APT41
APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.[1]
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.004 | Application Layer Protocol: DNS |
Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | APT41 used exploit payloads that initiate download via FTP.[2]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.[2]
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | APT41 created a RAR archive of targeted files for exfiltration.[1]
Enterprise | T1197 | BITS Jobs |
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | APT41 created and modified startup files for persistence.[1] APT41 added a registry key in
Enterprise | T1110.002 | Brute Force: Password Cracking | APT41 performed password brute-force attacks on the local admin account.[1]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | APT41 leveraged PowerShell to deploy malware families in victims' environments.[1][2]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | APT41 used
Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | APT41 executed
Enterprise | T1136.001 | Create Account: Local Account | APT41 created user accounts and added them to the User and Admin groups.[1]
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | APT41 modified legitimate Windows services to install malware backdoors.[1] APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.[2]
Enterprise | T1486 | Data Encrypted for Impact | APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[1]
Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms |
Enterprise | T1546.008 | Event Triggered Execution: Accessibility Features |
Enterprise | T1480.001 | Execution Guardrails: Environmental Keying | APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second-stage malware with an RC5 key derived in part from the infected system's volume serial number.[3]
Enterprise | T1190 | Exploit Public-Facing Application | APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and Gateway devices.[2]
Enterprise | T1203 | Exploitation for Client Execution | APT41 leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.[1]
Enterprise | T1133 | External Remote Services | APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.[1]
Enterprise | T1008 | Fallback Channels | APT41 used the Steam community page as a fallback mechanism for C2.[1]
Enterprise | T1083 | File and Directory Discovery | APT41 has executed
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | APT41 used legitimate executables to perform DLL side-loading of their malware.[1]
Enterprise | T1070.001 | Indicator Removal on Host: Clear Windows Event Logs | APT41 attempted to remove evidence of some of its activity by clearing the Windows Security and System event logs.[1]
Enterprise | T1070.003 | Indicator Removal on Host: Clear Command History | APT41 attempted to remove evidence of some of its activity by deleting Bash histories.[1]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion |
Enterprise | T1105 | Ingress Tool Transfer |
Enterprise | T1056.001 | Input Capture: Keylogging | APT41 used a keylogger called GEARSHIFT on a target system.[1]
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | APT41 attempted to masquerade their files as popular anti-virus software.[1]
Enterprise | T1112 | Modify Registry | APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.[1]
Enterprise | T1104 | Multi-Stage Channels | APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.[2]
Enterprise | T1046 | Network Service Scanning | APT41 used a malware variant called WIDETONE to conduct port scans on the specified subnets.[1]
Enterprise | T1135 | Network Share Discovery | APT41 used the
Enterprise | T1027 | Obfuscated Files or Information |
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | APT41 used the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.[1]
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.[1]
Enterprise | T1542.003 | Pre-OS Boot: Bootkit | APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.[1]
Enterprise | T1055 | Process Injection | APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.[1]
Enterprise | T1090 | Proxy | APT41 used a tool called CLASSFON to covertly proxy network communications.[1]
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol |
Enterprise | T1496 | Resource Hijacking | APT41 deployed a Monero cryptocurrency mining tool in a victim's environment.[1]
Enterprise | T1014 | Rootkit |
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | APT41 used a compromised account to create a scheduled task on a system.[1]
Enterprise | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File |
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[1]
Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.[1]
Enterprise | T1016 | System Network Configuration Discovery |
Enterprise | T1049 | System Network Connections Discovery | APT41 used the
Enterprise | T1033 | System Owner/User Discovery | APT41 used the WMIEXEC utility to execute
Enterprise | T1569.002 | System Services: Service Execution | APT41 used Net to execute a system service installed to launch a Cobalt Strike BEACON loader.[2]
Enterprise | T1078 | Valid Accounts | APT41 used compromised credentials to log on to other systems.[1]
Enterprise | T1102.001 | Web Service: Dead Drop Resolver | APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.[1]
Enterprise | T1047 | Windows Management Instrumentation | APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.[1]