FireEye identifies dual nature Chinese cyber threat group

guest · Aug 7, 2019

FireEye identifies dual nature Chinese cyber threat group
Threat group engaged in state-spored espionage in parallel with cyber criminal activities targeting multiple industries worldwide
August 7, 2019
https://www.computerweekly.com/news...tifies-dual-nature-Chinese-cyber-threat-group

A Chinese advanced persistent threat (APT) group dubbed APT41 is targeting organisations in the healthcare, gaming, high tech and media industries in 15 jurisdictions, say researchers at security firm FireEye.

The group, believed to have been operational for more than seven years, is unique among China-based actors because it uses tools that are typically reserved for espionage campaigns for activity that appears to be for personal gain, and therefore criminal in nature.

“APT41 is as agile as its members are skilled and well-resourced,” said Sandra Joyce, senior vice-president of global threat intelligence at FireEye.
The group’s financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware, the researchers said.

In one case, the group compromised hundreds of systems across multiple network segments and several geographic regions in as little as two weeks, the researchers said.
Click to expand...

FireEye: APT41: A Dual Espionage and Cyber Crime Operation

guest · Aug 20, 2019

Chinese Cyber-Spies Target US-Based Research University
August 20, 2019
https://www.securityweek.com/chinese-cyber-spies-target-us-based-research-university

In April 2019, the group targeted a publicly-accessible web server at a U.S.-based research university, exploiting CVE-2019-3396, a vulnerability in Atlassian Confluence Server, for path traversal and remote code execution.
The attackers used custom JSON POST requests to run commands and force the vulnerable system to download an additional file, which was identified as a variant of the China Chopper web shell.

Next, the attackers downloaded two additional files onto the system, the first of which was used to deploy the HIGHNOON backdoor, which consists of a loader, a dynamic-link library (DLL), and a rootkit. The DLL may deploy additional drivers to conceal network traffic and to fetch memory-resident DLL plugins from the command and control (C&C) server.
Within the next 35 minutes, the attackers used both the China Chopper web shell and the HIGHNOON backdoor to issue commands to the system.

“Ultimately, the attacker was able to exploit a vulnerability, execute code, and download custom malware on the vulnerable Confluence system. While Mimikatz failed, via ACEHASH they were able to harvest a single credential from the system. However, as Managed Defense detected this activity rapidly via network signatures, this operation was neutralized before the attackers progressed any further,” FireEye notes.
Click to expand...

FireEye: GAME OVER: Detecting and Stopping an APT41 Operation

guest · Oct 31, 2019

Researchers unearth malware that siphoned SMS texts out of telco’s network
Messagetap monitored telco's network for messages sent between high-value targets
October 31, 2019
https://arstechnica.com/information...hat-siphoned-sms-texts-out-of-telcos-network/

Nation-sponsored hackers have a new tool to drain telecom providers of huge amounts of SMS messages at scale, researchers said.

Dubbed "Messagetap" by researchers from the Mandiant division of security firm FireEye, the recently discovered malware infects Linux servers that route SMS messages through a telecom’s network. Once in place, Messagetap monitors the network for messages containing either a preset list of phone or IMSI numbers or a preset list of keywords.
Targeting upstream data sources
The security firm said Messagetap belongs to APT41, one of several advanced persistent threat hacking groups that researchers say is sponsored by the Chinese government.

“The use of MESSAGETAP and targeting of sensitive text messages and call detail records at scale is representative of the evolving nature of Chinese cyber espionage campaigns observed by FireEye,” the researchers wrote. “APT41 and multiple other threat groups attributed to Chinese state-sponsored actors have increased their targeting of upstream data entities since 2017.
Click to expand...

While Messagetap isn’t likely to have monitored the vast majority of the infected telecom’s users, its existence shows that network providers aren’t the only entities that can tap phone networks. Its use demonstrates the prudence of not using phone networks to relay sensitive information unencrypted.
Click to expand...

