Severity
High
Analysis Summary
Blackfly, also tracked as APT41, Winnti Group, and Bronze Atlas, is a China-linked espionage group that has been active since at least 2010, making it one of the longest-known Chinese APT groups.
The group has deployed several malware families, including PlugX/Fast, Winnti/Pasteboy, and Shadowpad, against a wide range of sectors: computer gaming, semiconductors, telecoms, materials manufacturing, pharmaceuticals, media and advertising, hospitality, natural resources, fintech, and food.
Intellectual property theft is a common motivation for cyber espionage groups, since stolen intellectual property (IP) can be used to gain a competitive advantage or sold on the black market. The group's technical capability has not changed, but its toolkit has been updated frequently, most likely to stay ahead of detection.
To reduce the risk of intrusion by Blackfly and other APTs pursuing IP theft, researchers recommend a defense-in-depth strategy with multifactor authentication (MFA) enforced across the enterprise network, supported by firewalls, intrusion detection and prevention systems, and a security information and event management (SIEM) solution, together with regular security assessments and employee training.
Impact
- Theft Of Intellectual Property (IP)
- Cyber Espionage
Indicators of Compromise
MD5
- 72070b165d1f11bd4d009a81bf28a3e5
- f062183da590aba5e911d2392bc29181
- f0953ed4a679b987a2da955788737602
- bc85062de0f70afd44bb072b0b71a8cc
- d72f202c1d684c9a19f075290a60920f
- 0d068b6d0523f069d1ada59c12891c4a
- 393065ef9754e3f39b24b2d1051eab61
- 294cc02db5a122e3a1bc4f07997956da
SHA-256
- 0faddbe1713455e3fc9777ec45adf07b28e24f4c3ddca37586c2aa6b539898c0
- 166b6dcdac31f4bf51e4b20a7c3f7d4f7017ca0c30fa123d5591e25c3fa66107
- 1c88150ec85a07c3db5f18c5eedcb0b653467b897af01d690ed996e5e07ba8e3
- ab56501167fe689fe55f6e6ddc3bb91952299bd5c3ef004b02bf1c3b4061c7cf
- c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db
- 3a7dfc0850136c59104d362b11183a5a61511d056ef393f6a6a63fdba9bbb804
- 33fd050760e251ab932e5ca4311b494ef72cee157b20537ce773420845302e49
- ed606d718874c29b9a1101775069d694b67eb5a4492404ddd98ebfcdcfcce205
SHA-1
- 3872c38625ca62de3bcbe29740c1a0b8921fcf48
- ba6d77f358b4fa00dda5d0e2fdd21c761d154f95
- 5b46b63e31f307757cedf305005ce9990a07cbf4
- 66fb63e6e49c2c201a0b6204e1d0269812a4b662
- 2cc76a0434a1d489c1547c7021a3dd68499141c3
- 9ad85457947b5ba0efea57fcb2df0653ac70c3f8
- c3874d5cc7e82ad373b67a3650b0dfee7c219f8f
- cbe737dc5f427d0d6202132e859ae25b4f48574c
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls. Because this group refreshes its toolkit frequently, treat a clean hash sweep as necessary but not sufficient, and complement it with behavioural detections for the malware families named above.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Adopt multifactor authentication (MFA) across the enterprise network.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
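The following script is an added example for the "search for IOCs" step; it is not part of the original advisory and is not a tool from the researchers cited. It embeds the 24 hashes listed above, hashes every regular file under a directory with MD5, SHA-1 and SHA-256 in a single read, and reports any file whose digest matches. The `demo_scan` function builds a throwaway directory containing a constructed sample file (not malware) so the scanner can be exercised offline; the directory passed on the command line is the only other assumption.

```python
"""Hunt for the Blackfly/APT41 file hashes from this advisory on a filesystem.

Added example (not from the advisory). Digests are computed in one pass per
file and normalised to lowercase, because published IOC lists mix cases.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

# The 24 hashes from the Indicators of Compromise section above, one per line.
# Hash type is inferred from digest length (32 = MD5, 40 = SHA-1, 64 = SHA-256).
ADVISORY_IOCS = """
72070b165d1f11bd4d009a81bf28a3e5
f062183da590aba5e911d2392bc29181
f0953ed4a679b987a2da955788737602
bc85062de0f70afd44bb072b0b71a8cc
d72f202c1d684c9a19f075290a60920f
0d068b6d0523f069d1ada59c12891c4a
393065ef9754e3f39b24b2d1051eab61
294cc02db5a122e3a1bc4f07997956da
0faddbe1713455e3fc9777ec45adf07b28e24f4c3ddca37586c2aa6b539898c0
166b6dcdac31f4bf51e4b20a7c3f7d4f7017ca0c30fa123d5591e25c3fa66107
1c88150ec85a07c3db5f18c5eedcb0b653467b897af01d690ed996e5e07ba8e3
ab56501167fe689fe55f6e6ddc3bb91952299bd5c3ef004b02bf1c3b4061c7cf
c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db
3a7dfc0850136c59104d362b11183a5a61511d056ef393f6a6a63fdba9bbb804
33fd050760e251ab932e5ca4311b494ef72cee157b20537ce773420845302e49
ed606d718874c29b9a1101775069d694b67eb5a4492404ddd98ebfcdcfcce205
3872c38625ca62de3bcbe29740c1a0b8921fcf48
ba6d77f358b4fa00dda5d0e2fdd21c761d154f95
5b46b63e31f307757cedf305005ce9990a07cbf4
66fb63e6e49c2c201a0b6204e1d0269812a4b662
2cc76a0434a1d489c1547c7021a3dd68499141c3
9ad85457947b5ba0efea57fcb2df0653ac70c3f8
c3874d5cc7e82ad373b67a3650b0dfee7c219f8f
cbe737dc5f427d0d6202132e859ae25b4f48574c
"""

HEX = set("0123456789abcdef")


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Return {"md5": {...}, "sha1": {...}, "sha256": {...}} from a text list.
    Blank lines are skipped; anything that is not a hex digest of a known
    length is rejected rather than silently ignored."""
    by_len = {32: "md5", 40: "sha1", 64: "sha256"}
    iocs: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for raw in text.splitlines():
        h = raw.strip().lower()
        if not h:
            continue
        algo = by_len.get(len(h))
        if algo is None or not set(h) <= HEX:
            raise ValueError(f"not a recognised hex digest: {raw!r}")
        iocs[algo].add(h)
    return iocs


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of a file with a single read pass."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            for h in hs.values():
                h.update(buf)
    return {name: h.hexdigest() for name, h in hs.items()}


def scan_tree(root: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, algo, digest) for every file whose digest
    is in iocs. Symlinks are skipped so a planted link cannot drag the scan
    into /proc, device files or a directory loop."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished; a real tool would log this
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return hits


def demo_scan() -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str, str]], str]:
    """Offline self-check on a constructed sample file (not real malware).
    Returns (hits against the advisory IOCs, hits against an IOC list built
    from the sample's own SHA-256, that SHA-256)."""
    payload = b"constructed sample file for the scanner demo, not malware"
    digest = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.bin")
        with open(sample, "wb") as f:
            f.write(payload)
        advisory_hits = scan_tree(d, parse_iocs(ADVISORY_IOCS))
        # Upper-case on purpose: parse_iocs must normalise it to match.
        custom_hits = scan_tree(d, parse_iocs(digest.upper()))
        custom_hits = [(os.path.basename(p), a, h) for p, a, h in custom_hits]
    return advisory_hits, custom_hits, digest


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, digest in scan_tree(root, parse_iocs(ADVISORY_IOCS)):
        print(f"MATCH {algo} {digest} {path}")
```

Run it as `python scan.py /path/to/scan`; it prints one `MATCH` line per hit and nothing on a clean tree. Hashing all three algorithms in one pass means a match on any single digest type the advisory lists is caught without reading the file three times.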