Researchers from FireEye have released a detailed report into a Chinese state-sponsored cyber espionage group they have named APT41. Over a period of seven years, the APT41 group has conducted cyber espionage activities against organizations in 14 countries, including the United States, the UK, France, Switzerland, South Korea, South Africa, Turkey, India, Italy and Japan. Targeted organizations belong to various industries including healthcare, media, pharmaceuticals, telecoms, travel, education and retail. Some of those compromises were timed in order to obtain intelligence related to corporate events, such as mergers.

What differentiates APT41 from other state-sponsored groups is that it has also targeted organizations in the video game industry, in what appear to be financially motivated attacks for personal rather than state gain. These attacks date back to 2014 and have run concurrently with the cyber espionage activity. Moreover, APT41 has reused tactics, techniques and procedures developed in its video game industry attacks to improve the success rate of its cyber espionage operations.

The APT41 group often uses stolen digital certificates to sign its malware, making it far more likely to be treated as benign. Legitimately signed malware is also a key component of one of APT41's preferred attack vectors, targeted supply chain compromises. In a June 2018 supply chain compromise, the malicious payload was delivered only to specific targets, selected by MAC address or hard drive serial number.

Researchers found that APT41 uses over 46 different malware families in its campaigns, including rootkits and master boot record (MBR) bootkits when particularly stealthy methods are required for specific targets. The group has proven persistent, adapting to regain a foothold in an organization within hours or days of security teams removing its malware. In one year-long campaign, for example, APT41 used almost 150 unique pieces of malware, including backdoors, keyloggers, rootkits and information stealers, compromising hundreds of systems.

The malware deployed by APT41 can use legitimate websites, such as Microsoft TechNet, Pastebin and GitHub, for command and control (C2) traffic.
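Because the C2 hosts above are legitimate sites, blocking them is rarely an option; one detection approach is to look for timer-driven, low-jitter polling of a single resource on those hosts. The following is an added example (not code from the report or from BluVector); the log format, the watched path prefixes, the thresholds and the sample log lines are all constructed assumptions.

```python
"""Flag beacon-like fetches to legitimate sites abused as C2 relays.

Added example, not from the original report. Assumes a proxy log with
four whitespace-separated fields: ISO timestamp, source IP, host, path.
Endpoint prefixes and thresholds below are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hosts named in the report as C2 relays; the path prefixes are assumptions.
WATCHED = {
    "pastebin.com": ("/raw/",),
    "raw.githubusercontent.com": ("/",),
    "social.technet.microsoft.com": ("/profile/",),
}

# Constructed sample: 10.0.0.5 polls one paste every ~300 s; 10.0.0.9 browses.
SAMPLE_LOG = """\
2019-08-07T09:00:00 10.0.0.5 pastebin.com /raw/AbCd1234
2019-08-07T09:05:01 10.0.0.5 pastebin.com /raw/AbCd1234
2019-08-07T09:09:59 10.0.0.5 pastebin.com /raw/AbCd1234
2019-08-07T09:15:00 10.0.0.5 pastebin.com /raw/AbCd1234
2019-08-07T09:02:10 10.0.0.9 pastebin.com /raw/Zz9988
2019-08-07T11:40:33 10.0.0.9 raw.githubusercontent.com /org/repo/master/README.md
"""

def parse(log):
    """Yield (timestamp, src, host, path) for requests to watched endpoints."""
    for line in log.splitlines():
        ts, src, host, path = line.split()
        prefixes = WATCHED.get(host)
        if prefixes and path.startswith(prefixes):
            yield datetime.fromisoformat(ts), src, host, path

def find_beacons(log, min_hits=4, max_jitter=0.1):
    """Return (src, host, path, mean_interval_s) tuples for regular polling."""
    seen = defaultdict(list)
    for ts, src, host, path in parse(log):
        seen[(src, host, path)].append(ts)
    hits = []
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low relative jitter between fetches of one resource suggests a timer, not a person.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((*key, round(avg)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon-like:", hit)  # → ('10.0.0.5', 'pastebin.com', '/raw/AbCd1234', 300)
```

Such a hit is a triage lead, not a verdict: confirm it by inspecting the requesting process and the fetched content before acting.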

How Does It Propagate?

APT41 commonly uses spear phishing and supply chain compromises as initial infection vectors. The group is not known to use self-propagating malware, which would be too noisy for its purposes.

When/How Did BluVector Detect It?

All of the 14 publicly available samples were detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown the samples would have been detected an average of 20 months prior to their release.