FireEye: MESSAGETAP: Who’s Reading Your Text Messages?

guest · Mar 25, 2020

Surge in attacks from China-linked APT41 targeting unpatched Citrix servers and Cisco routers
March 25, 2020
https://www.computing.co.uk/news/4013048/apt41-china-attacks

APT41 sought to take advantage of security flaws in unpatched Citrix NetScaler servers, Cisco routers and Zoho ManageEngine Desktop Central, targeting 75 organisations in total.
It's unclear whether APT41 scanned the internet for targets and attempted exploitation en masse, or selected specific organisations, but the victims appear to be more targeted in nature, according to FireEye.

The primary attack vector has been the CVE-2019-19781 Citrix Application Delivery Controller (ADC) security flaw that Citrix was accused of being lackadaisical in addressing.
There was a lull in activity from the group between 23rd January and 1st February, consistent with the Chinese New Year holiday period - "a common activity pattern by Chinese APT groups", according to FireEye.

At the beginning of March APT41 also deployed a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 at more than a dozen FireEye customers. Five separate customers were compromised as a result.

"This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years," claimed FireEye in its report published today.
Click to expand...

"While APT41 has previously conducted activity with an extensive initial entry... this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41."
Click to expand...

FireEye: This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

Outlook
It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.

In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.
Previously, FireEye Mandiant Managed Defense identified APT41 successfully leverage CVE-2019-3396 (Atlassian Confluence) against a U.S. based university. While APT41 is a unique state-sponsored Chinese threat group that conducts espionage, the actor also conducts financially motivated activity for personal gain.
Click to expand...

guest · Apr 15, 2020

Chinese Hacking Group “APT41” Is Using a New Speculoos Backdoor
The attackers have developed the new malware specifically for BSD systems used in certain organizations
April 14, 2020
https://www.technadu.com/chinese-hacking-group-apt41-using-new-speculoos-backdoor/98763/

According to a report compiled by Unit 42 researchers, the actors keep on using CVE-2019-19781, which was exploited in at least another three instances, retrieving a novel Speculoos backdoor over FTP.

It looks like APT41 have specifically developed this backdoor to target Citrix network appliances and FreeBSD systems.
BSD (Berkeley Software Distribution) is a type of Unix operating system that sees limited use on the server market, so malware that was specifically created for it isn’t a common sight. This is indicative of the sophistication and the narrow targeting of APT41. Speculoos is a backdoor compiled with GCC 4.2.1 and has the form of an ELF executable.

In addition to lateral movement, Speculoos enables the attackers to modify network traffic, which would open the door to additional payload injection, man-in-the-middle attacks, or user redirection to spoofed phishing pages.
Click to expand...

Palo Alto Networks - Unit42: APT41 Using New Speculoos Backdoor to Target Organizations Globally

Vulnerabilities that allow for remote code execution by unauthorized users are nearly always a potentially high impact security issue, especially if they affect systems that are public-facing.
In this case, CVE-2019-19781 affected multiple appliances that were may be public-facing, and had a highly motivated adversary actively exploiting the vulnerability to install a custom backdoor.

In addition, because by default these appliances have access to a large number of organizational systems, lateral movement becomes far less of a challenge.
Lastly, due to the nature of appliances, detection of these attacks may be significantly more challenging, as generally they are black-box type solutions which are not often interacted with or inspected for anomalous activity, unless an issue arises.
Click to expand...

hawki · Sep 16, 2020

"US charges five hackers part of Chinese state-sponsored group APT41

US says APT41 orchestrated intrusions at more than 100 companies across the world, ranging from software vendors, video gaming companies, telcos, and more...

ATP41's operations were first revealed in a FireEye report published in August 2019..."

