A China-linked advanced persistent threat (APT) group tracked as APT41 is suspected of using an “enhanced and updated version” of a known malware loader called StealthVector to deliver a previously undocumented backdoor called MoonWalk.
The new variant of StealthVector (also tracked as DUSTPAN) has been codenamed DodgeBox by Zscaler ThreatLabz, which discovered the loader in April 2024.
“DodgeBox is a loader that proceeds to load a new backdoor called MoonWalk,” security researchers Yin Hong Chang and Sudeep Singh said. “MoonWalk shares many of the evasion techniques implemented in DodgeBox and uses Google Drive for command-and-control (C2) communication.”
APT41 is an alias given to a prolific China-linked state-sponsored threat actor known to have been active since at least 2007. It is also tracked by the wider cyber security community under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda and Winnti.
In September 2020, the US Department of Justice (DoJ) indicted several threat actors associated with the hacking team for orchestrating infiltration campaigns targeting more than 100 companies worldwide.
“The intrusions (…) facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information,” the Justice Department said at the time, adding that they also included “other criminal schemes, including ransomware and crypto-jacking schemes.”
Over the past few years, the threat group has been linked to the compromise of US state government networks between May 2021 and February 2022, as well as to attacks targeting Taiwanese media organizations using an open-source tool known as Google Command and Control (GC2).
APT41’s use of StealthVector was documented for the first time by Trend Micro in August 2021, describing it as a shellcode loader written in C/C++ used to deliver the Cobalt Strike Beacon and a shellcode implant called ScrambleCross (aka SideWalk).
DodgeBox is assessed to be an improved version of StealthVector that also incorporates techniques such as call stack spoofing, DLL sideloading, and DLL extraction to evade detection. The exact method by which the malware is distributed is currently unknown.
“APT41 uses DLL sideloading as a means to execute DodgeBox,” the researchers said. “They use a legitimate executable (taskhost.exe) signed by Sandboxie to load a malicious DLL (sbiedll.dll).”
The malicious DLL (DodgeBox itself) is a loader DLL written in C that acts as a conduit to decrypt and run the second-stage payload, the MoonWalk backdoor.
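The sideloading chain described above is a signed host executable (taskhost.exe) loading a companion DLL (sbiedll.dll) from its own directory. As an added illustration, not taken from the Zscaler report, the following defender-side heuristic flags that pattern in module-load telemetry: a DLL loaded from the executable's own directory whose Authenticode signer does not match the executable's. The event schema, paths and signer strings are constructed for the example.

```python
"""Flag candidate DLL sideloading in constructed module-load events.

The ModuleLoad fields and signer names are an assumption for this
example, not a real EDR schema or real certificate subjects.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

SIGNED_VENDOR = "SandboxieVendor (constructed signer name)"


@dataclass(frozen=True)
class ModuleLoad:
    image: str          # full path of the process executable
    image_signer: str   # signer of the executable; "" means unsigned
    module: str         # full path of the DLL being mapped
    module_signer: str  # signer of the DLL; "" means unsigned


def is_suspicious_sideload(ev: ModuleLoad) -> bool:
    """True when a DLL is pulled from the executable's own directory
    (search-order sideloading) but is not signed by the same party as
    the executable. A vendor's companion DLLs are normally signed by
    that vendor, so a mismatch or an unsigned DLL next to a signed
    binary is worth a closer look. Loads from other directories
    (System32, Program Files\Common Files) are out of scope here."""
    exe_dir = PureWindowsPath(ev.image).parent
    dll = PureWindowsPath(ev.module)
    if dll.suffix.lower() != ".dll" or dll.parent != exe_dir:
        return False
    # Case-insensitive compare: signer strings vary in casing across tools.
    return ev.module_signer.casefold() != ev.image_signer.casefold()


def find_sideloads(events):
    """Return the events that match the sideloading heuristic."""
    return [ev for ev in events if is_suspicious_sideload(ev)]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Benign: vendor exe loads its own vendor-signed companion DLL.
    ModuleLoad(r"C:\Program Files\Sandboxie\taskhost.exe", SIGNED_VENDOR,
               r"C:\Program Files\Sandboxie\sbiedll.dll", SIGNED_VENDOR),
    # Suspicious: signed exe copied to a writable folder, unsigned DLL beside it.
    ModuleLoad(r"C:\Users\Public\Libraries\taskhost.exe", SIGNED_VENDOR,
               r"C:\Users\Public\Libraries\sbiedll.dll", ""),
    # Out of scope: a Microsoft-signed system DLL loaded from System32.
    ModuleLoad(r"C:\Users\Public\Libraries\taskhost.exe", SIGNED_VENDOR,
               r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
]
```

The heuristic will not catch a sideloaded DLL signed with a stolen or look-alike certificate, so it belongs alongside file-hash and path-reputation checks rather than replacing them.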
The attribution of DodgeBox to APT41 stems from the similarities between DodgeBox and StealthVector; its use of DLL sideloading, a method widely used by China-nexus groups to deliver malware such as PlugX; and the fact that DodgeBox samples were submitted to VirusTotal from Thailand and Taiwan.
“DodgeBox is a newly identified malware downloader that uses multiple techniques to evade both static and behavioral detection,” the researchers said.
“It offers a variety of capabilities, including decrypting and loading embedded DLLs, performing environment and binding checks, and performing cleanup routines.”