APT41 Spinoff Expands Chinese Actors Scope Beyond Asia

Published: 23/11/2024 | Category: security




Earth Baku, yet another subgroup of the highly active and increasingly sophisticated collective, is moving into EMEA with new malware and living-off-the-land (LotL) tactics.



A China-backed threat group that is best known for targeting organizations in Asia with cyber espionage campaigns is furthering its reach into new geographies, including Europe, the Middle East and Africa (EMEA), with attacks that leverage new malware and living-off-the-land (LotL) techniques to broaden its footprint.
Earth Baku, yet another spinoff group associated with the highly prolific APT41, has recently been targeting organizations in Italy, Germany, the United Arab Emirates (UAE), and Qatar, and has been using command-and-control (C2) infrastructure based in Georgia and Romania, according to researchers at Trend Micro.
The regional shift represents a recent change of strategy for the APT41 advanced persistent threat actor, which has been actively tracked since at least 2012 and typically targets the Asia-Pacific region, according to a recent blog post by Trend Micro researchers Ted Lee and Theo Chen. Indeed, Mandiant also recently observed APT41 engaged in a sustained cyber espionage campaign against organizations in multiple sectors across the UK and countries in Europe, in addition to Taiwan, one of the main countries in which it typically operates.
The recent attacks in new regions also show the actor diversifying its malware and tactics, exploiting public-facing applications such as IIS servers for initial access and deploying the Godzilla webshell for persistence and command-and-control (C2), according to Trend Micro. Loaders such as StealthVector and StealthReacher, used in the campaign to deliver APT41's latest modular backdoor, SneakCross, demonstrate that Earth Baku is bolstering its capabilities to evade detection, the researchers noted.
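Because the intrusions described above begin at an exposed IIS server and persist through a webshell, the most useful artefact a defender already has is the IIS access log. The script below is an added example, not Trend Micro's tooling and not a Godzilla-specific signature: it parses IIS W3C logs and scores each server-side script URI on generic webshell indicators (a script that is only ever POSTed to and never fetched with GET, requests that carry no Referer, a script sitting under a directory that should hold only static files, and a URI touched by a single client address). The sample log, the directory list and the two-indicator threshold are constructed assumptions to be tuned to the real site.

```python
"""
Hunt for webshell-like request patterns in IIS W3C access logs.

Added example, not part of the Trend Micro report or the Earth Baku toolset.
The heuristics are generic webshell indicators (assumptions, not
Godzilla-specific signatures).
"""
from collections import defaultdict

# Constructed sample log (not real traffic). Columns follow the IIS W3C
# "#Fields:" header; IIS encodes spaces inside a value as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-11-20 09:12:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://www.example.com/ 200 0 0 31
2024-11-20 09:12:04 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://www.example.com/index.aspx 302 0 0 40
2024-11-20 09:12:05 10.0.0.5 GET /login.aspx - 443 - 198.51.100.9 Mozilla/5.0+(Macintosh) https://www.example.com/ 200 0 0 22
2024-11-20 09:15:10 10.0.0.5 POST /aspnet_client/img.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2024-11-20 09:15:11 10.0.0.5 POST /aspnet_client/img.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 9
2024-11-20 09:15:13 10.0.0.5 POST /aspnet_client/img.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 850
2024-11-20 09:16:00 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://www.example.com/ 200 0 0 3
"""

SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp")
# Directories expected to serve static content or nothing at all; a script
# appearing under one is suspicious. Assumed list, tune to the site layout.
STATIC_DIRS = ("/aspnet_client/", "/images/", "/img/", "/uploads/", "/css/", "/js/")


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def hunt(text, min_requests=2):
    """Score each server-side script URI and return those with >= 2 indicators."""
    by_uri = defaultdict(lambda: {"methods": set(), "clients": set(),
                                  "no_referer": 0, "total": 0})
    for rec in parse_iis_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if not uri.endswith(SCRIPT_EXTS):
            continue  # static files cannot be webshells
        st = by_uri[uri]
        st["total"] += 1
        st["methods"].add(rec["cs-method"].upper())
        st["clients"].add(rec["c-ip"])
        if rec.get("cs(Referer)", "-") == "-":
            st["no_referer"] += 1

    findings = []
    for uri, st in sorted(by_uri.items()):
        if st["total"] < min_requests:
            continue  # too little traffic to judge
        reasons = []
        if st["methods"] == {"POST"}:
            reasons.append("only POST, never GET")
        if st["no_referer"] == st["total"]:
            reasons.append("no Referer on any request")
        if uri.startswith(STATIC_DIRS):
            reasons.append("script under static directory")
        if len(st["clients"]) == 1:
            reasons.append("single client address")
        # Require two independent indicators to keep false positives down.
        if len(reasons) >= 2:
            findings.append({"uri": uri, "requests": st["total"],
                             "clients": sorted(st["clients"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['uri']} ({f['requests']} requests from {', '.join(f['clients'])}): "
              + "; ".join(f["reasons"]))
```

On the constructed sample, `/login.aspx` is cleared (it is fetched with GET, carries a Referer and is used by two clients) while `/aspnet_client/img.aspx` trips all four indicators. Against real logs, feed the script a full day of W3C output and review every hit by pulling the file's creation time and owner on the server; a script whose creation time falls inside the attack window and that nothing in the deployment pipeline accounts for is the one to pull for analysis.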
Earth Baku also has been wielding several new post-exploitation tools that show the group combining custom and publicly available tooling, including the open source Rakshasa proxy tool and Tailscale for persistence, and MEGAcmd for efficient data exfiltration, so that the group can move larger volumes of stolen data more efficiently, the researchers observed.
What all of this means is that not only does APT41 have yet another subgroup doing its dirty work, but it also has an evolving and increasingly sophisticated threat profile, which can potentially pose significant challenges for cybersecurity defenses, they noted in the post.
APT41 is an umbrella descriptor for a dangerous collective of Chinese threat groups, variously referred to as Winnti, Wicked Panda, Barium, and Suckfly, that have stolen trade secrets, intellectual property, healthcare-related data, and other sensitive information from US organizations and entities around the world on behalf of the Chinese government. Four years ago, the US government indicted five members of APT41 for activities related to attacks on more than 100 companies worldwide. Still, the group remains highly active, thanks in part to spinoffs like Earth Baku that keep its activity fresh with new tools and tactics.
Trend Micro tracked Earth Baku through a spate of recent attacks in EMEA that offer insight into new tactics and tools, including StealthVector. The malware is a customized backdoor loader the group uses to launch further binaries stealthily; it is also an update to a loader that Trend Micro first documented in 2021, the researchers noted.
"Although it has changed little in terms of configuration structure, it now uses AES as its encryption algorithm instead of customized ChaCha20," they wrote. "In some variants, we also observed a code virtualizer being used for code obfuscation, making the malware more difficult to analyze. It also inherited other defense evasion techniques to make sure the backdoor components were executed stealthily."
Trend Micro also uncovered another malware, SneakCross, a modular backdoor that uses Google services for its C2 communication and Windows Fibers to evade detection by network-protection products and endpoint detection and response (EDR) solutions. The malware is likely a successor to APT41's previous modular backdoor, ScrambleCross; "modularity allows the attacker to easily update its capabilities, modify its behavior, and customize functionality for different scenarios," the researchers wrote.
Also notable about the latest Earth Baku attacks are post-exploitation activities that deploy a series of further tools to maintain persistence, escalate privileges, and allow for discovery and exfiltration of data.
As APT41 continues to fortify its tools and tactics for more sophistication and agility, Trend Micro recommends that organizations shore up their defenses as well, using the principle of least privilege to restrict access to sensitive data and closely monitoring user permissions. This will make it more challenging for attackers to move laterally within a corporate network, the researchers noted.
Defenders also should regularly update systems and applications, and enforce strict patch-management policies to address security gaps within their systems, as well as develop defensive measures to identify and mitigate threats in the event of a breach.
Further, by adopting what's called the 3-2-1 backup rule and maintaining at least three copies of corporate data in two different formats, including an air-gapped copy stored off-site, organizations can ensure that data remains intact even in the event of a successful attack, the researchers said.
