Cyber security news for all

    APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K.

    Several organizations within the global shipping, logistics, media, entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have been targeted by a “sustained campaign” from the prolific China-based APT41 hacking group.

    “APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims’ networks since 2023, enabling them to extract sensitive data over an extended period,” stated Google-owned Mandiant in a report published Thursday.

    The threat intelligence firm described APT41 as unique among China-nexus actors due to its use of “non-public malware typically reserved for espionage operations in activities that appear to fall outside the scope of state-sponsored missions.”

    Attack methods involve the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROVE) to achieve persistence, deliver additional payloads, and exfiltrate data.

    The web shells serve as a conduit to download the DUSTPAN (aka StealthVector) dropper, responsible for loading Cobalt Strike Beacon for command-and-control (C2) communication, followed by the deployment of the DUSTTRAP dropper after lateral movement.

    DUSTTRAP is configured to decrypt a malicious payload and execute it in memory, establishing contact with an attacker-controlled server or a compromised Google Workspace account to conceal its activities.

    Google stated the identified Workspace accounts have been remediated to prevent unauthorized access. However, it did not reveal how many accounts were affected.

    The intrusions also involve using SQLULDR2 to export data from Oracle databases to a local text-based file and PINEGROVE to transmit large volumes of sensitive data from compromised networks by abusing Microsoft OneDrive as an exfiltration vector.
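    The export-then-upload sequence described above is something a SOC can correlate from ordinary endpoint and proxy telemetry. The following is an added hunting example, not code from Mandiant or Google; the event records are constructed, and the OneDrive hostnames, byte threshold and time window are assumptions to tune per environment.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): process starts and outbound flows.
EVENTS = [
    {"ts": "2024-03-02T01:10:00", "host": "db-srv-01", "kind": "process",
     "image": "C:\\Temp\\sqluldr2.exe",
     "cmdline": "sqluldr2 user=app/pass query=\"select * from customers\" file=out.txt"},
    {"ts": "2024-03-02T01:25:00", "host": "db-srv-01", "kind": "netflow",
     "dst_host": "graph.microsoft.com", "bytes_out": 850_000_000},
    {"ts": "2024-03-02T09:00:00", "host": "wks-77", "kind": "netflow",
     "dst_host": "graph.microsoft.com", "bytes_out": 2_000_000},
    {"ts": "2024-03-02T12:00:00", "host": "db-srv-02", "kind": "process",
     "image": "C:\\oracle\\bin\\sqlplus.exe", "cmdline": "sqlplus / as sysdba"},
]

# Assumed OneDrive/Graph endpoints; build the real list from your own proxy logs.
ONEDRIVE_HOSTS = {"graph.microsoft.com", "onedrive.live.com"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_export_then_exfil(events, window=timedelta(hours=2), min_bytes=100_000_000):
    """Flag hosts where SQLULDR2 ran; escalate when a large upload to OneDrive
    follows from the same host within `window`. Thresholds are assumptions."""
    alerts = []
    ordered = sorted(events, key=_ts)
    for i, e in enumerate(ordered):
        if e["kind"] != "process":
            continue
        if PureWindowsPath(e["image"]).name.lower() != "sqluldr2.exe":
            continue
        alert = {"host": e["host"], "export_at": e["ts"], "upload_at": None,
                 "bytes_out": 0, "severity": "export-only"}
        for f in ordered[i + 1:]:
            if _ts(f) - _ts(e) > window:
                break  # events are time-ordered, nothing later can match
            if f["host"] != e["host"] or f["kind"] != "netflow":
                continue
            if f["dst_host"] in ONEDRIVE_HOSTS and f["bytes_out"] >= min_bytes:
                alert["upload_at"] = f["ts"]
                alert["bytes_out"] += f["bytes_out"]
                alert["severity"] = "export+exfil"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_export_then_exfil(EVENTS):
        print(a)
```

    An export-only hit on a database server is still worth a look, since SQLULDR2 has no business running outside a DBA's own tooling; the combined hit is the one to page on.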

    Notably, the malware families Mandiant tracks as DUSTPAN and DUSTTRAP share similarities with those codenamed DodgeBox and MoonWalk, respectively, by Zscaler ThreatLabz.

    “DUSTTRAP is a multi-stage plugin framework with multiple components,” Mandiant researchers said, adding they identified at least 15 plugins capable of executing shell commands, carrying out file system operations, enumerating and terminating processes, capturing keystrokes and screenshots, gathering system information, and modifying the Windows Registry.

    It’s also designed to probe remote hosts, perform DNS lookups, list remote desktop sessions, upload files, and perform various manipulations of Microsoft Active Directory.

    “The DUSTTRAP malware and its components observed during the intrusion were code-signed with presumably stolen code-signing certificates,” the company stated. “One of the code-signing certificates seemed related to a South Korean company in the gaming industry.”

    GhostEmperor Resurfaces

    The disclosure comes as Israeli cybersecurity company Sygnia revealed details of a cyber attack campaign by a sophisticated China-nexus threat group called GhostEmperor, delivering a variant of the Demodex rootkit.

    The exact method used to breach targets remains unclear, although the group has previously exploited known flaws in internet-facing applications. The initial access facilitates the execution of a Windows batch script, dropping a Cabinet archive (CAB) file to launch a core implant module.

    The implant manages C2 communications and installs the Demodex kernel rootkit using an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement (DSE) mechanism.

    “GhostEmperor employs multi-stage malware to achieve stealth execution and persistence, using several methods to impede analysis,” explained security researcher Dor Nizar.
