Tag Archive for: APT41

Chinese Threat Group APT41 Linked To Android Malware Attacks


APT41 Used WyrmSpy and DragonEgg Surveillance Malware to Target Android Users


Security researchers say a Chinese state-sponsored espionage group is using WyrmSpy and DragonEgg surveillance malware to target Android mobile devices.


Researchers at cybersecurity company Lookout said APT41, also tracked as BARIUM, Earth Baku and Winnti, primarily relies on web application attacks and software vulnerabilities and uses WyrmSpy and DragonEgg to target organizations globally.

The company said APT41 recently shifted tactics to develop malware specific to the Android operating system, reusing its existing command-and-control infrastructure, IP addresses and domains to communicate with and issue commands to the two malware families.

APT41 historically exploited specific web applications and software vulnerabilities to carry out surveillance on pre-defined target organizations. According to Mandiant, beginning in May 2021 the group exploited a zero-day vulnerability in the USAHerds application and several vulnerable Internet-facing web applications to compromise at least six U.S. state government networks.

Research by Recorded Future’s Insikt Group also revealed that the cyberespionage group, along with the Tonto Team, targeted four regional despatch centers responsible for operating India’s power grid shortly after India and China engaged in border clashes, which resulted in combat-related casualties for the first time in 45 years.

Android Malware Historically Not On APT41’s Playbook

According to Lookout, APT41 likely used social engineering to distribute WyrmSpy and DragonEgg surveillance malware to Android devices, often by disguising the former as a default Android system application and the latter as third-party Android keyboards and messaging applications such as Telegram.

It is unclear whether the two malware types were distributed via Google Play…


Attacks by Prolific APT41 Tied to Chinese Government


Chinese state-sponsored APT41 is behind more cyberattack campaigns than previously known, according to new research from the Blackberry Research and Intelligence Unit.

Starting from FireEye's earlier documentation of Cobalt Strike activity that used a bespoke, malleable command-and-control (C2) profile, the researchers tracked down other malware campaigns that used Cobalt Strike with that kind of bespoke malleable C2 profile. They discovered previously unnoticed links between attacks and uncovered a campaign that plays on people's fears about the pandemic.


“We were able to uncover what we believe is additional APT41 infrastructure by taking these unique aspects and following the trail of digital breadcrumbs,” Blackberry researchers said. “Overlapping indicators of compromise (IoCs) linked the trail of our findings to those of two additional campaigns documented by Positive Technologies and Prevailion,” respectively, as “Higaisa or Winnti? APT41 backdoors, old and new,” and “The Gh0st Remains the Same.”
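The pivoting step the researchers describe, linking separately reported campaigns through indicators they share, comes down to building an overlap graph over per-campaign indicator sets and taking its connected components. The following is an added illustration, not BlackBerry's tooling; the campaign names and every indicator value in it are constructed for the example and do not come from any of the cited reports.

```python
"""Constructed example: linking campaigns through shared indicators of compromise.

Each campaign is a set of network/file indicators (domains, IPs, hashes). Two
campaigns are linked when they share at least one indicator; an infrastructure
cluster is a connected component of that graph. All names and indicator values
below are made up for this example (RFC 5737 documentation address ranges and
placeholder hashes), not data from BlackBerry, Positive Technologies or Prevailion.
"""
from collections import defaultdict
from itertools import combinations

# Hypothetical campaigns and indicators (constructed sample data).
CAMPAIGNS = {
    "cs-malleable-profile": {"203.0.113.10", "update-cdn.example", "deadbeef01"},
    "pandemic-lure":        {"update-cdn.example", "198.51.100.7", "cafebabe02"},
    "gh0st-variant":        {"198.51.100.7", "mail-sync.example", "0badf00d03"},
    "unrelated-crimeware":  {"192.0.2.99", "pay-now.example", "1234567804"},
}


def shared_indicators(campaigns):
    """Return {(campaign_a, campaign_b): shared_iocs} for every overlapping pair."""
    links = {}
    for a, b in combinations(sorted(campaigns), 2):
        common = campaigns[a] & campaigns[b]
        if common:
            links[(a, b)] = common
    return links


def pivot_indicators(campaigns):
    """Invert the data: each indicator seen in more than one campaign -> campaigns."""
    index = defaultdict(set)
    for name, iocs in campaigns.items():
        for ioc in iocs:
            index[ioc].add(name)
    return {ioc: names for ioc, names in index.items() if len(names) > 1}


def cluster_campaigns(campaigns):
    """Connected components of the overlap graph, via iterative depth-first search.

    Returns a list of frozensets; campaigns in the same set are transitively
    linked (A shares with B, B shares with C => A, B, C in one cluster).
    """
    adjacency = defaultdict(set)
    for a, b in shared_indicators(campaigns):
        adjacency[a].add(b)
        adjacency[b].add(a)

    seen, clusters = set(), []
    for start in sorted(campaigns):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(adjacency[node] - component)
        seen |= component
        clusters.append(frozenset(component))
    return clusters


if __name__ == "__main__":
    for pair, iocs in shared_indicators(CAMPAIGNS).items():
        print(f"{pair[0]} <-> {pair[1]} via {sorted(iocs)}")
    for cluster in cluster_campaigns(CAMPAIGNS):
        print("cluster:", sorted(cluster))
```

With the constructed data, the first three campaigns fall into one cluster because a shared domain links the first two and a shared IP links the second and third, while the fourth stays alone; in practice the same transitive linking is what lets overlapping IoCs join findings published by different vendors, and it is also why a shared commodity indicator (a public DNS resolver, a CDN edge) must be filtered out before pivoting, or unrelated campaigns collapse into one cluster.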

Once the threat is on a user’s machine, it “blends into the digital woodwork by using its own customized profile to hide its network traffic,” the researchers said.

The potential reach of APT41 is tremendous and effectively tracking the group’s activities requires collaboration among security firms. “With the resources of a nation-state level threat group, it’s possible to create a truly staggering level of diversity in their infrastructure,” the BlackBerry researchers wrote. “And while no one security group has that same level of funding, by pooling our collective brainpower, we can still uncover the tracks that the cybercriminals involved worked so hard to hide.”

Worth noting, APT41’s activity “shows the recent, ongoing trend for various criminal and nation-state threat actors who continue to adopt Cobalt Strike as a method of attack,” said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows. “With such widespread use, attribution becomes difficult if based solely on a tool, and this research shows how indicators of compromise can be important in an investigation.”

The group “is a prolific actor with an extensive cross-platform…


APT41 Operatives Indicted as Sophisticated Hacking Activity Continues

Five alleged members of the China-linked advanced threat group and two associates have been indicted by a federal grand jury on dozens of charges.
Mobile Security – Threatpost

Meet APT41, the Chinese hackers moonlighting for personal gain – CyberScoop


In a first for China-based group, FireEye said, the APT hackers are using malware typically reserved for spying for personal gain.
