An analysis of China-backed advanced persistent threat (APT) actor APT41’s activities has shown the group to be using a unique — and somewhat inexplicable — method for deploying its main Cobalt Strike payload on victim systems.
Researchers from Singapore-based Group-IB also discovered that the adversary is using a variety of dual-use tools for conducting reconnaissance.
So far, Group-IB has identified at least 13 major organizations worldwide that have been compromised over four separate campaigns, with the APT gaining varying levels of access. Victims included organizations in the government, healthcare, manufacturing, logistics, hospitality, and media sectors in the US as well as China, India, Taiwan, and Vietnam.
The security vendor concluded that the actual number of APT41’s victims could be much higher,
based — among other things — on the fact that it observed signs of APT-related activity at a total of 80 private and government organizations in 2021.
Puzzling Payload Deployment Strategy for Cobalt Strike
One interesting aspect of the campaigns that Group-IB analyzed was the tendency by APT41 to encode its main custom Cobalt Strike binary in Base64, then break it up into smaller chunks of 775 characters. These are then added to a text file. In one instance, the threat actors had to repeat the action 154 times to write the entire payload to the file.
In another instance, Group-IB researchers observed the threat actor breaking up the code into chunks of 1,024 characters before writing the payload to a text file using 128 iterations of the process.
Nikita Rostovcev, an analyst within Group-IB’s APT research team, says it’s unclear why APT41 might have adopted the strategy but surmises it may be an attempt at remaining under the radar.
“We do not fully know why the attackers chose this method because SQLmap has a large data transfer limit, which means it was done intentionally, most likely in order to prevent its detection,” he says.
However, detecting the ruse is not difficult, especially considering that the payload was encoded in Base64 at the end, he adds: “This is a unique finding. We have not seen any other attackers use this method in their attacks.”
SQL Injection & Dual-Use Tools
Group-IB’s analysis shows the threat actors had shifted tactics for initial access, performing SQL injection attacks using the SQLmap tool to gain a foothold to some target organizations. SQLmap automatically discovers and exploits SQL vulnerabilities. The SQL injection attacks allow APT41 actors to gain command shell access on some targeted servers.
The tactic marks a deviation from APT41’s usual pattern of using phishing, watering-hole attacks, and stolen credentials as an initial access vectors.
APT41 mainly went after databases with information about existing user accounts, employee lists, and passwords stored in plaintext and hashed form. In total, APT41 actors attacked 86 vulnerable websites and applications belonging to the targeted organizations, and they were able to compromise half of them via SQL injection.
“Typically, attackers from APT41 are interested in information about existing users and their accounts and any data that can be used for further lateral movement,” Rostovcev says.
Once the threat actor has gained access to a target network it has been known to deploy numerous other custom tools to carry out its mission. In its report earlier this year, Cybereason identified some of these tools as DeployLog, for deploying the threat group’s main kernel-level rootkit, an initial payload called Spyder Loader; a tool for storing payloads called StashLog; and one for privilege escalation dubbed PrivateLog.
In the 2021 campaigns that Group-IB investigated, it discovered APT41 actors using tools such as Acunetix’s Web vulnerability scanner, Nmap, and OneForAll, and pen-testing tools such as subdomain3, subDomainsBrute, and Sublist3r.
“All these utilities — except Acunetix — are available to the public and used not only in hacker’s attacks but in penetration tests, for example,” Rostovcev says.
Rostovcev describes the tools as falling into multiple categories, including those that can be used to look for hidden directors and forgotten backup archives, and those for scanning ports and the services running on them.
A Prolific & Persistent State-Sponsored Threat Actor
APT41 (aka Winnti, Wicked Panda, Barium, and Blackfly) is a well-known APT group that first surfaced in 2010 with attacks on the likes of Google and Yahoo. The group is believed to be working on behalf of the Chinese government — or at least with its tacit support. Some have described APT41 as representing a collection of cyber threat actors carrying out directives from China’s intelligence agencies.
Though the US government indicted five APT41 members in 2020 and multiple security vendors have chronicled its activities and TTPs, the threat actor has continued its activities unfazed. The Cybereason report shows that APT41 stole hundreds of gigabytes of sensitive data from 30 organizations in North America in a recent cyber-espionage campaign.