Pierluigi Paganini August 21, 2019

Security experts at FireEye observed Chinese APT41 APT group targeting a web server at a U.S.-based research university.

Experts at FireEye observed Chinese APT41 APT group targeting a web server at a U.S.-based research university.

The APT41 has been active since at least 2012, it was involved in both state-sponsored espionage campaigns and financially-motivated attacks since 2014. The group hit entities in several industries, including the gaming, healthcare, high-tech, higher education, telecommunications, and travel services industries.

Unlike other China-based actors, the group used custom malware in cyber espionage operations, experts observed 46 different malware families and tools in APT41 campaigns.

“APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain.” states the report published by FireEye. “Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.”

FireEye experts published a detailed report on the evolution of the group’s tactics, techniques, and procedures (TTPs), they found an overlap with other known Chinese espionage operator like BARIUM and the Winnti APT groups.

APT41 leverages several techniques to carry out the initial compromise, including spearphishing, moving laterally from trusted third parties, leveraging stolen credentials.

Experts observed APT41 using spear-phishing email with attachments such as compiled HTML (.chm) files.

The arsenal of the group includes backdoors, credential stealers, keyloggers, and rootkits. The APT41 cyber espionage group also leveraged TeamViewer to deploy its malware into the targets’ compromised environment.

The attack against a publicly-accessible web server at a U.S.-based research university took place on April 2019. The hackers exploited the CVE-2019-3396 vulnerability in Atlassian Confluence Server to compromise the systems and load additional payloads, including a variant of the China Chop web shell.

The attack involved two additional files, the HIGHNOON backdoor and a rootkit, then within the next 35 minutes, the attackers used both the China Chopper web shell and the HIGHNOON backdoor to send commands to the compromised server.

“HIGHNOON is a backdoor that consists of multiple components, including a loader, dynamic-link library (DLL), and a rootkit. When loaded, the DLL may deploy one of two embedded drivers to conceal network traffic and communicate with its command and control server to download and launch memory-resident DLL plugins.” reads the analysis published by FireEye.

Attackers used the HIGHNOON backdoor to execute a PowerShell command and download a script from PowerSploit. This script appears to be a copy of Invoke-Mimikatz post-exploitation tools, reflectively loading Mimikatz 2.0 into memory.

The hackers also conducted additional reconnaissance and downloaded two additional files, representing the dropper and encrypted/compressed payload components of the ACEHASH malware. The ACEHASH malware is a credential stealer and password dumping utility.

Summarizing the hackers were able to exploit the vulnerability in vulnerable Confluence system to execute command and deploy custom malware. While Mimikatz failed, the ACEHASH malware allowed the attackers to harvest a single credential from the system. The good news is that FireEye successfully neutralized the attack.

Pierluigi Paganini

(SecurityAffairs – APT41, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]