Chinese cyber espionage group APT41 has been linked to seemingly disparate malware campaigns, according to fresh research that has mapped together additional parts of the group’s network infrastructure to hit upon a state-sponsored campaign that takes advantage of COVID-themed phishing lures to target victims in India.
“The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims,” the BlackBerry Research and Intelligence team said in a report shared with The Hacker News. “And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic.”
APT41 (aka Barium or Winnti) is a moniker assigned to a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in conjunction with financially motivated operations for personal gain as far back as 2012. Calling the group “Double Dragon” for its twin objectives, Mandiant (formerly FireEye) pointed out the collective’s penchant for striking healthcare, high-tech, and telecommunications sectors for establishing long-term access and facilitating the theft of intellectual property.
In addition, the group is known for staging cybercrime intrusions that are aimed at stealing source code and digital certificates, virtual currency manipulation, and deploying ransomware, as well as executing software supply chain compromises by injecting malicious code into legitimate files prior to distribution of software updates.
The latest research by BlackBerry builds on previous findings by Mandiant in March 2020, which detailed a “global intrusion campaign” unleashed by APT41 by exploiting a number of publicly known vulnerabilities affecting Cisco and Citrix devices to drop and execute next-stage payloads that were subsequently used to download a Cobalt Strike Beacon loader on compromised systems. The loader was notable for its use of a malleable command-and-control (C2) profile that allowed the Beacon to blend its network communications with a remote server into legitimate traffic originating from the victim network.
BlackBerry, which found a similar C2 profile uploaded to GitHub on March 29 by a Chinese security researcher with the pseudonym “1135,” used the metadata configuration information to identify a fresh cluster of domains related to APT41 that attempt to masquerade Beacon traffic look like legitimate traffic from Microsoft sites, with IP address and domain name overlaps found in campaigns linked to the Higaisa APT group and that of Winnti disclosed over the past year.
A follow-on investigation into the URLs revealed as many as three malicious PDF files that reached out to one of the newly discovered domains that had also previously hosted a Cobalt Strike Team Server. The documents, likely used along phishing emails as an initial infection vector, claimed to be COVID-19 advisories issued by the government of India or contain information regarding the latest income tax legislation targeting non-resident Indians.
The spear-phishing attachments appear in the form of .LNK files or .ZIP archives, which, when opened, result in the PDF document being displayed to the victim, while, in the background, the infection chain leads to the execution of a Cobalt Strike Beacon. Although a set of intrusions using similar phishing lures and uncovered in September 2020 were pinned on the Evilnum group, BlackBerry said the compromise indicators point to an APT41-affiliated campaign.
“With the resources of a nation-state level threat group, it’s possible to create a truly staggering level of diversity in their infrastructure,” the researchers said, adding by piecing together the malicious activities of the threat actor via public sharing of information, it’s possible to “uncover the tracks that the cybercriminals involved worked so hard to hide.”