Introduction
APT41 is a prolific Chinese state-sponsored cyberespionage group that targets organizations in both the public and private sectors, and that also conducts financially motivated activity, potentially outside of state control, for the benefit of the government or for personal gain.
It has been active since 2012. Also known in the security industry as Barium or Winnti, the group has been involved in strategic intelligence collection from organizations in many sectors, but also in financially motivated attacks that predominantly targeted the online gaming industry. Some experts believe that it's operating as a contractor and has multiple teams with different goals.
Features
APT41 espionage targeting has generally aligned with China's five-year economic development plans.
The group also tracks individuals and conducts surveillance.
The group is also skilled at moving laterally within targeted networks, including pivoting between Windows and Linux systems, which allows it to reach production environments.
From there the group steals source code as well as digital certificates, which are then used to sign malware.
Operation times for APT41 espionage activity largely fall within Chinese working hours (UTC+8, China's time zone).
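Working-hours alignment is one of the weaker attribution signals (it narrows a region, not an actor, and a determined operator can shift hours), but it is cheap to compute from existing telemetry. The script below is an added example, not code from the original page or from any of the cited vendors: it converts constructed UTC event timestamps to UTC+8, assumes a 09:00-18:00 Monday-Friday working window, and reports what fraction of events fall inside it.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample: UTC timestamps of events an analyst is reviewing.
# These are illustrative values, not real APT41 telemetry.
SAMPLE_EVENTS_UTC = [
    "2021-03-02T01:15:00Z",  # Tue 09:15 in UTC+8 -> inside window
    "2021-03-02T06:40:00Z",  # Tue 14:40 in UTC+8 -> inside window
    "2021-03-02T15:30:00Z",  # Tue 23:30 in UTC+8 -> outside window
    "2021-03-06T03:00:00Z",  # Sat 11:00 in UTC+8 -> weekend, outside window
]

# China Standard Time is a fixed UTC+8 offset with no daylight saving time.
CST = timezone(timedelta(hours=8))

# Assumed working-hour window (hours are half-open: 09:00 <= t < 18:00).
WORK_START_HOUR, WORK_END_HOUR = 9, 18


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_cst_work_hours(ts: str) -> bool:
    """True if the UTC timestamp falls on a weekday within the UTC+8 working window."""
    local = parse_utc(ts).astimezone(CST)
    # weekday(): Monday == 0 ... Sunday == 6
    return local.weekday() < 5 and WORK_START_HOUR <= local.hour < WORK_END_HOUR


def work_hours_ratio(events_utc) -> float:
    """Fraction of events that occur during UTC+8 working hours."""
    if not events_utc:
        return 0.0
    hits = sum(1 for ts in events_utc if in_cst_work_hours(ts))
    return hits / len(events_utc)


def summarize(events_utc) -> dict:
    """Map each UTC timestamp to its UTC+8 weekday and clock time for review."""
    return {ts: parse_utc(ts).astimezone(CST).strftime("%a %H:%M") for ts in events_utc}


if __name__ == "__main__":
    for ts, local in summarize(SAMPLE_EVENTS_UTC).items():
        print(f"{ts} -> {local} CST  work-hours={in_cst_work_hours(ts)}")
    print(f"fraction in UTC+8 working hours: {work_hours_ratio(SAMPLE_EVENTS_UTC):.2f}")
```

In practice you would feed this the timestamps of interactive activity (logons, shell commands, C2 check-ins), not automated beaconing, and compare the ratio against the same statistic computed for your own organization's time zone before drawing any conclusion.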
The group has operators and developers with expertise in both Linux and Windows and has a broad toolset at its disposal, including custom exploits and malware. The group also employs public and open source tools, and is known to concentrate on vulnerabilities that have been public for months or years but remain unpatched in target organizations.
Van Ta, Douglas Bienstock, Geoff Ackerman and John Wolfram, researchers with Mandiant, said that "APT41 can quickly adapt their initial access techniques by re-compromising an environment through a unique vector, or by rapidly operationalizing a fresh vulnerability."
A preference for using web exploits against public-facing web applications, together with the ability to quickly shift targets based on available capabilities, indicates that APT41 continues to pose a significant threat to public and private organizations alike around the world.
Threat Group's Probable Targets
This threat group has targeted organizations around the world, in verticals such as Banking/Finance, Construction, Defense Industrial Base, Government, High Technology, Media, Petrochemical, Real Estate, Pharmaceuticals, Retail, Software Companies, Transportation, Legal, Manufacturing, Telecommunications, Non-profit, Oil & Gas, Higher Education, Healthcare, Video Games, Virtual Currencies and Utilities.
This threat group has targeted the following countries around the world:
France, India, Italy, Japan, Myanmar, Netherlands, Singapore, South Korea, South Africa, Switzerland, Thailand, Turkey, UAE, UK, USA, Australia, Canada, Denmark, Finland, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia and Sweden.
APT41 Associated Families
elf.keyplug, elf.messagetap, win.acehash, win.biopass, win.blackcoffee, win.coldlock, win.crackshot, win.derusbi, win.easynight, win.gearshift, win.highnoon, win.highnoon_bin, win.jumpall, win.lowkey, win.moonbounce, win.plugx, win.poisonplug, win.shadowpad, win.skip20, win.zxshell, win.chinachopper, win.cobalt_strike
APT41's Arsenal
The arsenal of the group includes:
Backdoors: Keyplug, Cobalt Strike Beacon, Lowkey, Speculoos Backdoor
Credential stealers
Keyloggers
Rootkits
Malware families: Global Intrusion, THT, DeepBlueMagic Ransomware, Winnti Malware, MoonBounce UEFI malware
ATT&CK IDs: T1021 - Remote Services; T1059 - Command and Scripting Interpreter; T1027 - Obfuscated Files or Information; T1056 - Input Capture; T1053 - Scheduled Task/Job
The APT41 espionage group has also abused TeamViewer to deploy its malware into targets' compromised environments.
Possible Mitigations for the new APT41 attacks
Organizations that use the targeted software or devices should apply the available mitigations or patches as soon as possible.
If the physical movement restrictions mandated by authorities as a result of COVID-19 make patching difficult, companies should at the very least firewall those devices off from the internet.
The vulnerable systems should also be isolated from the rest of the network, or taken offline if alternatives can be deployed, because they could already be compromised.
Companies can use the indicators of compromise to scan their networks.
Remote management should always be performed through secure connections with VPNs or through zero trust access gateways.
References
https://duo.com/decipher/us-charges-five-alleged-members-of-apt41-group
https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits
https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41
https://otx.alienvault.com/indicator/hostname/ui.threatstream.com
https://www.mandiant.com/resources/apt41-dual-espionage-and-cyber-crime-operation