Rewterz Threat Alert – APT41 and LOWKEY launch financially motivated attacks

Severity

High

Analysis Summary

APT41 is described by FireEye as a Chinese state-sponsored group involved in espionage and attacks that financially benefit the group. FireEye has published a report looking at some of the malware used by the group, LOWKEY and DEADEYE. The first malware family analyzed is three variants of DEADEYE, which use RC5 encryption that FireEye note is unusual in malware they typically analyze. DEADEYE also features an additional RC4 layer. Two variants of LOWKEY were also identified, one that uses a listener on TCP port 53, the other that listens on TCP port 80 (HTTP) and intercepts URLs containing commands. LOWKEY has been used in tightly targeted attacks and utilizes system specific payloads.

Impact

Exposure of sensitive information

Indicators of Compromise

MD5

• 2b9244c526e2c2b6d40e79a8c3edb93c
• 04be89ff5d217796bc68678d2508a0d7
• 092ae9ce61f6575344c424967bd79437
• 37e100dd8b2ad8b301b130c2bca3f1ea
• 39fe65a46c03b930ccf0d552ed3c17b1
• 5322816c2567198ad3dfc53d99567d6e
• 557ff68798c71652db8a85596a4bab72
• 64e09cf2894d6e5ac50207edff787ed7
• 650a3dce1380f9194361e0c7be9ffb97
• 7dc6bbc202e039dd989e1e2a93d2ec2d
• 7f05d410dc0d1b0e7a3fcc6cdda7a2ff
• 904bbe5ac0d53e74a6cefb14ebd58c0b
• c11dd805de683822bf4922aecb9bfef5
• d49c186b1bfd7c9233e5815c2572eb98
• e58d4072c56a5dd3cc5cf768b8f37e5e
• eb37c75369046fb1076450b3c34fb8ab
• ee5b707249c562dc916b125e32950c8d
• ff8d92dfbcda572ef97c142017eec658
• ffd0f34739c1568797891b9961111464

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious from emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.