US officials said the hackers stole proprietary source code, code-signing certificates, customer data, and valuable business information..."

https://www.zdnet.com/article/us-charges-five-hackers-part-of-chinese-state-sponsored-group-apt41/

"NBC News: The picture the Justice Dept. is depicting today of yet another hack allegedly perpetrated by APT 41, a Chinese group, is that they are hacking into software companies and building their own backdoor code. This allows them to gain entry to wide-swaths of industries."

https://twitter.com/Tom_Winter/status/1306256939958099968

guest · Sep 19, 2020

APT41: Indictments Put Chinese Espionage Group in the Spotlight
September 17, 2020
https://symantec-enterprise-blogs.s...ntelligence/apt41-indictments-china-espionage

The U.S. government has charged seven men in relation to hundreds of cyber attacks against organizations in the U.S. and multiple other countries in Asia and Europe. Two of the men, who were based in Malaysia, were arrested and their extradition to the U.S. has been requested. The other five are based in China and remain at large.

The attacks were attributed to a China-linked organization dubbed APT41 and involved a combination of intellectual property theft and financially motivated cyber crime. While some of our peers monitor APT41 as a single operation, Symantec regards it as two distinct actors: Grayfly and Blackfly.
Grayfly
Grayfly has been particularly active in recent years, mounting high volume espionage attacks against organizations spread across Asia, Europe, and North America.
In recent attacks, Symantec has seen Grayfly deploy Backdoor.Motnug against targeted organizations in conjunction with publicly available Cobalt Strike malware.
Click to expand...

Blackfly
Blackfly has been active since at least 2010 and is known for attacks involving the PlugX/Fast (Backdoor.Korplug), Winnti/Pasteboy (Backdoor.Winnti), and Shadowpad (Backdoor.Shadowpad) malware families.

Recent Blackfly activity observed by Symantec saw the group deploy a slightly modified version of the Winnti malware against a telecoms organization in Taiwan. A feature of the attack was their use of the names of security vendors in naming files in an attempt to avoid raising suspicions.
The link between Grayfly and Blackfly
While Grayfly and Blackfly appear to be distinct operations, the indictments allege that there is a link between the two groups.
Click to expand...

Unwelcome attention
Grayfly and Blackfly have been prolific attackers in recent years and, while it remains to be seen what impact the charges will have on their operations, the publicity surrounding the indictments will certainly be unwelcome among attackers who wish to maintain a low profile.
Click to expand...

guest · Jan 15, 2021

Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks
January 15, 2021
https://thehackernews.com/2021/01/researchers-disclose-undocumented.html

Cybersecurity researchers have disclosed a series of attacks by a threat actor of Chinese origin that has targeted organizations in Russia and Hong Kong with malware — including a previously undocumented backdoor.

Attributing the campaign to Winnti (or APT41), Positive Technologies dated the first attack to May 12, 2020, when the APT used LNK shortcuts to extract and run the malware payload. A second attack detected on May 30 used a malicious RAR archive file consisting of shortcuts to two bait PDF documents claimed to be a curriculum vitae and an IELTS certificate.
Click to expand...

The shortcuts themselves contain links to pages hosted on Zeplin, a legitimate collaboration tool for designers and developers that are used to fetch the final-stage malware that, in turn, includes a shellcode loader ("svchast.exe") and a backdoor called Crosswalk ("3t54dE3r.tmp").

While this modus operandi shares similarities with that of the Korean threat group Higaisa — which was found exploiting LNK files attached in an email to launching attacks on unsuspecting victims in 2020 — the researchers said the use of Crosswalk suggests the involvement of Winnti.
Click to expand...

Positive Technologies: Higaisa or Winnti? APT41 backdoors, old and new

The PT Expert Security Center regularly spots emerging threats to information security, including both previously known and newly discovered malware. During such monitoring in May 2020, we detected several samples of new malware that at first glance would seem to belong to the Higaisa group. But detailed analysis pointed to the Winnti group (also known as APT41, per FireEye) of Chinese origin
Click to expand...

guest · Aug 24, 2021

APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign
August 24, 2021
https://www.trendmicro.com/en_us/re...th-baku-with-new-cyberespionage-campaign.html

We have uncovered a cyberespionage campaign being perpetrated by Earth Baku, an advanced persistent threat (APT) group with a known history of carrying out cyberattacks under the alias APT41. This is not the group’s first foray into cyberespionage, and its long list of past cybercrimes also includes ransomware and cryptocurrency mining attacks.

