The BlackBerry Research & Intelligence team released a new report on Tuesday linking disparate malware campaigns to Chinese cyberespionage group APT41, noting that the group has been taking advantage of Cobalt Strike activity using a bespoke Malleable C2 Profile that uses COVID-19 phishing lures to target victims in India.
The team was able to link phishing lures via PDF and ZIP files containing information related to tax legislation and COVID-19 statistics, masqueraded as being from Indian government entities.
The US government filed charges in 2020 against five APT41 members for hacking into more than 100 companies across the world. US officials said APT41 members managed to compromise foreign government computer networks in India and Vietnam, as well as pro-democracy politicians and activists in Hong Kong.
The APT41 group is one of the most infamous and active state-sponsored hacking groups. ATP41’s operations were first detailed in a FireEye report published in August 2019, with the report linking the group to some of the biggest supply-chain attacks in recent years, and to older hacks going to as early as 2012.
The group uses publicly-available profiles designed to look like legitimate network traffic from Amazon, Gmail, OneDrive and others. BlackBerry found connections between this campaign and others published by FireEye in 2020, as well as Prevailion, Subex and PTSecurity.
“The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims. And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic,” the team said in its report.
“APT41 is a prolific Chinese state sponsored cyber threat group that has conducted malware campaigns related to espionage and financially motivated criminal activity dating as far back as 2012. This threat group has targeted organizations around the world, in many verticals such as travel, telecommunications, healthcare, news, and education. APT41 has often used phishing emails with malicious attachments as an initial infection vector. Once they have gained access to a target organization, they typically deploy more advanced malware to establish a persistent foothold. This group uses a variety of different malware families including information stealers, keyloggers, and backdoors.”
The researchers said they discovered what they believe to be additional APT41 infrastructure and phishing lures targeting victims in India that contained information related to new tax legislation and COVID-19 statistics. These messages purported to be from Indian government entities, the report said.
The goal of the attack was to load and execute a Cobalt Strike Beacon on a victim’s network using the phishing lures and attachments.
FireEye and other cybersecurity companies have spent years documenting APT41’s tactics and the BlackBerry team said it found a malleable C2 profile on GitHub that resembled one mentioned by FireEye and authored by a Chinese security researcher with the pseudonym ‘1135’.
“These profiles had several similarities: both used jQuery Malleable C2 Profiles, and portions of the HTTP GET profile block are almost identical. HTTP header fields such as ‘accept’, ‘user-agent’, ‘host’, and ‘referer’, as well as the ‘set-uri’ field, were all exact matches to the profile data listed in the FireEye blog,” the report explained.
“By extracting and correlating the HTTP headers used in the GET and POST requests defined in the Beacon configs, we can generate revealing connections between seemingly disparate Cobalt Strike infrastructure. While we identified a relatively small number of Beacons using the BootCSS domain as part of their malleable C2 configuration, there were also a few clusters with unique configuration metadata that enabled us to identify additional beacons related to APT41. The Beacons served by these new nodes are using a different malleable profile to those in the original cluster that attempts to make the Beacon traffic look like legitimate Microsoft traffic.”
The domains the team found also have similar naming convention, and in looking through the campaign, BlackBerry discovered a set of three PDFs linked to .microsoftdocs.workers[.]dev domains targeting victims in India. The lures promised information related to taxation rules and COVID-19 advisories.
The first PDF related to tax rules contains an embedded PowerShell script that is executed while the PDF is displayed to the user.
“The PowerShell script downloads and executes a payload via “%temp%conhost.exe’, which loads a payload file called ‘event.dat’. This .DAT file is a Cobalt Strike Beacon. The second and third lures each have similar execution flows and component parts; a PDF lure, conhost.exe, and an event.* payload. In this case, these event files had a .LOG extension, rather than .DAT,” the report found.
“The biggest difference between the second and third lures is that the first uses a self-extracting archive named ‘India records highest ever single day covid_19 recoveries.pdf.exe’, and the second uses a ZIP file named ‘India records highest ever single day COVID-19 recoveries.zip’. Lures two and three also contain the same information within their respective PDFs. Both relate to a record high number of COVID-19 recoveries in India, information which purports to be from the Indian Government Ministry of Health & Family Welfare.”
The researchers noted that a previous September 2020 report from Subex found similar phishing attempts also targeted at Indian nationals. That report attributes the attack to the Evilnum APT group but the BlackBerry researchers disagreed, citing a number of reasons why they believe the culprit is APT41.
The payloads are actually Cobalt Strike Beacons, a hallmark of APT41 according to BlackBerry, and there are a number of configuration settings that tie the attack to APT41.
“With the resources of a nation-state level threat group, it’s possible to create a truly staggering level of diversity in their infrastructure. And while no one security group has that same level of funding, by pooling our collective brainpower we can still uncover the tracks that the cybercriminals involved worked so hard to hide,” the researchers added.