October 22, 2024
Severity
High
Analysis Summary
APT41, also known as Brass Typhoon, Earth Baku, Wicked Panda, or Winnti, is a well-known Chinese nation-state actor that has been implicated in a highly skilled cyberattack against the gaming and gambling sector.
Over at least six months the attackers covertly collected sensitive data from the targeted organization, including network configurations, user passwords, and secrets held in the LSASS process. Throughout the intrusion they updated their toolkit in response to the security team's actions: by watching the defenders work, they adjusted their tactics and tooling to evade detection and retain access to the compromised network.
The multi-stage attack, which lasted almost nine months this year and targeted one of the reporting firm's clients, overlaps with an intrusion set that researchers track under the name Operation Crimson Palace. The researchers, whose firm responded to the incident four months ago, noted that the campaign was directed by state-sponsored decision-makers, but strongly suspect that this time APT41 was after financial gain.
The campaign was designed with stealth in mind and uses a range of tactics, including a custom toolkit that bypasses installed security software, harvests sensitive data, and establishes covert channels for persistent remote access. The researchers characterize APT41 as highly skilled and methodical, capable of both espionage and supply-chain compromise, which can lead to intellectual property theft as well as financially motivated intrusions such as ransomware and cryptocurrency mining.
The precise initial access vector used in the attack is not yet known, but the evidence points to spear-phishing emails, given the absence of exploitable vulnerabilities in internet-facing web applications and no sign of a supply chain compromise. Once inside the target's infrastructure, the attackers performed a DCSync attack to obtain password hashes for service and administrator accounts and escalate their privileges. With these credentials they maintained persistence and control of the network, paying particular attention to developer and administrator accounts.
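DCSync leaves a trace on the domain controller: with "Audit Directory Service Access" enabled, each replication request is logged as Security event 4662 whose Properties field names the replication control-access rights. The following Python is an added example, not code from the report or the researchers, showing the check a detection engineer would run over such events: flag any 4662 control-access event that requests those rights from a principal that is not a domain controller or a known directory-sync account. The event lines, the "EventID key=value" layout, and the allowlist names are constructed for the example; the three GUIDs are the real Active Directory control-access rights.

```python
import re

# Control-access-right GUIDs a DCSync request (DRSUAPI DsGetNCChanges) needs on
# the domain naming context. With "Audit Directory Service Access" enabled they
# show up in the Properties field of Windows Security event 4662.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_FILTERED,
}

# Hypothetical allowlist: principals expected to replicate the directory
# (domain controller computer accounts and a directory-sync service account).
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_3f2a9c1e"}

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed events in a simplified "EventID key=value ..." form, not real
# Windows log output. Replication GUIDs are comma-separated in Properties.
SAMPLE_EVENTS = """\
# constructed sample, not real logs
4662 SubjectUserName=DC02$ SubjectDomainName=CORP ObjectType=domainDNS AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
4662 SubjectUserName=svc_backup SubjectDomainName=CORP ObjectType=domainDNS AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=user AccessMask=0x10 Properties={bf967a86-0de6-11d0-a285-00aa003049e2}
4624 SubjectUserName=jdoe LogonType=3
"""


def parse_event(line):
    """Turn one sample line into a dict; the leading token is the event ID."""
    event_id, *tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens)
    fields["EventID"] = event_id
    return fields


def replication_rights(fields):
    """Replication control-access rights named in the event's Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(fields.get("Properties", ""))}
    return guids & REPLICATION_RIGHTS


def find_dcsync(lines):
    """Return (user, rights) for 4662 control-access events (AccessMask 0x100)
    that request replication rights from a principal not expected to replicate."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = parse_event(line)
        if fields["EventID"] != "4662" or fields.get("AccessMask") != "0x100":
            continue
        rights = replication_rights(fields)
        if not rights:
            continue
        user = fields.get("SubjectUserName", "")
        if user in EXPECTED_REPLICATORS:
            continue
        hits.append((user, sorted(rights)))
    return hits


if __name__ == "__main__":
    for user, rights in find_dcsync(SAMPLE_EVENTS.splitlines()):
        print(f"possible DCSync by {user}: {', '.join(rights)}")
```

The allowlist is the part that needs care in a real environment: every domain controller's computer account and any legitimate sync account must be on it, and anything else requesting these rights is worth an immediate look, since a service account that can replicate the directory can dump every password hash in it.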
According to the report, the attackers methodically carried out reconnaissance and post-exploitation tasks, repeatedly modifying their toolkit in response to countermeasures and escalating privileges to download and run further payloads. Techniques used to achieve this include Phantom DLL Hijacking, the legitimate wmic.exe utility, and abuse of their access to service accounts with administrator rights to trigger execution.
Once the malicious DLL TSVIPSrv.dll has been retrieved over SMB, the payload connects to a hard-coded command-and-control (C2) server. If the hard-coded C2 is unreachable, the implant attempts to update its C2 information by crawling GitHub user pages. It parses the HTML returned by the GitHub query looking for sequences of capitalized words separated only by spaces. Eight such words are collected and only their capital letters in the range A to P are kept, which yields an 8-character string encoding the IP address of the new C2 server.
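The dead-drop resolver described above can be reproduced end to end. The Python below is an added example written for this page, not the implant's code: it strips a page to text, walks runs of capitalized words separated only by spaces, keeps each word's initial when it falls in A..P until eight letters are collected, and turns them into an address. The report says only that letters A to P are kept and that eight characters encode an IP; the mapping used here (A..P as the sixteen hex digits 0..F, two letters per octet) is an assumption that fits those constraints, and the HTML fragment is constructed, not a real GitHub page.

```python
import re

# Assumed encoding (the report says only that the letters A..P are kept and
# that 8 characters encode an IP): A..P stand for the hex digits 0..F, so
# two letters make one octet and eight letters make an IPv4 address.
LETTERS = "ABCDEFGHIJKLMNOP"

# Run of two or more capitalized words separated by single spaces only.
CAP_RUN = re.compile(r"(?<![A-Za-z])[A-Z][a-z]+(?: [A-Z][a-z]+)+")

# Constructed stand-in for a GitHub profile page (not a real page). The
# capitalized runs are the signal; the bio line and the counter are noise.
SAMPLE_HTML = """<html><body>
<p class="bio">Senior Rust Systems Tinkerer at Quantum Works</p>
<p>Favourite things: Mango Apple Kiwi Iris Acorn Birch Alder Kale Oak Pine</p>
<p>stars 42 - built with love</p>
</body></html>"""


def visible_text(html):
    """Crude tag stripping; enough for the example, not a full HTML parser."""
    return re.sub(r"<[^>]+>", " ", html)


def harvest_letters(html, count=8):
    """Walk capitalized-word runs in page order and keep each word's initial
    when it falls in A..P, stopping once `count` letters have been collected."""
    letters = []
    for run in CAP_RUN.finditer(visible_text(html)):
        for word in run.group(0).split(" "):
            if word[0] in LETTERS:
                letters.append(word[0])
                if len(letters) == count:
                    return "".join(letters)
    return "".join(letters)


def decode_ipv4(code):
    """Map an 8-letter A..P string to a dotted IPv4 address (assumed encoding)."""
    if len(code) != 8 or any(c not in LETTERS for c in code):
        raise ValueError(f"not an 8-letter A..P code: {code!r}")
    nibbles = [LETTERS.index(c) for c in code]
    octets = [(nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 8, 2)]
    return ".".join(str(o) for o in octets)


def recover_c2(html):
    """Return the fallback C2 address hidden in the page, or None if the page
    does not carry eight usable letters (the implant would keep crawling)."""
    code = harvest_letters(html)
    return decode_ipv4(code) if len(code) == 8 else None


if __name__ == "__main__":
    print(harvest_letters(SAMPLE_HTML), "->", recover_c2(SAMPLE_HTML))
```

In the constructed page the bio "Senior Rust Systems Tinkerer at Quantum Works" contributes nothing because none of its initials fall in A..P, and the run of fruit and tree names yields MAKIABAK, which decodes to 192.168.1.10 under the assumed mapping. For defenders the useful part is the inverse: given the GitHub pages an endpoint fetched, the same walk shows whether any of them could have served as a resolver.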
The initial exchange with the C2 server profiles the compromised system and retrieves further malware to be executed through a socket connection. After their activity was discovered, the threat actors reportedly went quiet for a few weeks before returning with a new technique: using the LOLBIN wmic.exe to execute heavily obfuscated JavaScript embedded in a modified version of the XSL file "texttable.xsl".
When the command WMIC.exe MEMORYCHIP GET is run, wmic loads texttable.xsl indirectly to format its output, which causes the attacker's JavaScript to execute. The JavaScript acts as a downloader, subject to filtering criteria that likely serve to target only the machines of interest to the threat actor; it uses the domain time.qnapntp[.]com as its C2 server to retrieve a follow-on payload that fingerprints the machine and sends the information back to the server.
What stands out is the code's deliberate targeting of machines whose IP address contains the substring "10.20.22", which identifies the devices the attacker considers valuable: those in the 10.20.22[0-9].[0-255] ranges. By correlating this with network logs and the addresses of the devices on which the file was found, the researchers concluded that the attacker used the filter to ensure that only devices within the VPN subnet were affected.
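Two checks follow from the wmic stage described above: because the actor modified the stylesheet wmic loads by default, the command line itself looks benign and the artifact to hunt is a WMI formatting stylesheet that carries a script element; and when scoping affected hosts, the downloader's filter was a substring test, so it also selects 10.20.22.0/24, not only the ten /24s the report names. The Python below is an added example, not code from the report: it scans stylesheet text for script elements in any namespace and replays the substring filter against an address inventory. Both XSL documents and the inventory are constructed for the example, and the script body in the tampered stylesheet is inert.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed stand-in for a stock texttable.xsl: templates only, no script.
BENIGN_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:for-each select="COMMAND/RESULTS/CIM/INSTANCE">
      <xsl:value-of select="PROPERTY[@NAME='Capacity']/VALUE"/>
      <xsl:text>&#10;</xsl:text>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed stand-in for a tampered copy: an msxsl:script block runs whenever
# wmic formats output with this stylesheet. The body is inert here; the real
# one carried heavily obfuscated JavaScript.
TAMPERED_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="urn:example-placeholder">
  <xsl:output method="text"/>
  <msxsl:script language="JScript" implements-prefix="user">
    <![CDATA[ function run() { return "stage2"; } ]]>
  </msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:run()"/></xsl:template>
</xsl:stylesheet>
"""


def script_blocks(xsl_text):
    """Return (tag, language) for every <script> element in any namespace.
    A stock WMI formatting stylesheet has none, so any hit needs a look."""
    found = []
    for el in ET.fromstring(xsl_text).iter():
        if el.tag.rsplit("}", 1)[-1].lower() == "script":
            found.append((el.tag, el.get("language", "")))
    return found


# The substring the downloader tested the host address against, as reported.
VPN_FILTER = "10.20.22"

# The report reads that filter as the ten /24s 10.20.220.0 through 10.20.229.0.
REPORTED_RANGES = [ipaddress.ip_network(f"10.20.22{i}.0/24") for i in range(10)]


def downloader_selects(ip):
    """Reproduce the malware's check: a plain substring test on the address."""
    return VPN_FILTER in ip


def in_reported_ranges(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in REPORTED_RANGES)


def scope_hosts(inventory):
    """Split an address inventory into the hosts the filter would select and,
    among those, the ones outside the ten /24s: the substring test also
    matches 10.20.22.0/24, so scoping on the /24s alone would miss them."""
    selected = [ip for ip in inventory if downloader_selects(ip)]
    outside = [ip for ip in selected if not in_reported_ranges(ip)]
    return selected, outside


# Constructed inventory, not the victim's addressing.
INVENTORY = ["10.20.221.17", "10.20.229.254", "10.20.22.9",
             "10.20.230.5", "10.30.22.1", "192.168.10.20"]


if __name__ == "__main__":
    print("tampered:", script_blocks(TAMPERED_XSL))
    print("benign:", script_blocks(BENIGN_XSL))
    print("selected / outside:", scope_hosts(INVENTORY))
```

On a Windows host the same scan would be pointed at the .xsl files under the wbem directory and at any stylesheet wmic.exe is seen loading from an unusual path; a script element in a formatting stylesheet has no legitimate reason to be there.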
Impact
- Sensitive Data Theft
- Financial Loss
- Unauthorized Access
- Security Bypass
Indicators of Compromise
Domain Name
- time.qnapntp.com
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Carefully check the URLs before entering credentials or downloading software.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.