Cyber security news for all

    Chinese APT41 Enhances Malware Arsenal with DodgeBox and MoonWalk

    APT41, a sophisticated threat group associated with China, is suspected of upgrading its malware toolkit with an advanced version of StealthVector, now identified as DodgeBox, and introducing a newly discovered backdoor named MoonWalk.

    Zscaler ThreatLabz researchers Yin Hong Chang and Sudeep Singh, who first observed DodgeBox in April 2024, report that it functions as a loader whose job is to deploy the MoonWalk backdoor. MoonWalk reuses evasion techniques found in DodgeBox and uses Google Drive for command-and-control (C2) communications, so its traffic blends in with legitimate cloud activity.

    APT41, also known as Axiom or by other aliases such as Blackfly and Barium, has been active since at least 2007 and is recognized for carrying out state-sponsored cyber operations. In September 2020, the U.S. Department of Justice indicted multiple individuals associated with APT41 for orchestrating extensive intrusion campaigns affecting numerous companies worldwide.

    These intrusions enabled the theft of sensitive data such as source code, software certificates, and customer information, while also supporting additional criminal activities like ransomware and crypto-jacking schemes.

    Recent activities attributed to APT41 include breaches of U.S. state government networks and attacks on Taiwanese media using tools like Google Command and Control (GC2).

    StealthVector, initially documented by Trend Micro in August 2021, serves as a loader for delivering Cobalt Strike Beacon and ScrambleCross implants. DodgeBox, an enhanced iteration of StealthVector, employs evasion tactics including DLL side-loading, so that its code runs inside a legitimately signed process, and call stack spoofing, which hides the true origin of sensitive API calls from security products that inspect the call stack at the time of the call.

    In the observed chain, APT41 uses a legitimate, Sandboxie-signed executable, taskhost.exe, to side-load a malicious DLL named sbiedll.dll, which hosts the DodgeBox loader. Because the executable resolves that DLL name from its own directory, a malicious file dropped alongside it is loaded in place of the genuine Sandboxie library. The DodgeBox DLL then decrypts and executes the MoonWalk backdoor as a second-stage payload.
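    The side-loading pairing described above is a concrete thing to hunt for. The following is an added detection example, not code from Zscaler ThreatLabz or from this article: it scans image-load events for a process named taskhost.exe loading sbiedll.dll and flags the pair when the executable runs from outside an expected Sandboxie install directory, or when the DLL is unsigned or signed by an unexpected publisher. The event records are constructed for this example and only loosely modelled on the fields of Sysmon Event ID 7; the field names, the trusted install roots and the expected signer string are assumptions to be adjusted for a real environment.

```python
"""Hunt for taskhost.exe -> sbiedll.dll side-loading (DodgeBox-style chain).

Added example; the event format, trusted roots and signer name below are
assumptions, not values taken from the article or from Zscaler's research.
"""
import json
from pathlib import PureWindowsPath

TARGET_HOST = "taskhost.exe"   # legitimate Sandboxie-signed executable
TARGET_DLL = "sbiedll.dll"     # DLL name the loader impersonates

# Where the genuine Sandboxie pairing is expected to live (assumption).
TRUSTED_ROOTS = (
    "c:\\program files\\sandboxie",
    "c:\\program files\\sandboxie-plus",
)

# Publisher string expected on the genuine DLL (assumption for this example).
EXPECTED_SIGNER = "Example Sandboxie Signer"

# Constructed sample events, loosely modelled on Sysmon Event ID 7 fields.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Sandboxie\\taskhost.exe", "ImageLoaded": "C:\\Program Files\\Sandboxie\\SbieDll.dll", "Signed": "true", "Signature": "Example Sandboxie Signer"}
{"EventID": 7, "Image": "C:\\Users\\Public\\Libraries\\taskhost.exe", "ImageLoaded": "C:\\Users\\Public\\Libraries\\sbiedll.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 1, "Image": "C:\\Users\\Public\\Libraries\\taskhost.exe", "CommandLine": "taskhost.exe"}
"""


def parse_events(jsonl):
    """Parse one JSON object per line into a list of dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def _under_trusted_root(directory):
    d = directory.lower()
    return any(d == root or d.startswith(root + "\\") for root in TRUSTED_ROOTS)


def evaluate(event, expected_signer=EXPECTED_SIGNER):
    """Return the reasons an image-load event looks like sbiedll.dll
    side-loading, or an empty list if the event is benign under these rules."""
    host = PureWindowsPath(event.get("Image", ""))
    dll = PureWindowsPath(event.get("ImageLoaded", ""))
    if host.name.lower() != TARGET_HOST or dll.name.lower() != TARGET_DLL:
        return []  # not the pairing we are hunting for

    reasons = []
    if not _under_trusted_root(str(host.parent)):
        reasons.append(f"host executable outside trusted install roots: {host}")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("side-loaded sbiedll.dll is unsigned")
    elif event.get("Signature", "") != expected_signer:
        reasons.append(
            f"sbiedll.dll signer {event.get('Signature')!r} "
            f"does not match expected {expected_signer!r}"
        )
    return reasons


def scan(jsonl, expected_signer=EXPECTED_SIGNER):
    """Scan image-load events; return (host image path, reasons) per hit."""
    hits = []
    for ev in parse_events(jsonl):
        if ev.get("EventID") != 7:
            continue  # only image-load events carry the DLL path
        reasons = evaluate(ev, expected_signer)
        if reasons:
            hits.append((ev["Image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}")
        for r in reasons:
            print(f"  - {r}")
```

    The rule deliberately keys on the executable/DLL name pair rather than on a hash, since the loader DLL will change between campaigns while the abused signed executable tends not to. Tuning the trusted roots to where Sandboxie is actually installed (or to "nowhere" on hosts that should not run it at all) is what keeps the false-positive rate low.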

    The attribution of DodgeBox to APT41 rests on its code similarities to StealthVector and on the group's long-standing use of DLL side-loading, a technique already observed in its other malware campaigns such as those involving PlugX.

    “DodgeBox represents a newly identified loader that employs advanced evasion techniques to evade detection by security systems,” the researchers concluded.
