Several organizations operating within global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have become the target of a “sustained campaign” by the prolific China-based APT41 hacking group.
“APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims’ networks since 2023, enabling them to extract sensitive data over an extended period,” Google-owned Mandiant said in a new report published Thursday.
The threat intelligence firm described the adversarial collective as unique among China-nexus actors owing to its use of “non-public malware typically reserved for espionage operations in activities that appear to fall outside the scope of state-sponsored missions.”
Attack chains involve the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROVE) to achieve persistence, deliver additional payloads, and exfiltrate data of interest.
The web shells act as a conduit to download the DUSTPAN (aka StealthVector) dropper that’s responsible for loading Cobalt Strike Beacon for command-and-control (C2) communication, followed by the deployment of the DUSTTRAP dropper post lateral movement.
DUSTTRAP, for its part, is configured to decrypt a malicious payload and execute it in memory, which, in turn, establishes contact with an attacker-controlled server or a compromised Google Workspace account in an attempt to conceal its malicious activities.
Google said the identified Workspace accounts have been remediated to prevent unauthorized access. It, however, did not reveal how many accounts were affected.
The intrusions are also characterized by the use of SQLULDR2 to export data from Oracle Databases to a local text-based file and PINEGROVE to transmit large volumes of sensitive data from compromised networks by abusing Microsoft OneDrive as an exfiltration vector.
It’s worth noting here that the malware families that Mandiant tracks as DUSTPAN and DUSTTRAP share overlaps with those that have been codenamed DodgeBox and MoonWalk, respectively, by Zscaler ThreatLabz.
“DUSTTRAP is a multi-stage plugin framework with multiple components,” Mandiant researchers said, adding it identified at least 15 plugins that are capable of executing shell commands, carrying out file system operations, enumerating and terminating processes, capturing keystrokes and screenshots, gathering system information, and modifying Windows Registry.
It’s also engineered to probe remote hosts, perform domain name system (DNS) lookups, list remote desktop sessions, upload files, and conduct various manipulations to Microsoft Active Directory.
“The DUSTTRAP malware and its associated components that were observed during the intrusion were code signed with presumably stolen code signing certificates,” the company said. “One of the code signing certificates seemed to be related to a South Korean company operating in the gaming industry sector.”
GhostEmperor Comes Back to Haunt#
The disclosure comes as Israeli cybersecurity company Sygnia revealed details of a cyber attack campaign mounted by a sophisticated China-nexus threat group called GhostEmperor to deliver a variant of the Demodex rootkit.
The exact method used to breach targets is currently not clear, although the group has been previously observed exploiting known flaws in internet-facing applications. The initial access facilitates the execution of a Windows batch script, which drops a Cabinet archive (CAB) file to ultimately launch a core implant module.
The implant is equipped to manage C2 communications and install the Demodex kernel rootkit by using an open-source project named Cheat Engine to get around the Windows Driver Signature Enforcement (DSE) mechanism.
“GhostEmperor employs a multi-stage malware to achieve stealth execution and persistence and utilizes several methods to impede analysis process,” Security researcher Dor Nizar said.