp.exe or conn.exe. Additionally, the DUSTPAN samples were made persistent via Windows services,” Microsoft.

The BEACON payloads that were loaded into memory by the DUSTPAN samples were encrypted with ChaCha20.

After being executed, the BEACON payloads used Cloudflare Workers as their command-and-control (C2) channels or self-managed infrastructure housed behind Cloudflare for communication.
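The masquerading and service persistence described in this section can be hunted for in endpoint telemetry. The following is an added example, not code from Mandiant or from the original article: it triages events normalized from process-creation logs (for example Sysmon Event ID 1) and service-installation logs (System Event ID 7045). The event field names, the sample events, and the list of legitimate w3wp.exe directories are assumptions.

```python
import ntpath

# File names the article says DUSTPAN was executed as.
MASQUERADE_NAMES = {"w3wp.exe", "conn.exe"}
# Assumption: default locations of the genuine IIS worker process.
LEGIT_W3WP_DIRS = {r"c:\windows\system32\inetsrv", r"c:\windows\syswow64\inetsrv"}

def image_path(cmdline):
    """Pull the executable path out of a command line or service ImagePath."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    end = cmdline.lower().find(".exe")
    return cmdline[:end + 4] if end != -1 else cmdline.split(" ", 1)[0]

def triage(event):
    """Return findings for one event; an empty list means nothing to review."""
    image = image_path(event["cmdline"])
    name = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower()
    findings = []
    if name not in MASQUERADE_NAMES:
        return findings
    # The genuine w3wp.exe is started by IIS, not registered as a service, and
    # the article gives no benign baseline for conn.exe, so both are reviewed.
    if event["type"] == "service_install":
        findings.append(f"service {event['service']!r} launches {name}")
    if name == "w3wp.exe" and folder not in LEGIT_W3WP_DIRS:
        findings.append(f"w3wp.exe running from {folder}")
    return findings

# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    {"type": "process_create", "cmdline": r'C:\Windows\System32\inetsrv\w3wp.exe -ap "DefaultAppPool"'},
    {"type": "process_create", "cmdline": r"C:\ProgramData\w3wp.exe"},
    {"type": "service_install", "service": "ExampleSvc", "cmdline": r'"C:\Users\Public\conn.exe" -k'},
    {"type": "service_install", "service": "ExampleHost", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

def scan(events):
    """Map event index -> findings for every event that needs review."""
    return {i: f for i, e in enumerate(events) if (f := triage(e))}

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(index, findings)
```

A file name match alone is a lead for review, not a verdict; pair it with signature and hash checks on the flagged binary.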

DUSTTRAP

DUSTTRAP is a multi-component, multi-stage plugin framework.

To further blend its malicious actions with legitimate traffic, the decrypted payload in this instance was intended to open communication channels with either APT41-controlled infrastructure for command and control or, in some cases, with a compromised Google Workspace account.

Full execution flow of DUSTTRAP

The DUSTTRAP malware and accompanying components discovered during the attack were code signed with likely stolen code signing certificates.

It appeared that one of the code-signing certificates belonged to a South Korean business engaged in the gaming industry. 

SQLULDR2 And PINEGROVE

The contents of a remote Oracle database can be exported to a local text file using the C/C++ command-line tool SQLULDR2.

Mandiant noticed that APT41 was using PINEGROVE to exfiltrate data during the intrusion. PINEGROVE is a Go-based command-line uploader that can be used to gather and submit files to OneDrive via the OneDrive API. 

It is believed that the group’s persistent pursuit of personal wealth by attacking the video game sector influenced the creation of strategies that were later employed in their espionage activities.
