
The Cyber Face of Economic Development
Like other Chinese espionage operators, APT41 targets industries in a manner generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. Activity traces back to 2012, when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely state-sponsored activity.
Indicators of Compromise
Domains (533): the domain values in this copy were run together without separators and cannot be reliably split, so they are not reproduced.
Hashes (2095): the hash values are absent from this copy.
IPv4 (322): the address values in this copy were run together without separators and cannot be reliably split, so they are not reproduced.
Emails (126): the addresses were redacted in this copy.
APT Groups
Ice Fog (China)
HAFNIUM (China)
Axiom (China)
Leviathan (China)
TA428 (China)
Turla Group (Russia)
Notes
Initial Compromise

APT41 leverages a variety of techniques to perform an initial compromise, including spear-phishing, moving laterally from trusted third parties, leveraging stolen credentials, using the CHINACHOP web shell, and accessing victim organizations through remote desktop sharing software such as TeamViewer. APT41 often relies on simple spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise its victims. Once inside a victim organization, however, the operation can leverage more sophisticated TTPs and deploy additional malware tools.

Observed Vulnerabilities

• CVE-2012-0158 (Microsoft Office MSCOMCTL ActiveX remote code execution)
• CVE-2015-1641 (Microsoft Office memory corruption, typically delivered as a crafted RTF)
• CVE-2017-0199 (Microsoft Office/WordPad OLE remote code execution, typically delivering an HTA)
• CVE-2017-11882 (Microsoft Office Equation Editor stack buffer overflow)
• CVE-2019-3396 (Atlassian Confluence Server Widget Connector server-side template injection)

Establish Foothold

APT41 uses a variety of malware and tools, both public and unique to the group, to establish a foothold within a victim's environment, including:

• ASPXSpy
• ACEHASH
• Beacon
• CHINACHOP
• COLDJAVA
• CRACKSHOT
• CROSSWALK
• DEADEYE
• DOWNTIME
• EASYNIGHT
• Gh0st
• HIGHNOON.LITE
• HIGHNOON.PASTEBOY
• HOTCHAI
• HKDOOR
• JUMPALL
• LATELUNCH
• LIFEBOAT
• LOWKEY
• njRAT
• POISONPLUG
• POISONPLUG.SHADOW
• POTROAST
• SAGEHIRE
• SOGU
• SWEETCANDLE
• TERA
• TIDYELF
• XDOOR
• WINTERLOVE
• ZXSHELL

Escalate Privileges

APT41 escalates its privileges by leveraging custom-made and publicly available tools to gather credentials and dump password hashes. The tools include:

• ACEHASH
• GEARSHIFT
• GOODLUCK
• Mimikatz
• NTDSDump
• PHOTO
• PwDump
• WINTERLOVE

Internal Reconnaissance

APT41 conducts network reconnaissance after using compromised credentials to log on to other systems. The group leverages built-in Windows commands, such as "netstat" and "net share", in addition to the custom and non-public malware families SOGU, HIGHNOON, and WIDETONE.

Lateral Movement

APT41 assesses the network architecture of an organization and identifies pivotal systems for enabling further access. The group has repeatedly identified intermediary systems that provide access to otherwise segmented parts of an organization's network (as outlined in Case Study: Video Game Industry Targeting). Once APT41 has identified intermediary systems, it moves quickly to compromise them. In one case, hundreds of systems across several geographic regions were compromised in as little as two weeks.

APT41 frequently uses the publicly available utility WMIEXEC to move laterally across an environment. WMIEXEC executes commands on remote machines over WMI (Win32_Process.Create over DCOM/RPC). Because WMI returns no console output to the caller, the tool redirects the command's output to a file on the target, which the operator then reads back (typically over an SMB administrative share) and deletes. That pattern is visible in the commands executed by the utility, where output is written to C:\wmi.dll and later removed:

• cmd.exe /c whoami > C:\wmi.dll 2>&1
• cmd.exe /c del C:\wmi.dll /F > nul 2>&1
• cmd.exe /c a.bat > C:\wmi.dll 2>&1

On the target host this appears as cmd.exe spawned by WmiPrvSE.exe with stdout redirected to a file and stderr merged (2>&1), a process tree that is uncommon outside WMI-based management tooling and is a practical detection point.

Maintain Presence

To maintain presence, APT41 relies on backdoors, abuse of the Sticky Keys accessibility feature (hijacking sethc.exe so that a SYSTEM shell can be launched from the logon screen), scheduled tasks, bootkits, rootkits, registry modifications, and creating or modifying startup files. APT41 has also been observed modifying firewall rules to enable file and printer sharing, which allows inbound Server Message Block (SMB) traffic to the host.

APT41 leveraged ROCKBOOT as a persistence mechanism for the PHOTO and TERA backdoors. The bootkit performs raw disk operations to bypass the typical MBR boot sequence and execute the backdoors before the host operating system loads. This technique was implemented to ensure the malware would execute on every boot and was designed to be difficult to detect and prevent. APT41 ROCKBOOT samples have been signed with legitimate code-signing certificates from MGame and Neowiz, two South Korean video game companies.

In some instances, APT41 leveraged POISONPLUG as a first-stage backdoor to deploy the HIGHNOON backdoor in the targeted environment. We observed APT41 use PowerSploit, which can register WMI event subscriptions as a persistence mechanism. The group also deploys the SOGU and CROSSWALK malware families as a means to maintain presence.
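The lateral movement and persistence behaviours described in the Notes above (WMIEXEC output redirection, firewall rules opening inbound SMB, Sticky Keys hijacking through an IFEO Debugger value, and scheduled task creation) all leave traces in process-creation telemetry. The following Python is an added hunting example written for this page; it is not code from any APT41 report or vendor tool. The events are constructed Sysmon event 1 / Security 4688 style records, and the host names, user names and file paths in them are invented.

```python
"""Hunt APT41-style lateral movement and persistence in process-creation events."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 fields)."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    command_line: str


# Accessibility binaries that can be hijacked with an IFEO Debugger value
# (the Sticky Keys technique targets sethc.exe).
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe")

# wmiexec-style execution: stdout redirected to a file, stderr merged (2>&1),
# because Win32_Process.Create returns no console output to the operator.
WMI_REDIRECT = re.compile(r">\s*\S+\s+2>&1", re.IGNORECASE)
# netsh enabling the File and Printer Sharing rule group opens inbound SMB.
FW_SHARING = re.compile(
    r'advfirewall\s+firewall\s+set\s+rule\s+group="File and Printer Sharing".*enable=yes',
    re.IGNORECASE)
IFEO_DEBUGGER = re.compile(
    r"Image File Execution Options\\("
    + "|".join(re.escape(b) for b in ACCESSIBILITY_BINARIES) + r")\b.*\bDebugger\b",
    re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_wmi_remote_exec(e: ProcEvent) -> Optional[str]:
    # WmiPrvSE.exe spawning a shell is the host-side footprint of WMIEXEC.
    if (_basename(e.parent_image) == "wmiprvse.exe"
            and _basename(e.image) in ("cmd.exe", "powershell.exe")):
        if WMI_REDIRECT.search(e.command_line):
            return "wmiexec_remote_command"
        return "wmi_spawned_shell"
    return None


def rule_firewall_smb(e: ProcEvent) -> Optional[str]:
    if _basename(e.image) == "netsh.exe" and FW_SHARING.search(e.command_line):
        return "firewall_enable_smb_inbound"
    return None


def rule_accessibility_hijack(e: ProcEvent) -> Optional[str]:
    if _basename(e.image) == "reg.exe" and IFEO_DEBUGGER.search(e.command_line):
        return "sticky_keys_ifeo_debugger"
    return None


def rule_scheduled_task(e: ProcEvent) -> Optional[str]:
    if _basename(e.image) == "schtasks.exe" and SCHTASKS_CREATE.search(e.command_line):
        return "scheduled_task_created"
    return None


RULES: List[Callable[[ProcEvent], Optional[str]]] = [
    rule_wmi_remote_exec, rule_firewall_smb, rule_accessibility_hijack, rule_scheduled_task]


def hunt(events: List[ProcEvent]) -> List[Finding]:
    """Apply every rule to every event and return one Finding per match."""
    findings: List[Finding] = []
    for e in events:
        for rule in RULES:
            name = rule(e)
            if name:
                findings.append(Finding(name, e.host, e.user, e.command_line))
    return findings


def hosts_by_rule(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group affected hosts per rule; a host shared by many hits is the likely pivot."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.rule, set()).add(f.host)
    return out


# Constructed sample telemetry; hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    ProcEvent("FILESRV01", r"CORP\svc_backup", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c whoami > C:\wmi.dll 2>&1"),
    ProcEvent("FILESRV01", r"CORP\svc_backup", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\wmi.dll /F > nul 2>&1"),
    ProcEvent("WKS-22", r"CORP\jdoe", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir > C:\Users\jdoe\out.txt"),
    ProcEvent("FILESRV01", r"CORP\svc_backup", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\netsh.exe",
              r'netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes'),
    ProcEvent("FILESRV01", r"CORP\svc_backup", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d C:\Windows\System32\cmd.exe /f'),
    ProcEvent("WKS-22", r"CORP\jdoe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r"schtasks /create /tn Updater /tr C:\ProgramData\svchost.exe /sc onlogon /ru SYSTEM"),
    ProcEvent("DC01", r"CORP\admin", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe", r"schtasks /query /tn Updater"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.host:10} {f.user:16} {f.command_line}")
```

Running the block on the sample events flags the two WMIEXEC commands, the netsh change and the sethc.exe IFEO write on FILESRV01, and the task creation on WKS-22; the plain `dir` redirect under explorer.exe and the `schtasks /query` are left alone. In production, feed real event records into `hunt`, exclude your known WMI-based management products from the `wmi_spawned_shell` rule, and treat a host that accumulates hits across several rules in a short window the way the text describes an APT41 pivot system.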
Mitigation
NSA, CISA, and FBI urge federal and SLTT government, critical infrastructure (CI), Defense Industrial Base (DIB), and private industry organizations to apply the following recommendations, as well as the detection and mitigation recommendations in Appendix A of the joint advisory, which are tailored to observed tactics and techniques:

Patch systems and equipment promptly and diligently. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment, and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle.

Enhance monitoring of network traffic, email, and endpoint systems. Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.

Use protection capabilities to stop malicious activity. Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware that some MFA implementations (for example, SMS codes or simple push approval) can be intercepted by phishing proxies or worn down by repeated prompts; prefer phishing-resistant factors such as FIDO2 where possible.