Ahead of its annual BlackBerry Security Summit, the BlackBerry Ltd. Research & Intelligence team today unveiled new research into Advanced Persistent Threat group 41, finding that it was linked to far more hacking campaigns than previously known.
APT 41, also known as Wicked Panda and Winti, is a Chinese state-sponsored hacking group that has previously been linked to a Chinese government intelligence agency. The group is prolific in its hacking activity and allegedly carries out espionage activities for the Chinese Communist Party and financially motivated activities outside state control.
The group has been in the spotlight several times over the last 18-months. In March 2020, FireEye Inc. detailed a global intrusion campaign being operated by APT41 using multiple exploits. These used phishing emails with malicious attachments and an initial infection vector. Having gained access, the group would then typically deploy more advanced malware to establish a persistent foothold.
The U.S. Department of Justice Members subsequently indicted members of the group in September 2020.
One previous commonality in those earlier APT41 attacks was using Cobalt Strike with a bespoke malleable command-and-control profile. Cobalt Strike is commercial penetration testing software that has become a favorite tool of hackers worldwide.
The Blackberry researchers dug into past disparate malware campaigns where Cobalt Strike with malleable C&C was being used, not a particularly common hacking method. Perhaps not surprisingly, they found many previously unlinked attacks were attributable to APT41.
“The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims,” the researchers note. “And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic.”
While digging around, the researchers also discovered new phishing lures targeting victims in India, containing information related to new tax legislation and COVID-19 statistics.
The messages targeting Indians masqueraded as being from Indian government entities. These lures were part of an execution chain and aimed to load and execute a Cobalt Strike Beacon on a victim’s network.
“With the resources of a nation-state level threat group, it’s possible to create a truly staggering level of diversity in their infrastructure,” the researchers concluded. “And while no one security group has that same level of funding, by pooling our collective brainpower, we can still uncover the tracks that the cybercriminals involved worked so hard to hide.”