Group-IB has published a new study on the activity of the Chinese hack group APT41. According to experts, in 2021, hackers were able to gain access to at least 13 organizations around the world. Interestingly, the “working days” of the group are from Monday to Friday. The average working time starts at 10 am and ends closer to 7 pm UTC+8.
The pro-state group APT41 (also known as ARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, Double Dragon), whose attack targets are both cyber espionage and financial gain, has been active since at least 2007.
Group-IB Threat Intelligence analysts identified four APT41 malware campaigns conducted in 2021 that covered targets in the US, India, Vietnam, China, and Taiwan. The target industries were the public sector, manufacturing, healthcare, logistics, hospitality, educational organizations, as well as the media and the airline. There are 13 confirmed victims of APT41 attacks in 2021, but their real number could be much higher.
“According to the study, 2021 has been quite an intense year for APT41 attackers. As a result of the analysis of the tools and indicators of compromise we discovered, we were able to identify malicious activity and warn commercial and government organizations about upcoming or already committed APT41 attacks so that they can take the necessary steps to protect or search for traces of compromise of their networks. In total, in 2021, we proactively sent more than 80 such notifications related to APT41,” says Threat Intelligence analyst Nikita Rostovtsev.
Traditionally, APT41 hackers are credited with phishing as the initial penetration vector, exploitation is different x vulnerabilities (including Proxylogon, watering hole, and supply chain attacks). However, in the campaigns observed by Group-IB, attackers infiltrated target systems using SQL injections using the public SQLmap tool.
In some organizations, the team gained shell access to the target server, in others they accessed databases of account information, employee lists, and clear and hashed passwords. As a result of such SQL injections, the attackers managed to penetrate the victims’ networks in half of the cases – 43 out of 86 sites were vulnerable.
To download and execute malicious code on infected devices, the attackers used a unique method of dividing the payload, which was not previously seen by researchers, using customized Cobalt Strike beacons.
After compilation, the beacon was encoded in Base64, and then split into exactly 775 characters and added to a text file with a specific command. To write the entire payload to a file, in one of the cases observed by Group-IB, the attackers needed 154 iterations for this action. The same non-standard method of dividing the payload was also found on the network of another organization, where the attackers decided to divide the code into blocks of 1024 characters. It took them 128 iterations to write the entire payload without drawing attention to themselves.
The researchers emphasize that some servers were used by APT41 solely to host the Cobalt Strike framework on them, while others were used only for active network scanning through the Acunetix utility. However, servers were found running both of these tasks.
“Despite the protection of the CloudFlare cloud service, which hides the real addresses of the servers, the Threat Intelligence system revealed the backends of the APT41 servers, which allows us to monitor the malicious infrastructure of the attackers and quickly block their servers,” Group-IB added.
An important discovery of the work of Cobalt Strike was the use using licensers with custom SSL certificates. They are needed to accept the connection from the payload, to connect the bots with the command center. In this case, the hackers used unique SSL certificates that mimic Microsoft, Facebook, and CloudFlare. According to analysts, servers with such certificates began to appear from the beginning of 2020, and their number at the end of 2021 was 106. This means that researchers have noticed more than 100 Cobalt Strike servers that are used only by this group of attackers. Most of them are no longer active.
Experts made another interesting discovery by studying the “work schedule” of hackers. Thus, all attackers’ timestamps were aligned to UTC+8. This made it possible to establish that the main working time of the group starts at 9 am and ends closer to 7 pm. Experts note with irony that APT41 members do not overwork, unlike, for example, financially motivated groups such as Conti, who sometimes “work” tirelessly and sometimes for 14 hours a day.
There are a number of countries in the time zone of the attackers, including China, Malaysia, Singapore, part of Russia and Australia.
As attribution elements, the report provides a list of predominantly Chinese IP addresses for accessing Cobalt Strike servers. The use of Chinese characters on the workstations from which the attacks were carried out is also noted. It is also interesting that the researchers noticed the use of a specific Pinyin format for the name of directories (Pinyin is a record of the sounds of the Chinese language in Latin).