Several organizations operating in the global shipping and logistics, media and entertainment, technology and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey and the UK have been targeted in a “sustained campaign” by the prolific China-nexus APT41 hacking group.
“APT41 has successfully penetrated and maintained sustained unauthorized access to multiple victim networks since 2023, allowing them to mine sensitive data over an extended period,” Google-owned Mandiant said in a new report released Thursday.
The threat intelligence firm described the group as unique among China-nexus actors for using “non-public malware that is typically intended for espionage operations in activities that appear to be outside the scope of state-sponsored missions.”
Attack chains include the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROVE) to achieve persistence, deliver additional payloads, and exfiltrate data of interest.
The web shells act as a conduit to load the DUSTPAN (aka StealthVector) dropper, which is responsible for loading the Cobalt Strike Beacon for command and control (C2) communications, followed by the deployment of the DUSTTRAP dropper after lateral movement.
DUSTTRAP, for its part, is configured to decrypt a malicious payload and execute it in memory; the payload then contacts an attacker-controlled server or a compromised Google Workspace account in an attempt to make its command-and-control traffic blend in with legitimate activity.
Google said the identified Workspace accounts have been remediated to prevent further unauthorized access. However, it is not known how many accounts were affected.
The intrusions are also characterized by the use of SQLULDR2 to export data from Oracle databases to a local text file and PINEGROVE to transfer large volumes of sensitive data out of compromised networks by abusing Microsoft OneDrive as an exfiltration vector.
It should be noted here that the malware families Mandiant tracks as DUSTPAN and DUSTTRAP correspond to the families codenamed DodgeBox and MoonWalk, respectively, by Zscaler ThreatLabz.
“DUSTTRAP is a multi-level plug-in framework with multiple components,” the Mandiant researchers said, adding that at least 15 plugins have been identified that are capable of executing shell commands, performing file system operations, listing and terminating processes, recording keystrokes and screenshots, collecting system information and modifying the Windows registry.
It is also designed to probe remote hosts, perform Domain Name System (DNS) lookups, list remote desktop sessions, upload files, and perform various manipulations of Microsoft Active Directory.
“The DUSTTRAP malware and related components seen during the intrusion were signed with what are believed to be stolen code signing certificates,” the company said. “One of the code signing certificates appears to have been linked to a South Korean company operating in the gaming industry sector.”
GhostEmperor Returns to Haunt
The disclosure comes after Israeli cybersecurity firm Sygnia revealed details of a cyber attack campaign orchestrated by a sophisticated China-nexus threat group called GhostEmperor to deliver a variant of the Demodex rootkit.
The exact method used to breach the targets is currently unclear, although the group has previously been observed exploiting known flaws in internet-facing applications. Initial access facilitates the execution of a Windows batch script that extracts a cabinet (CAB) archive to ultimately run the main implant module.
The implant is equipped to manage C2 communications and install the Demodex kernel rootkit, using an open-source project called Cheat Engine to bypass the Windows Driver Signature Enforcement (DSE) mechanism.
“GhostEmperor uses a multi-stage malware to achieve stealthy execution and persistence and uses multiple methods to thwart the analysis process,” security researcher Dor Nizar said.