APT41 Cyberespionage Campaign Hits Indo-Pacific
Trend Micro: Firms Targeted in India, Indonesia, Malaysia, the Philippines, Taiwan, Vietnam
Researchers at cybersecurity company Trend Micro have uncovered a new cyberespionage campaign in the Indo-Pacific region by Chinese advanced persistent threat group APT41, also known as Earth Baku.
Among the targets are companies in the airlines, computer hardware, automotive, infrastructure, publishing, media and IT industries in India, Indonesia, Malaysia, the Philippines, Taiwan and Vietnam, Trend Micro says.
The APT group chooses its initial access vector to fit the target's environment, the researchers say. The vectors observed include SQL injection against a Microsoft SQL Server to upload a malicious file; malware installed through InstallUtil.exe from a scheduled task; a malicious shortcut (.lnk) file sent as an email attachment; and exploitation of the Exchange Server ProxyLogon vulnerability, CVE-2021-26855, to drop a China Chopper web shell, the researchers say.
The campaign uses previously unidentified shellcode loaders, dubbed StealthVector and StealthMutant, as well as a backdoor named ScrambleCross, Trend Micro reports.
First observed in October 2020, the StealthVector shellcode loader, written in C/C++, is designed with configurable features that allow malicious actors to tailor it to their needs, the researchers say.
It also offers a feature that disables Event Tracing for Windows, the operating system's built-in tracing facility that many endpoint detection tools rely on, so that the malware's activity goes unlogged, they say. The loader can run its payload stealthily in several ways: through the CreateThread function, by bypassing Microsoft's Control Flow Guard, or via module stomping or phantom dynamic link library hollowing.
The StealthMutant loader, which supports both 32-bit and 64-bit operating systems, can also disable Event Tracing for Windows. This loader, written in C#, has been used by malicious actors since July 2020, the researchers say.
"Many of the StealthMutant samples we have analyzed use AES-256-ECB for decryption; alternatively, an earlier variant of the loader uses XOR. After its payload is decrypted, StealthMutant performs process hollowing to execute its payload in a remote process," according to the Trend Micro researchers.
Both StealthMutant and StealthVector carry either a Cobalt Strike Beacon or ScrambleCross, a newly discovered backdoor, as their payload, the researchers report.
ScrambleCross takes instructions from its command-and-control server that let it receive and manipulate plug-ins.
"However, we have yet to retrieve and study one of these plug-ins. It has many of the same capabilities as another backdoor, Crosswalk, which has also been used by Earth Baku," Trend Micro says.
"Both calculate the hash of the code section as an anti-debugging technique, both are designed as fully position-independent code, and both support various kinds of network communication protocols."
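The code-section hashing that the report attributes to ScrambleCross and Crosswalk, shown as an added illustration (this is not Trend Micro's code and not code from either backdoor): a function's machine code is hashed once, then re-hashed later, so a software breakpoint, which a debugger plants by overwriting one opcode byte with int3 (0xCC), changes the hash and reveals the debugger. The example assumes Linux, GCC or Clang, and an x86-style int3 byte; the FNV-1a hash, the fixed 32-byte guarded prefix and the names guarded_routine, code_hash, code_tampered and detects_breakpoint_in_copy are this example's own choices, not anything from the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* FNV-1a 64-bit over an arbitrary byte range. The hash is an arbitrary
 * choice for this example; any cheap checksum works for tamper detection. */
uint64_t code_hash(const void *start, size_t len) {
    const uint8_t *p = (const uint8_t *)start;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Returns 1 if the bytes at [start, start+len) no longer hash to expected. */
int code_tampered(const void *start, size_t len, uint64_t expected) {
    return code_hash(start, len) != expected;
}

/* How many bytes of the guarded function are covered. Hashing a fixed prefix
 * is an assumption made for portability (no compiler-specific function-size
 * symbols), so the guarded function must stay longer than this. */
#define GUARDED_LEN 32

/* The routine whose code is protected. noinline gives it an address of its
 * own; the volatile loop keeps the compiler from shrinking it below
 * GUARDED_LEN bytes. */
__attribute__((noinline)) int guarded_routine(int x) {
    volatile int acc = x;
    for (volatile int i = 0; i < 8; i++) acc += i * 3;
    return acc;
}

/* Exercises the check on a private copy of the function's bytes, so it runs
 * without changing page permissions. Returns 1 when the planted int3 is
 * detected, 0 if it is missed, -1 on a false positive before tampering. */
int detects_breakpoint_in_copy(void) {
    uint8_t copy[GUARDED_LEN];
    memcpy(copy, (const void *)(uintptr_t)guarded_routine, GUARDED_LEN);
    uint64_t expected = code_hash(copy, GUARDED_LEN);
    if (code_tampered(copy, GUARDED_LEN, expected)) return -1;
    /* A debugger's software breakpoint replaces one opcode byte with 0xCC. */
    copy[5] = (copy[5] == 0xCC) ? 0x90 : 0xCC;
    return code_tampered(copy, GUARDED_LEN, expected);
}

/* Stand-alone demo: hash the live function, then plant a real int3 in it the
 * way a debugger would, which requires making the text page writable first. */
int main(void) {
    uint8_t *code = (uint8_t *)(uintptr_t)guarded_routine;
    uint64_t baseline = code_hash(code, GUARDED_LEN);
    printf("untouched: tampered=%d\n", code_tampered(code, GUARDED_LEN, baseline));

    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t lo = (uintptr_t)code & ~(page - 1);
    uintptr_t hi = ((uintptr_t)code + GUARDED_LEN + page - 1) & ~(page - 1);
    if (mprotect((void *)lo, hi - lo, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect"); /* a W^X policy may refuse; the check itself is unaffected */
        return 1;
    }
    uint8_t saved = code[5];
    code[5] = (saved == 0xCC) ? 0x90 : 0xCC;
    printf("after int3 patch: tampered=%d\n", code_tampered(code, GUARDED_LEN, baseline));
    code[5] = saved; /* restore; guarded_routine is never executed while patched */
    return 0;
}
```

Build with `cc -O1 self_check.c -o self_check`. A real implant hashes the whole code section rather than a 32-byte prefix, and position-independent code such as ScrambleCross derives the section bounds from its own current instruction pointer instead of a symbol. The check only catches modifications to code bytes: hardware breakpoints set through debug registers leave the code untouched and are not detected this way.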
Ties to Earlier Campaign
This new campaign is tied to an earlier Earth Baku cyberespionage campaign that the group carried out under the alias APT41, the researchers say.
"This older campaign has been ongoing since November 2018 and uses a different shellcode loader, which we have named LavagokLdr, but these two campaigns are alike in many ways," they say.
The analysis of StealthMutant, StealthVector, and ScrambleCross demonstrates that Earth Baku/APT41 has improved its malware tools since its last campaign, the researchers say.
The APT group, the researchers note, is known for its use of self-developed tools.
"It appears to be filling its ranks with malicious actors who are pooling their diverse skills," according to the Trend Micro report. "The new malware tools involved in Earth Baku's new campaign indicate that the APT group has likely recruited members who specialize in low-level programming, software development and red-team techniques."
The threat group, researchers say, has designed the new tools to be easy to modify and to evade detection more effectively while moving through a targeted network.
Benjamin Read, director of analysis at Mandiant Threat Intelligence, FireEye, notes that although the group has added new features and tactics, the fundamentals remain unchanged. "The intrusion vectors highlighted by Trend Micro are similar to what one would have seen five years ago, but they continue to be used because they work,” he says.
Mitigation and Prevention
To avoid falling victim to this group, Trend Micro advises companies to follow the principle of least privilege by limiting access to sensitive data and monitoring user permissions; to enforce strict patch management and use virtual patching to protect legacy systems for which patches are not yet available; and to follow the 3-2-1 rule of keeping at least three copies of corporate data in two different formats, with one air-gapped copy stored off-site. That last measure limits the damage from destructive follow-on activity but does not by itself prevent data theft.
Brian Honan, a Dublin-based cybersecurity expert, says organizations must keep their focus on the techniques this APT group - and many others - use, including the injection of an SQL script into the system's Microsoft SQL Server to upload a malicious file and the exploitation of the Microsoft Exchange Server ProxyLogon vulnerability.