The BlackBerry Research & Intelligence team released a new report on Tuesday linking disparate malware campaigns to the Chinese cyber-espionage group APT41. The report describes how the group's Cobalt Strike activity relied on a bespoke Malleable C2 profile, together with COVID-19-themed phishing lures, to target victims in India.
The team linked the activity to phishing lures delivered as PDF and ZIP files containing information on tax laws and COVID-19 statistics, masquerading as communications from Indian government entities.
The US government filed charges in 2020 against five members of APT41 for hacking more than 100 companies around the world. US officials said APT41 members successfully compromised the computer networks of foreign governments in India and Vietnam, as well as pro-democracy politicians and activists in Hong Kong.
APT41 is one of the most infamous and active state-sponsored hacking groups. Its operations were first detailed in a FireEye report released in August 2019, which linked the group to some of the biggest supply-chain attacks of recent years as well as to older intrusions going back to 2012.
The group uses publicly available Malleable C2 profiles designed to make its traffic look like legitimate network traffic to Amazon, Gmail, OneDrive, and other services. BlackBerry found links between this campaign and activity previously reported by FireEye in 2020, as well as by Prevailion, Subex, and PTSecurity.
“The image we uncovered was of a state-sponsored campaign that plays on people’s hopes of a quick end to the pandemic as a lure to trap its victims. Once on a user’s machine, the threat merges into the digital woods by using its own personalized profile to mask its network traffic,” the team said in its report.
“APT41 is a prolific Chinese state-sponsored cyber threat group that has carried out malware campaigns related to espionage and financially motivated criminal activity dating back to 2012. This threat group has targeted organizations around the world, in many verticals such as travel, telecommunications, healthcare, news and education. APT41 often used phishing emails with malicious attachments as the initial infection vector. Once they gain access to a target organization, they typically deploy more advanced malware to establish a persistent presence. This group uses a variety of different malware families, including information stealers, keyloggers and backdoors.”
Researchers said they discovered what they believe to be additional APT41 infrastructure, along with phishing lures targeting victims in India that contain information on new tax laws and COVID-19 statistics. The messages purported to come from Indian government entities, according to the report.
The objective of the attack was to use the decoys and phishing attachments to load and execute a Cobalt Strike Beacon on the victim's system.
FireEye and other cybersecurity companies have spent years documenting APT41's tactics, and the BlackBerry team said it found a Malleable C2 profile on GitHub that matched the one FireEye had described, written by a Chinese security researcher using the pseudonym “1135”.
“These profiles had several similarities: the two jQuery Malleable C2 profiles used, and parts of the HTTP GET profile block, are almost identical. HTTP header fields such as ‘accept’, ‘user-agent’, ‘host’ and ‘referer’, as well as the ‘set-uri’ field, all matched exactly the profile data listed in the FireEye blog,” the report explains.
“By extracting and correlating the HTTP headers used in GET and POST requests defined in Beacon configurations, we can generate revealing connections between seemingly disparate Cobalt Strike infrastructures. Although we have identified a relatively small number of Beacons using the BootCSS domain as part of their malleable C2 configuration, there were also a few clusters with unique configuration metadata that allowed us to identify additional Beacons related to APT41. The Beacons served by these new nodes use a different malleable profile from those in the original cluster, attempting to make the traffic look like legitimate Microsoft traffic.”
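The correlation the report describes, pivoting on the set-uri and HTTP header values that a Malleable C2 profile fixes in every Beacon built from it, can be reproduced with a small parser. The following is an added example, not tooling from the BlackBerry report or from Cobalt Strike: it extracts the http-get block from profile text and groups Beacons whose pivot fields match exactly. The three profile snippets are constructed for the example, and their hostnames and header values are placeholders rather than indicators from the report.

```python
"""Pivot on Malleable C2 profile fields to cluster Cobalt Strike Beacons.

Added example (not tooling from the BlackBerry report): parses the
http-get block of Malleable C2 profiles and groups Beacons whose set-uri
and Accept / User-Agent / Host / Referer values match exactly.  The
profile snippets are constructed; hostnames and values are placeholders.
"""
import re
from collections import defaultdict

PROFILES = {
    # Two "jQuery"-style profiles that differ only in sleeptime: same
    # operator template, so they should cluster together.
    "beacon-A": '''
set sleeptime "45000";
http-get {
    set uri "/jquery-3.3.1.min.js";
    client {
        header "Accept" "text/javascript, */*; q=0.01";
        header "Host" "code.jquery-cdn.example";
        header "Referer" "http://code.jquery-cdn.example/";
        header "User-Agent" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
    }
}''',
    "beacon-B": '''
set sleeptime "60000";
http-get {
    set uri "/jquery-3.3.1.min.js";
    client {
        header "Accept" "text/javascript, */*; q=0.01";
        header "Host" "code.jquery-cdn.example";
        header "Referer" "http://code.jquery-cdn.example/";
        header "User-Agent" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
    }
}''',
    # A profile imitating Microsoft update traffic: a separate cluster.
    "beacon-C": '''
http-get {
    set uri "/c/msdownload/update/others/2020/10/catalog.cab";
    client {
        header "Accept" "*/*";
        header "Host" "download.windowsupdate.example";
        header "User-Agent" "Microsoft-Delivery-Optimization/10.0";
    }
}''',
}

# The fields the report says matched exactly between the two profiles.
PIVOT_FIELDS = ("set-uri", "accept", "user-agent", "host", "referer")


def parse_http_get(profile: str) -> dict:
    """Extract set-uri and client headers from a profile's http-get block.

    Header names are lower-cased so 'User-Agent' and 'user-agent' compare
    equal; fields absent from the block come back as empty strings.
    """
    fields = {f: "" for f in PIVOT_FIELDS}
    # The block ends at the first closing brace in column 0.
    block = re.search(r"http-get\s*\{(.*?)\n\}", profile, re.S)
    if not block:
        return fields
    body = block.group(1)
    uri = re.search(r'set\s+uri\s+"([^"]*)"', body)
    if uri:
        fields["set-uri"] = uri.group(1)
    for name, value in re.findall(r'header\s+"([^"]+)"\s+"([^"]*)"', body):
        if name.lower() in fields:
            fields[name.lower()] = value
    return fields


def fingerprint(profile: str) -> tuple:
    """Ordered tuple of pivot values; identical tuples are an exact match."""
    f = parse_http_get(profile)
    return tuple(f[k] for k in PIVOT_FIELDS)


def matching_fields(profile_a: str, profile_b: str) -> set:
    """Pivot fields two profiles share verbatim (absent fields never match)."""
    a, b = parse_http_get(profile_a), parse_http_get(profile_b)
    return {k for k in PIVOT_FIELDS if a[k] and a[k] == b[k]}


def cluster(profiles: dict) -> dict:
    """Group Beacon names by fingerprint."""
    groups = defaultdict(list)
    for name, text in profiles.items():
        groups[fingerprint(text)].append(name)
    return dict(groups)


if __name__ == "__main__":
    for fp, members in cluster(PROFILES).items():
        print(members, "->", dict(zip(PIVOT_FIELDS, fp)))
    print("A vs C share:", matching_fields(PROFILES["beacon-A"], PROFILES["beacon-C"]))
```

In practice the input would be fields recovered from Beacon configurations extracted from samples rather than profile source text, but the pivot is the same: an exact match on all five values across unrelated hosting is strong evidence of a shared profile, while a match on User-Agent alone is weak, since popular public profiles reuse common browser strings.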
The domains the team found also follow a similar naming convention, and while working through the campaign BlackBerry discovered a set of three PDFs associated with the .microsoftdocs.workers.[.]before domain, targeting victims in India. The decoys promised information relating to tax rules and COVID-19 notices.
The first tax-related PDF contains an embedded PowerShell script that executes when the user opens the PDF.
“The PowerShell script downloads and executes a payload through ‘%temp%\conhost.exe’, which loads a payload file called ‘event.dat’. This .DAT file is a Cobalt Strike Beacon. The second and third decoys each have similar execution flows and components: a PDF decoy, conhost.exe, and an event.* payload. In this case, those event files had a .LOG extension rather than .DAT,” the report revealed.
“The biggest difference between the second and the third decoy is that the former uses a self-extracting archive named ‘India records highest level ever recorded covid_19 recoveries.pdf.exe’, and the latter uses a ZIP file named ‘India records highest level ever on COVID-19 recovery.zip day’. Decoys two and three also contain the same information in their respective PDF files. Both relate to the record number of COVID-19 recoveries in India, information claiming to be from the Indian government’s Department of Health and Family Welfare.”
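The execution chain described for the three decoys, a PowerShell script launching a file named conhost.exe out of %TEMP% that then loads an event.dat or event.log payload, is the kind of sequence endpoint telemetry can catch without any knowledge of the C2 infrastructure. The following is an added detection example, not from the BlackBerry report: it runs two rules over Sysmon-style process-create and file-create records. The records, host names, user paths and field names (Image, ParentImage, TargetFilename) are constructed for the example and are assumptions about the telemetry format, not data from the report.

```python
"""Detect the decoy execution chain on endpoint telemetry.

Added example, not from the BlackBerry report.  Rule 1: a process named
conhost.exe running from anywhere but the Windows system directories
(the genuine binary lives in System32).  Rule 2: an event.dat / event.log
file written into the same directory as such a fake conhost.exe.  The
records below are constructed Sysmon-style events; paths and host names
are placeholders.
"""
import ntpath
import re

# The real conhost.exe lives here; anything else with that name is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Filenames the report gives for the Beacon payload loaded by conhost.exe.
PAYLOAD_NAME = re.compile(r"^event\.(dat|log)$", re.I)

# Constructed telemetry, in time order.  eid 1 = process create,
# eid 11 = file create.  ws2 shows benign look-alikes; ws1 shows the chain.
EVENTS = [
    {"host": "ws2", "eid": 1,
     "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws1", "eid": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\PDF Reader\reader.exe"},
    {"host": "ws1", "eid": 1,
     "Image": r"C:\Users\alice\AppData\Local\Temp\conhost.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws1", "eid": 11,
     "Image": r"C:\Users\alice\AppData\Local\Temp\conhost.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\event.dat"},
    # A logging agent writing event.log in its own directory: no fake
    # conhost.exe there, so rule 2 must stay quiet.
    {"host": "ws2", "eid": 11,
     "Image": r"C:\Program Files\Syslog\agent.exe",
     "TargetFilename": r"C:\ProgramData\Syslog\event.log"},
]


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def masquerading_conhost(ev: dict) -> bool:
    """Rule 1: process-create of a conhost.exe outside the system dirs."""
    if ev["eid"] != 1:
        return False
    image = ev["Image"]
    return ntpath.basename(image).lower() == "conhost.exe" and not in_system_dir(image)


def detect(events: list) -> list:
    """Return (host, rule, path) alerts for a time-ordered event stream."""
    alerts = []
    fake_dirs = {}  # host -> directories seen holding a fake conhost.exe
    for ev in events:
        host = ev["host"]
        if masquerading_conhost(ev):
            parent = ntpath.basename(ev["ParentImage"]).lower()
            rule = "conhost.exe outside System32 (parent: %s)" % parent
            alerts.append((host, rule, ev["Image"]))
            fake_dirs.setdefault(host, set()).add(ntpath.dirname(ev["Image"]).lower())
        elif ev["eid"] == 11 and PAYLOAD_NAME.match(ntpath.basename(ev["TargetFilename"])):
            # Rule 2: the payload only matters next to a fake conhost.exe.
            if ntpath.dirname(ev["TargetFilename"]).lower() in fake_dirs.get(host, set()):
                alerts.append((host, "event.* payload beside fake conhost.exe",
                               ev["TargetFilename"]))
    return alerts


if __name__ == "__main__":
    for host, rule, path in detect(EVENTS):
        print(host, "|", rule, "|", path)
```

Rule 1 is high-fidelity on its own: a system binary name in a user-writable directory is rarely legitimate, and the PowerShell parent recorded in the alert ties it back to the PDF. Rule 2 is deliberately scoped to the directory of an already-flagged conhost.exe, because event.log on its own is far too common a filename to alert on.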
Researchers noted that a September 2020 report from Subex had revealed similar phishing attempts targeting Indian nationals. That report attributed the attack to the Evilnum APT group, but BlackBerry's researchers disagreed, citing a number of reasons they believe the culprit is APT41.
The payloads are Cobalt Strike Beacons, a hallmark of APT41 according to BlackBerry, and a number of configuration settings in them tie the attack to APT41.
“With the resources of a nation-state threat group, it is possible to create a truly astounding level of diversity in their infrastructure. And although no security group has the same level of funding, by pooling our collective intelligence we can still uncover the leads that the cybercriminals involved have worked so hard to hide,” the researchers added.