Earth Baku deploys its ongoing campaign, which can be traced to as far back as July 2020, through multiple attack vectors that are designed based on different exploits or the infrastructure of its targeted victim's environment:

• SQL injection to upload a malicious file
• Installment through InstallUtil.exe in a scheduled task
• Possibly a malicious link (LNK) file sent as an email attachment
• Exploitation of the ProxyLogon vulnerability CVE-2021-26855 to upload a China Chopper web shell
Click to expand...

This campaign uses previously unidentified shellcode loaders, which we have named StealthVector and StealthMutant, and a backdoor, which we have dubbed ScrambleCross.
Earth Baku has developed these new malware tools to facilitate targeted attacks on public and private entities alike in specific industries that are located in the Indo-Pacific region. Thus far, the affected countries include India, Indonesia, Malaysia, the Philippines, Taiwan, and Vietnam.
Connections to other campaigns
Earth Baku’s recent activities are related to another campaign that has been active since at least November 2018, as reported by FireEye and Positive Technologies.

While the older campaign uses a different shellcode loader, which we have named LavagokLdr, we have observed similar code and procedures between LavagokLdr and StealthVector. In the same vein, we have observed that LavagokLdr’s payload, Crosswalk, and one of StealthVector’s payloads, ScrambleCross, perform similar techniques for decryption and signature checking.
Click to expand...

Interestingly, the new malware tools involved in Earth Baku’s new campaign indicates that the APT group has likely recruited members who specialize in low-level programming, software development, and red-team techniques.

For more details about Earth Baku’s new campaign, read our research paper "Earth Baku: An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor."
Click to expand...

guest · Oct 5, 2021

Suspected Chinese hackers masqueraded as Indian government to send COVID-19 phishing emails
October 5, 2021
https://www.cyberscoop.com/apt41-india-blackberry-china/

An increasingly active Chinese government-linked hacking group impersonated Indian government agencies with phishing lures related to COVID-19 statistics and tax legislation, researchers say.

It was the continuation of a campaign that dates to the earliest days of the pandemic, BlackBerry said in a blog post Tuesday. The company tied together several threads of operations by APT41, a joint cyber-espionage and cybercrime organization that investigators have repeatedly tied to Beijing and that BlackBerry said was responsible for the India-themed phishing lures.
Click to expand...

BlackBerry on Monday didn’t answer questions about the timeframe in which APT41 sent the India-themed lures, what its possible motives were and what industries the emails targeted.

“The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims,” according to BlackBerry.
“These findings show that the APT41 group is still regularly conducting new campaigns and that they will likely continue to do so in future,” BlackBerry wrote.

Another phishing lure touted information about new income tax rules in India, the company said.
BlackBerry said it had tied together multiple “seemingly disparate malware campaigns” and attribute them to APT41.
Click to expand...

BlackBerry: Drawing a Dragon: Connecting the Dots to Find APT41

The BlackBerry Research & Intelligence Team recently connected seemingly disparate malware campaigns, which began with an unusual Cobalt Strike configuration that was first included in a blog post published the same month as COVID-19 lockdowns began in Europe and the U.S. What we found led us through a malicious infrastructure that had been partially documented in articles by several other research organizations.

The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims. And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic.
Click to expand...

guest · Nov 18, 2021

China's APT41 Manages Library of Breached Certificates
November 20, 2021
https://www.infosecurity-magazine.com/news/chinas-apt41-manages-library/

A freelance Chinese APT group is actively managing a library of compromised code-signing digital certificates to support cyber-espionage attacks targeting supply chain vendors, according to Venafi.

