
Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain

The prolific Chinese nation-state actor known as APT41 (aka Brass Typhoon, Earth Baku, Wicked Panda, or Winnti) has been attributed to a sophisticated cyber attack targeting the gambling and gaming industry.

“Over a period of at least six months, the attackers stealthily gathered valuable information from the targeted company including, but not limited to, network configurations, user passwords, and secrets from the LSASS process,” Ido Naor, co-founder and CEO of Israeli cybersecurity company Security Joes, said in a statement shared with The Hacker News.

“During the intrusion, the attackers continuously updated their toolset based on the security team’s response. By observing the defenders’ actions, they altered their strategies and tools to bypass detection and maintain persistent access to the compromised network.”

The multi-stage attack, which targeted one of its clients and lasted nearly nine months this year, exhibits overlaps with an intrusion set tracked by cybersecurity vendor Sophos under the moniker Operation Crimson Palace.


Naor said the company responded to the incident four months ago, adding “these attacks are dependent upon state-sponsored decision makers. This time we suspect with high confidence that APT41 were after financial gain.”

The campaign is designed with stealth in mind, leveraging a bevy of tactics to achieve its goals by using a custom toolset that not only bypasses the security software installed in the environment, but also harvests critical information and establishes covert channels for persistent remote access.

Security Joes described APT41 as both “highly skilled and methodical,” calling out its ability to mount espionage attacks as well as poison the supply chain, thereby leading to intellectual property theft and financially motivated intrusions such as ransomware and cryptocurrency mining.

The exact initial access vector used in the attack is presently unknown, but evidence veers towards it being spear-phishing emails, given the absence of active vulnerabilities in internet-facing web applications or a supply chain compromise.

“Once inside the targeted infrastructure, the attackers executed a DCSync attack, aiming to harvest password hashes of service and admin accounts to expand their access,” the company said in its report. “With these credentials, they established persistence and maintained control over the network, focusing particularly on administrative and developer accounts.”

The attackers are said to have methodically conducted reconnaissance and post-exploitation activities, often tweaking their toolset in response to the steps the defenders took to counter the threat, and escalated their privileges with the end goal of downloading and executing additional payloads.

Some of the techniques used to realize their goals include Phantom DLL Hijacking and the use of the legitimate wmic.exe utility, not to mention abusing their access to service accounts with administrator privileges to trigger the execution.

Hackers Target Gambling Sector

The next stage is a malicious DLL file named TSVIPSrv.dll that’s retrieved over the SMB protocol, after which the payload establishes contact with a hard-coded command-and-control (C2) server.

“If the hardcoded C2 fails, the implant attempts to update its C2 information by scraping GitHub users using the following URL: github[.]com/search?o=desc&q=pointers&s=joined&type=Users&.”

“The malware parses the HTML returned from the GitHub query, searching for sequences of capitalized words separated only by spaces. It collects eight of those words, then extracts only the capital letters between A and P. This process generates an 8-character string, which encodes the IP address of the new C2 server that will be used in the attack.”
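The dead-drop resolver described above can be reproduced on the analyst side to pull the encoded C2 address out of a captured copy of the search page, so it can be blocked and compared against network logs. The following is an added example and is not Security Joes' code or the implant's; the page does not state how the eight letters map to an IP address, so the mapping A..P = nibble 0..15 (two letters per octet) is an assumption, and the HTML and user names are constructed.

```python
import re
from typing import List, Optional

# Constructed stand-in for the HTML a GitHub user search returns; the display
# names are invented for this example.
SAMPLE_HTML = """
<div class="user"><span>Cats And Apes Have Absolutely Brilliant Coats Daily</span></div>
<div class="user"><span>lowercase name here</span></div>
<div class="user"><span>Quite Zany Names</span></div>
"""

# A run of capitalized words separated only by single spaces, as the page describes.
CAP_RUN = re.compile(r"\b[A-Z][a-zA-Z]*(?: [A-Z][a-zA-Z]*)+\b")


def collect_words(html: str, limit: int = 8) -> List[str]:
    """Collect up to `limit` words from runs of capitalized words in the page."""
    words: List[str] = []
    for run in CAP_RUN.findall(html):
        for word in run.split(" "):
            words.append(word)
            if len(words) == limit:
                return words
    return words


def extract_letters(words: List[str]) -> str:
    """Keep only the leading capital letters that fall in the range A..P."""
    return "".join(w[0] for w in words if "A" <= w[0] <= "P")


def decode_ip(letters: str) -> Optional[str]:
    """ASSUMPTION (not stated on the page): A..P encode nibbles 0..15, so
    eight letters give four octets. Anything other than 8 letters is rejected."""
    if len(letters) != 8 or any(not ("A" <= c <= "P") for c in letters):
        return None
    nibbles = [ord(c) - ord("A") for c in letters]
    octets = [(nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 8, 2)]
    return ".".join(str(o) for o in octets)


def resolve_from_html(html: str) -> Optional[str]:
    """Full pipeline: page text -> eight words -> A..P letters -> dotted IPv4."""
    return decode_ip(extract_letters(collect_words(html)))


if __name__ == "__main__":
    print(resolve_from_html(SAMPLE_HTML))
```

With the constructed page the eight words yield the letters `CAAHABCD`, which decode to `32.7.1.35` under the assumed mapping; a page that does not produce exactly eight qualifying letters returns `None` rather than a bogus address, which is also the condition a defender would expect the implant to fall through on.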

The initial contact with the C2 server paves the way for profiling the infected system and fetching more malware to be executed via a socket connection.

Security Joes said that the threat actors went silent for several weeks after their activities were detected, but eventually returned with a revamped approach to execute heavily obfuscated JavaScript code present within a modified version of an XSL file (“texttable.xsl”) using the LOLBIN wmic.exe.


“Once the command WMIC.exe MEMORYCHIP GET is launched, it indirectly loads the texttable.xsl file to format the output, forcing the execution of the malicious JavaScript code injected by the attacker,” the researchers explained.
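Two checks a defender can run for the technique just described: flag process-creation telemetry where wmic.exe is launched with a MEMORYCHIP GET query, and inspect the resident texttable.xsl for embedded script blocks, which a pure formatting stylesheet should never contain. This is an added example, not code from Security Joes or the page; the event records and XSL fragments are constructed, and it assumes the injected JavaScript is carried in an `ms:script` element (the MSXML extension namespace), which the page does not specify.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "WMIC.exe MEMORYCHIP GET"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic os get caption"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]

# ASSUMPTION: script is embedded via the MSXML extension namespace.
MS_XSLT_NS = "urn:schemas-microsoft-com:xslt"

# Constructed stand-in for a clean formatting stylesheet.
BENIGN_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/"><xsl:value-of select="."/></xsl:template>
</xsl:stylesheet>"""

# Constructed stand-in for a tampered copy: same formatter plus a script block
# (the body is a placeholder string, not a payload).
TAMPERED_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:ms="urn:schemas-microsoft-com:xslt">
  <xsl:output method="text"/>
  <ms:script language="JScript" implements-prefix="placeholder"><![CDATA[
    var note = "placeholder, no real code";
  ]]></ms:script>
  <xsl:template match="/"><xsl:value-of select="."/></xsl:template>
</xsl:stylesheet>"""


def wmic_memorychip_events(events: List[Dict[str, str]]) -> List[str]:
    """Return command lines where wmic.exe runs the MEMORYCHIP GET query that
    pulls in texttable.xsl for output formatting."""
    hits = []
    for ev in events:
        image = ev["image"].lower()
        tokens = ev["cmdline"].lower().split()
        if image.endswith("\\wmic.exe") and "memorychip" in tokens and "get" in tokens:
            hits.append(ev["cmdline"])
    return hits


def xsl_script_elements(xsl_text: str) -> List[str]:
    """Return the language attribute of every ms:script element in the XSL.
    A stylesheet that only formats WMIC output should yield an empty list."""
    root = ET.fromstring(xsl_text)
    tag = "{%s}script" % MS_XSLT_NS
    return [el.get("language", "") for el in root.iter() if el.tag == tag]


if __name__ == "__main__":
    print("suspicious wmic launches:", wmic_memorychip_events(SAMPLE_EVENTS))
    print("scripts in benign xsl:", xsl_script_elements(BENIGN_XSL))
    print("scripts in tampered xsl:", xsl_script_elements(TAMPERED_XSL))
```

In practice the XSL check would be run against the copy of texttable.xsl on each host (the file lives under the WMI directory that wmic.exe loads from) and paired with a hash comparison against a known-good Windows image; the process check is a hunting query rather than a standalone alert, since MEMORYCHIP queries do occur in legitimate inventory scripts.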

The JavaScript, for its part, serves as a downloader that uses the domain time.qnapntp[.]com as a C2 server to retrieve a follow-on payload that fingerprints the machine and sends the information back to the server, subject to certain filtering criteria that likely serves to target only those machines that are of interest to the threat actor.

“What really stands out in the code is the deliberate targeting of machines with IP addresses containing the substring ‘10.20.22,’” the researchers said.

“This highlights which specific devices are valuable to the attacker, namely those in the subnets 10.20.22[0-9].[0-255]. By correlating this information with network logs and the IP addresses of the devices where the file was found, we concluded that the attacker was using this filtering mechanism to ensure only devices within the VPN subnet were affected.”
