Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain

By Viral Trending Content

The prolific Chinese nation-state actor known as APT41 (aka Brass Typhoon, Earth Baku, Wicked Panda, or Winnti) has been attributed to a sophisticated cyber attack targeting the gambling and gaming industry.

“Over a period of at least six months, the attackers stealthily gathered valuable information from the targeted company including, but not limited to, network configurations, user passwords, and secrets from the LSASS process,” Ido Naor, co-founder and CEO of Israeli cybersecurity company Security Joes, said in a statement shared with The Hacker News.

“During the intrusion, the attackers continuously updated their toolset based on the security team’s response. By observing the defenders’ actions, they altered their strategies and tools to bypass detection and maintain persistent access to the compromised network.”

The multi-stage attack, which targeted one of Security Joes' clients and lasted nearly nine months this year, exhibits overlaps with an intrusion set tracked by cybersecurity vendor Sophos under the moniker Operation Crimson Palace.

Naor said the company responded to the incident four months ago, adding “these attacks are dependent upon state-sponsored decision makers. This time we suspect with high confidence that APT41 were after financial gain.”

The campaign is designed with stealth in mind, leveraging a bevy of tactics to achieve its goals by using a custom toolset that not only bypasses the security software installed in the environment, but also harvests critical information and establishes covert channels for persistent remote access.

Security Joes described APT41 as both “highly skilled and methodical,” calling out its ability to mount espionage attacks as well as poison the supply chain, thereby leading to intellectual property theft and financially motivated intrusions such as ransomware and cryptocurrency mining.

The exact initial access vector used in the attack is presently unknown, but the evidence points towards spear-phishing emails, given the absence of actively exploited vulnerabilities in internet-facing web applications or of a supply chain compromise.

“Once inside the targeted infrastructure, the attackers executed a DCSync attack, aiming to harvest password hashes of service and admin accounts to expand their access,” the company said in its report. “With these credentials, they established persistence and maintained control over the network, focusing particularly on administrative and developer accounts.”
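A DCSync request looks like ordinary directory replication, so the defender's signal is Security event 4662 showing the replication extended rights exercised by an account that is not a domain controller. The following Python is an added example (not from the Security Joes report) that applies that rule to constructed 4662 records; the account names and event samples are assumptions.

```python
# Extended rights that a directory replication request exercises; a DCSync-style
# credential pull shows up as a non-DC account using them against the domain object.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def flag_dcsync(events, dc_accounts):
    """Return (subject, rights) for each Security event 4662 in which a principal
    outside `dc_accounts` exercised replication rights. Each event is a dict with
    at least EventID, SubjectUserName and Properties (the GUID list as logged)."""
    dc_accounts = {a.upper() for a in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if ev.get("SubjectUserName", "").upper() in dc_accounts:
            continue  # DC-to-DC replication legitimately uses these rights
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if rights:
            hits.append((ev["SubjectUserName"], rights))
    return hits

# Constructed sample events (hypothetical account names; not from the report).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},  # placeholder: unrelated property GUID
    {"EventID": 4624, "SubjectUserName": "svc_backup", "Properties": ""},
]
KNOWN_DCS = ["DC01$", "DC02$"]

if __name__ == "__main__":
    for subject, rights in flag_dcsync(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

The list of domain controller accounts must be maintained from the directory itself, since an attacker who compromises a DC computer account would pass this filter.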

The attackers are said to have methodically conducted reconnaissance and post-exploitation activities, often tweaking their toolset in response to the steps taken to counter the threat, and escalating their privileges with the end goal of downloading and executing additional payloads.

Some of the techniques used to realize their goals include Phantom DLL Hijacking and the use of the legitimate wmic.exe utility, not to mention abusing their access to service accounts with administrator privileges to trigger the execution.

The next stage is a malicious DLL file named TSVIPSrv.dll that's retrieved over the SMB protocol, following which the payload establishes contact with a hard-coded command-and-control (C2) server.

“If the hardcoded C2 fails, the implant attempts to update its C2 information by scraping GitHub users using the following URL: github[.]com/search?o=desc&q=pointers&s=joined&type=Users&.”

“The malware parses the HTML returned from the GitHub query, searching for sequences of capitalized words separated only by spaces. It collects eight of those words, then extracts only the capital letters between A and P. This process generates an 8-character string, which encodes the IP address of the new C2 server that will be used in the attack.”

The initial contact with the C2 server paves the way for profiling the infected system and fetching more malware to be executed via a socket connection.

Security Joes said that the threat actors went silent for several weeks after their activities were detected, but eventually returned with a revamped approach to execute heavily obfuscated JavaScript code present within a modified version of an XSL file (“texttable.xsl”) using the LOLBIN wmic.exe.

“Once the command WMIC.exe MEMORYCHIP GET is launched, it indirectly loads the texttable.xsl file to format the output, forcing the execution of the malicious JavaScript code injected by the attacker,” the researchers explained.
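Because wmic.exe loads texttable.xsl implicitly to format table output, the command line itself is unremarkable; the tell is a script block inside a formatter stylesheet that should contain only XSLT templates. The Python below is an added example (not from the report) that parses an XSL file and reports any embedded msxsl:script elements; the two sample stylesheets are constructed and do not reproduce the real texttable.xsl.

```python
import xml.etree.ElementTree as ET

# Namespace MSXML uses for script extensions inside XSL stylesheets.
MSXSL_NS = "urn:schemas-microsoft-com:xslt"

def find_script_blocks(xsl_text):
    """Return one record per embedded script block in an XSL document.

    A stock WMI formatter stylesheet contains only XSLT templates; any
    msxsl:script element means code runs inside wmic.exe whenever the
    stylesheet is applied to command output."""
    root = ET.fromstring(xsl_text)
    hits = []
    for elem in root.iter():
        if elem.tag == f"{{{MSXSL_NS}}}script":
            body = (elem.text or "").strip()
            hits.append({
                "language": elem.get("language", ""),
                "prefix": elem.get("implements-prefix", ""),
                "bytes": len(body),
            })
    return hits

# Constructed sample: a formatter template carrying an injected JScript block.
SUSPICIOUS_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="urn:constructed-example">
  <xsl:output method="text"/>
  <msxsl:script language="JScript" implements-prefix="user">
    function run() { /* placeholder for the injected, obfuscated code */ return ""; }
  </msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:run()"/></xsl:template>
</xsl:stylesheet>"""

# Constructed sample: a template-only stylesheet, as a formatter should be.
CLEAN_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/"><xsl:value-of select="."/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_XSL), ("suspicious", SUSPICIOUS_XSL)):
        print(name, find_script_blocks(text))
```

Running this over the wbem formatter directory and comparing file hashes against a known-good build catches the modification without depending on command-line telemetry.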

The JavaScript, for its part, serves as a downloader that uses the domain time.qnapntp[.]com as a C2 server to retrieve a follow-on payload that fingerprints the machine and sends the information back to the server, subject to certain filtering criteria that likely serve to target only those machines that are of interest to the threat actor.

“What really stands out in the code is the deliberate targeting of machines with IP addresses containing the substring ‘10.20.22,’” the researchers said. “This highlights which specific devices are valuable to the attacker, namely those in the subnets 10.20.22[0-9].[0-255]. By correlating this information with network logs and the IP addresses of the devices where the file was found, we concluded that the attacker was using this filtering mechanism to ensure only devices within the VPN subnet were affected.”
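A substring test on the dotted-quad text is looser than a subnet test, which matters when scoping which hosts such a filter would have selected. The Python below is an added example (not from the report) that applies the same text test to a constructed host inventory and enumerates the /24 networks it covers; the inventory and the 10.20.0.0/16 supernet are assumptions.

```python
import ipaddress

NEEDLE = "10.20.22"  # substring the researchers found in the downloader's filter

def substring_filter_hits(candidate_ips, needle=NEEDLE):
    """Apply the downloader's text-substring test to a list of addresses
    (e.g. a host inventory) and return the ones it would have selected."""
    return [ip for ip in candidate_ips if needle in ip]

def networks_selected(needle=NEEDLE, supernet="10.20.0.0/16"):
    """Enumerate the /24 networks inside `supernet` whose textual form contains
    `needle`, turning the substring rule into explicit CIDR scope."""
    scope = ipaddress.ip_network(supernet)
    return [str(net) for net in scope.subnets(new_prefix=24)
            if needle in str(net.network_address)]

# Constructed host inventory (not from the report).
INVENTORY = [
    "10.20.22.15",    # selected: 10.20.22.0/24 also contains the substring
    "10.20.221.7",    # selected: in 10.20.22[0-9].x
    "10.20.229.200",  # selected
    "10.20.230.4",    # not selected
    "10.20.2.22",     # not selected: no contiguous "10.20.22"
    "10.120.22.9",    # not selected
    "110.20.22.1",    # selected: substring match ignores octet boundaries
]

if __name__ == "__main__":
    print("hosts selected:", substring_filter_hits(INVENTORY))
    nets = networks_selected()
    print(f"{len(nets)} /24 networks selected:", nets)
```

The enumeration shows eleven /24 networks rather than ten, because 10.20.22.0/24 matches alongside 10.20.220.0/24 through 10.20.229.0/24.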