The security vendor’s latest research report details the work of APT41, an unusual group in that it has previously been observed carrying out attacks for both traditional state-sponsored cyber-espionage and personal financial gain.
Venafi claimed that using the certificates and keys that authenticate pieces of code are a key part of its tactics.
Click to expand...

APT41 is reportedly managing a library of these certs and keys – some purchased from underground marketplaces, some obtained from other Chinese attack groups and some stolen by APT41 itself.
This shared resource allows members of the group to select the appropriate certificate for their needs, “dramatically” improving success rates, according to Venafi.

“Code-signing machine identities allow malicious code to appear authentic and evade security controls. The success of attacks using this model over the past decade has created a blueprint for sophisticated attacks that have been highly successful because they are very difficult to detect,” explained Venafi threat intelligence specialist Yana Blachman.
Click to expand...

Venafi: APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks
(PDF): https://www.venafi.com/sites/default/files/2021-11/Venafi_WhitePaper_CodeSigningAPT41_2021_f_0.pdf

Learn about the infamous APT41 group and why they are abusing code signing keys and certificates as powerful weapons to steal and exploit data. Find out which industries are they targeting, the anatomy of their attack and who’s really behind them.
Click to expand...

guest · Aug 18, 2022

APT41 group: 4 malicious campaigns, 13 victims, new tools and techniques
August 18, 2022

Group-IB has released new research on the state-sponsored hacker group APT41. The Group-IB Threat Intelligence team estimates that in 2021 the threat actors gained access to at least 13 organizations worldwide. While analyzing the group’s malicious campaigns, experts uncovered adversary techniques and artifacts left by the attackers that point to their origin.
APT41 group activity
The state-sponsored attacker group APT41 (aka ARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, Double Dragon), whose goals are cyber espionage and financial gain, has been active since at least 2007.

Group-IB Threat Intelligence analysts identified four APT41 malware campaigns carried out in 2021 that were geographically spread across the United States, Taiwan, India, Vietnam, and China. The targeted industries included the public sector, manufacturing, healthcare, logistics, hospitality, education, as well as the media and aviation. According to Group-IB, there were 13 confirmed victims of APT41 in 2021, but the actual number could be much higher.
Click to expand...

APT41 members usually use phishing, exploit various vulnerabilities (including Proxylogon), and conduct watering hole or supply-chain attacks to initially compromise their victims. However, in the recent campaigns examined by Group-IB, the attackers performed SQL injections on websites using the publicly available tool SQLmap as the initial attack vector.

In some organizations, the group gained access to the command shell of the targeted server, while in others they accessed databases with information about existing accounts, lists of employees, and plaintext and hashed passwords.
Cobalt Strike: old but gold
Group-IB established that the group used a unique method of dividing a payload (a custom Cobalt Strike Beacon) in order to download malicious code to target devices and execute it.
Click to expand...

Group-IB: APT41 World Tour 2021 on a tight schedule

4 malicious campaigns, 13 confirmed victims, and a new wave of Cobalt Strike infections
Throughout 2021, we closely watched APT41’s activity using our system called Group-IB Threat Intelligence, which is continuously enriched with indicators of compromise (IOCs) and new rules for hunting hacker groups and threat actors. Our efforts have resulted in about 80 proactive notifications to private and government organizations worldwide regarding APT41 attacks (both in progress and completed) against their infrastructures so that the organizations could take the necessary steps to protect themselves or search for traces of compromise in their networks.

The data about the tactics, techniques and procedures (TTPs) used by the attackers that we collected helped us attribute the group’s other attacks. Using this data, we identified the threat actors’ “work” schedule, which makes it possible to describe their origin in more detail. In this blog post, we share our findings and describe the main methods, tactics and tools used by one of the most dangerous threat groups out there, APT41, in 2021.
Click to expand...

guest · Aug 18, 2022

mood said: ↑

APT41 group: 4 malicious campaigns, 13 victims, new tools and techniques
August 18, 2022

Group-IB: APT41 World Tour 2021 on a tight schedule
Click to expand...

