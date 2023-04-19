



The advanced persistent threat known as APT41 is now using an open source red team tool, Google Command and Control (GC2), in cyber espionage campaigns, demonstrating a change in its tactics.

According to the Google Threat Analysis Group (TAG), the APT41 group, also known as HOODOO, Winnti and Bronze Atlas, recently targeted a Taiwanese media organization with phishing emails containing links to password-protected files hosted on Google Drive.

The GC2 payload is fetched when the file is opened. As detailed in TAG’s April Threat Horizons report, the tool takes commands from Google Sheets, hides its malicious activity, and exfiltrates data to Google Drive. GC2 also allows the attacker to download additional files from Drive onto the victim’s system.

According to TAG, APT41 also used GC2 to target an Italian job search site in July of last year.

TAG researchers said such incidents highlight several trends among China-linked attackers, including the use of public tools, the proliferation of tools written in the Go programming language, and the targeting of Taiwanese media.

Using public tools

Chinese APT groups are increasingly using public (and legitimate) tools such as Cobalt Strike and other penetration testing software available on sites such as GitHub. They also use lesser-known red team tools such as Brute Ratel and Sliver to evade detection during attacks.

The use of such “living off the land” tactics, relying on publicly available and legitimate tooling, is well known among financially motivated cyber threat actors, but less so among resource-rich APTs that can develop custom tools. However, Christopher Porter, Google Cloud’s head of threat intelligence, said in the report that it is wise to think state-sponsored cyber attackers could steal the strategies of cybercriminals and target such systems.

“Familiar domain names expose many of the natural defenses we have when viewing suspicious email, and their trustworthiness is often hard-coded into security systems that screen for spam and malware,” he says, flagging the use of cloud services for stealth and legitimacy.

What is APT41?

According to TAG’s analysis, the group’s activity shows a “continued overlap of public sector threat actors targeting private sector organizations with limited government ties.”

Last year, the same group was discovered deploying the Spyder Loader malware as part of a campaign to gather intelligence on government agencies in Hong Kong, and using Log4j vulnerabilities to target multiple US government agencies.

Bronze Atlas is “one of the most prolific groups we’ve tracked in a long time,” said Marc Burnard, senior security researcher in Secureworks’ Counter Threat Unit, which has been tracking the group since at least 2007.

According to Burnard, APT41 goes after a variety of targets, including government, healthcare, high-tech manufacturing, telecommunications companies, aviation, non-governmental organizations (NGOs), and other targets aligned with China’s political and economic interests.

“They are primarily focused on stealing intellectual property and are also involved in targeting political information,” he points out.

Asked why this particular Taiwanese media company would be targeted, Burnard acknowledged that there are several possible reasons: the political climate between China and Taiwan, the intent to use the victim to target other organizations or individuals, or the use of “disruptive elements.”

APT41 turns down the noise

As mentioned above, the TAG report shows that attackers send victims phishing emails containing links to legitimate cloud services to avoid detection, since links to trusted cloud services do not trigger email filters. Burnard points out that this is part of the group’s makeover: until the last few years its attacks were very loud, and it was not too worried about its activity being detected.

But since seven cybercriminals, including members of APT41, were indicted in 2020, its operations have become more stealthy, and Burnard said the group is now moving toward using legitimate tools such as Cobalt Strike and migrating to cloud services to hide its intentions and activities.

