FireEye Threat Intelligence assesses with high confidence that APT41 is responsible for a series of 10 attacks targeting companies and organizations in Mongolia, Russia, Belarus, Canada, and the U.S. from January to July 2021. The attacks involved the deployment of a remote access trojan (RAT) on the victims' infected systems.
The attacks have been attributed to APT31 (FireEye), a group that other cybersecurity companies track under the names Zirconium (Microsoft), Judgement Panda (CrowdStrike), and Bronze Vinewood (Secureworks).
According to FireEye, APT41 is a Chinese state-sponsored espionage group that also conducts financially motivated activity for personal gain. APT41 espionage operations against the healthcare, high-tech, and telecommunications sectors include establishing and maintaining strategic access and, through mid-2015, the theft of intellectual property.
Positive Technologies described a new malware dropper used in these attacks. Its main task is to create two files on the infected computer: a malicious library and an application vulnerable to DLL sideloading, which the dropper then launches. The dropper can also download other malware from a remote command-and-control server, perform file operations, exfiltrate sensitive data, and even delete itself from the compromised system.
"The code for processing the [self-delete] command is particularly intriguing: all the created files and registry keys are deleted using a bat-file," Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov said.
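The two behaviours described above, a sideloaded DLL launched through a legitimate-looking application and a clean-up step that runs a bat file, are both visible in endpoint telemetry. The following Python script is an added example, not code from Positive Technologies or from the page, showing one way to flag them over Sysmon-style image-load (Event ID 7) and process-create (Event ID 1) records. The trusted directory list, the list of DLL names that applications normally resolve from System32, the event field names, and every sample path are assumptions constructed for the example.

```python
"""Heuristics for DLL sideloading and bat-file self-deletion over constructed
Sysmon-style events (assumed field names, not real telemetry)."""
import ntpath

# Assumption: directories where a legitimately installed application is expected
# to live. Anything else is treated as user-writable / untrusted.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Assumption: a short list of DLL names normally resolved from System32. A copy
# sitting next to the executable is a classic sideloading candidate.
SYSTEM_DLL_NAMES = {
    "version.dll", "dwmapi.dll", "cryptbase.dll", "userenv.dll", "wtsapi32.dll",
}


def _dir(path):
    """Lower-cased directory part of a Windows path (ntpath works on any OS)."""
    return ntpath.dirname(path).lower()


def _untrusted(path):
    return bool(path) and not _dir(path).startswith(TRUSTED_DIRS)


def is_sideload_candidate(event):
    """Event 7: an executable outside trusted dirs loads a DLL from its own
    directory under a name that collides with a System32 DLL."""
    if event.get("EventID") != 7:
        return False
    image, dll = event["Image"].lower(), event["ImageLoaded"].lower()
    same_dir = _dir(image) == _dir(dll)
    name_collides = ntpath.basename(dll) in SYSTEM_DLL_NAMES
    return same_dir and _untrusted(image) and name_collides


def is_bat_self_delete(event):
    """Event 1: cmd.exe runs a .bat on behalf of a parent that itself lives
    outside trusted dirs. Heuristic for the bat-file clean-up the researchers
    describe; it cannot see the bat contents, so treat it as a lead, not proof."""
    if event.get("EventID") != 1:
        return False
    if ntpath.basename(event["Image"].lower()) != "cmd.exe":
        return False
    cmdline = event.get("CommandLine", "").lower()
    runs_bat = ".bat" in cmdline and ("/c" in cmdline or "/q" in cmdline)
    return runs_bat and _untrusted(event.get("ParentImage", ""))


def scan(events):
    """Return (rule, actor, artifact) tuples for every matching event."""
    findings = []
    for e in events:
        if is_sideload_candidate(e):
            findings.append(("dll_sideload", e["Image"], e["ImageLoaded"]))
        if is_bat_self_delete(e):
            findings.append(("bat_self_delete", e["ParentImage"], e["CommandLine"]))
    return findings


# Constructed sample events: one true sideload, one benign System32 load, one
# same-directory load under a non-system name, one bat clean-up, one benign bat.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\updater.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\updater.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\helper.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\Libraries\cleanup.bat",
     "ParentImage": r"C:\Users\Public\Libraries\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Scripts\build.bat",
     "ParentImage": r"C:\Program Files\Build Tools\make.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Both rules are deliberately narrow: the sideloading check only fires when the DLL name collides with a System32 name, so a renamed helper library in the same directory is not reported, and the bat rule keys on the parent's location rather than on the script contents. In a real deployment the trusted directory list and DLL name set would come from an inventory of the environment rather than the constants above.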
During their investigation, PT ESC specialists found a Secureworks report describing the APT31 DropboxAES RAT trojan. Analysis of the detected malware samples allowed them to assert that the same group is behind the studied attack. Numerous overlaps were found in functionality, techniques, and mechanisms, from the injection of malicious code (down to the names of the libraries used) to the logical blocks and structures inside the program code. The paths of the malware's working directories, and the registry keys that provide persistence and tie the malware to those working directories, are also identical. In addition, the command handlers executed by the malware proved to be extremely similar, while the self-delete mechanism is identical.
The main difference between this version of the malware and the one reviewed by Secureworks lies in how the main payload communicates with the control server. In the cases studied, a custom communication protocol was used in place of Dropbox to exchange data.