Winnti hackers split Cobalt Strike into 154 pieces to evade detection
August 18, 2022

The Chinese Winnti hacking group, also known as 'APT41' or 'Wicked Spider,' targeted at least 80 organizations last year and successfully breached the networks of at least thirteen.
Hiding their Cobalt Strike beacons
One of Wintti's unique deployment methods for the Cobalt Strike beacons involved obfuscating the payload on the host to evade detection by software.

According to the Group-IB report, the hackers encode the payload in base64 and break it into a large number of smaller pieces consisting of 775 characters, which are then echoed to a text file named dns.txt as shown below.
Click to expand...

In some cases, it took 154 repetitions of this action to write the payload onto a file, but in others, Winnti increased the chunk size to 1,024 characters to reduce the iterations.
To rebuild the Cobalt Strike executable and launch it, the threat actors would use Certutil LOLBin as outlined below: [...]

Another unique approach concerning Cobalt Strike deployment by Winnti is using listeners with over 106 custom SSL certificates, mimicking Microsoft, Facebook, and Cloudflare.
Click to expand...

Working hours
Having tracked the threat group's activity for so long, Group-IB is in a position to estimate the approximate location of the hackers based on their working hours, which tend to follow a defined schedule.
The group starts working at 09:00 AM in the morning and wraps up at around 07:00 PM in the afternoon, in the UTC+8 time zone.

Notably, Winnti logged very few hours during weekends, although some activity was observed on Sundays, presumably to perform actions that are unlikely to be noticed by understaffed IT teams.
Click to expand...

Lurking in the shadows
Even when researchers persistently track Winnti operations, the sophisticated Chinese group remains well-hidden and continues its cyberespionage operations unhindered.
Click to expand...

guest · Nov 9, 2022

New hacking group uses custom 'Symatic' Cobalt Strike loaders
By Bill Toulas @billtoulas - November 9, 2022

A previously unknown Chinese APT (advanced persistent threat) hacking group dubbed 'Earth Longzhi' targets organizations in East Asia, Southeast Asia, and Ukraine.
The threat actors have been active since at least 2020, using custom versions of Cobalt Strike loaders to plant persistent backdoors on victims' systems.

According to a new Trend Micro report, Earth Longzhi has similar TTP (techniques, tactics, and procedures) as 'Earth Baku,' both considered subgroups of the state-backed hacking group tracked as APT41.
Click to expand...

Earth Longzhi's older campaign
Trend Micro's report illustrates two campaigns conducted by Earth Longzhi, with the first occurring between May 2020 and February 2021.
In this campaign, the hackers used the custom Cobalt Strike loader 'Symatic,' which features a sophisticated anti-detection system including the following functions: [...]
2022 campaign
The second campaign observed by Trend Micro lasted from August 2021 until June 2022, targeting insurance and urban development firms in the Philippines and aviation firms in Thailand and Taiwan.
Click to expand...

After Cobalt Strike runs on the target, the hackers use a custom version of Mimikatz to steal credentials and use the 'PrintNighmare' and 'PrintSpoofer' exploits for privilege escalation.

To disable security products on the host, Earth Longzhi uses a tool named 'ProcBurner,' which abuses a vulnerable driver (RTCore64.sys) to modify the required kernel objects.

"ProcBurner is designed to terminate specific running processes," explains Trend Micro in the report.
"Simply put, it tries to change the protection of the target process by forcibly patching the access permission in the kernel space using the vulnerable RTCore64.sys."
Click to expand...

Trend Micro: Hack the Real Box: APT41’s New Subgroup Earth Longzhi

We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August.
Click to expand...

Log in or Sign up

FireEye identifies dual nature Chinese cyber threat group

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

FireEye identifies dual nature Chinese cyber threat group

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches