Chinese state-sponsored APT41 is behind more cyberattack campaigns than previously known, according to new research from the BlackBerry Research and Intelligence Unit.
Starting from FireEye's earlier documentation of Cobalt Strike activity that used a bespoke malleable command-and-control (C2) profile, the researchers hunted for other malware campaigns in which Cobalt Strike was paired with the same kind of custom profile. They found previously unnoticed links between attacks and pieced together a campaign that plays on people's fears about the pandemic.
“We were able to uncover what we believe is additional APT41 infrastructure by taking these unique aspects and following the trail of digital breadcrumbs,” Blackberry researchers said. “Overlapping indicators of compromise (IoCs) linked the trail of our findings to those of two additional campaigns documented by Positive Technologies and Prevailion,” respectively, as “Higaisa or Winnti? APT41 backdoors, old and new,” and “The Gh0st Remains the Same.”
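The pivot the researchers describe, linking separate reports through indicators they have in common, is the kind of thing an analyst usually scripts. The following is an added example, not BlackBerry's tooling and not code from any of the reports named above: it refangs and normalizes indicators from several report IoC lists (the three report names and every indicator in them are constructed for the illustration and are not real APT41 infrastructure), then reports which indicators appear in more than one list and which reports those overlaps tie together.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample IoC lists standing in for three hypothetical reports.
# They are illustrative only and are NOT indicators from the BlackBerry,
# Positive Technologies or Prevailion research discussed in the article.
REPORTS = {
    "report_a": [
        "hxxp://update[.]example-cdn[.]test/api/v2",      # defanged URL
        "203.0.113.10",
        "0123456789ABCDEF" * 4,                            # 64 hex chars, SHA-256 shaped
    ],
    "report_b": [
        "UPDATE.example-cdn.test",                         # same host, different case
        "203.0.113.10:443",                                # same IP, with port
        "198.51.100.7",
    ],
    "report_c": [
        "http://update.example-cdn.test/api/v2",           # same URL, not defanged
        "d41d8cd98f00b204e9800998ecf8427e",                # MD5-shaped, unique to this list
    ],
}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HASH_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")


def refang(ioc: str) -> str:
    """Undo common defanging so the same indicator compares equal across reports."""
    s = ioc.strip().lower()
    s = s.replace("hxxp://", "http://").replace("hxxps://", "https://")
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return s


def normalize(ioc: str) -> tuple:
    """Return (type, canonical_value) for a file hash, IP, domain or URL.

    URLs and bare hostnames both pivot on the host, so a defanged URL in one
    report and a plain domain in another land on the same key.
    """
    s = refang(ioc)
    if HASH_RE.match(s):
        return ("hash", s)
    host = re.sub(r"^[a-z]+://", "", s).split("/")[0]   # drop scheme and path
    if re.search(r":\d+$", host):                          # drop a trailing port
        host = host.rsplit(":", 1)[0]
    if IPV4_RE.match(host):
        ipaddress.ip_address(host)   # raises ValueError on an out-of-range octet
        return ("ip", host)
    return ("domain", host.rstrip("."))


def find_overlaps(reports: dict) -> dict:
    """Map each normalized indicator seen in two or more reports to those reports."""
    seen = defaultdict(set)
    for name, iocs in reports.items():
        for ioc in iocs:
            seen[normalize(ioc)].add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) >= 2}


def linked_reports(overlaps: dict) -> list:
    """Pairs of reports that share at least one indicator (the 'trail of breadcrumbs')."""
    pairs = set()
    for names in overlaps.values():
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                pairs.add((a, b))
    return sorted(pairs)


if __name__ == "__main__":
    overlaps = find_overlaps(REPORTS)
    for (kind, value), names in sorted(overlaps.items()):
        print(f"{kind:6} {value:28} shared by {', '.join(names)}")
    print("linked report pairs:", linked_reports(overlaps))
```

Two caveats a practitioner would apply before trusting the output: collapsing URLs to their host is deliberate here, but it also means a path or query string that is itself the fingerprint of a bespoke C2 profile is discarded, so keep the full URL as a second key if that is what you are chasing; and an overlap on shared or commodity infrastructure (a CDN host, a well-known scanner IP) proves nothing, which is why the rarer, attacker-specific artifacts carry the weight in attribution.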
Once the threat is on a user’s machine, it “blends into the digital woodwork by using its own customized profile to hide its network traffic,” the researchers said.
APT41's potential reach is tremendous, and tracking the group's activities effectively requires collaboration among security firms. “With the resources of a nation-state level threat group, it’s possible to create a truly staggering level of diversity in their infrastructure,” the BlackBerry researchers wrote. “And while no one security group has that same level of funding, by pooling our collective brainpower, we can still uncover the tracks that the cybercriminals involved worked so hard to hide.”
Also worth noting, APT41’s activity “shows the recent, ongoing trend for various criminal and nation-state threat actors who continue to adopt Cobalt Strike as a method of attack,” said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows. “With such widespread use, attribution becomes difficult if based solely on a tool, and this research shows how indicators of compromise can be important in an investigation.”
The group “is a prolific actor with an extensive cross-platform…