DodgeBox: new loader from APT41 masterfully bypasses Asian firewalls

Chinese hackers have spent years honing their skills to steal business secrets stealthily.

The China-linked APT41 group is suspected of using an "enhanced version" of the well-known StealthVector malware to deliver a new backdoor called MoonWalk. The new StealthVector variant was codenamed DodgeBox by Zscaler specialists, who discovered it in April 2024.

DodgeBox is a loader that delivers the new MoonWalk backdoor. Security researchers Yin Hong Chang and Sudip Singh noted that MoonWalk shares many of DodgeBox's evasion techniques and uses Google Drive for C2 communications.

According to experts, APT41 has been operating since at least 2007. It is also known by other names, such as Axiom, Blackfly, and Brass Typhoon. In September 2020, the US Department of Justice announced charges against several members of this group for hacking more than 100 companies around the world. These attacks resulted in the theft of source code, software signing certificates, customer account data, and sensitive business information.

Over the past few years, APT41 has been linked to multiple breaches of US state government networks, as well as attacks on Taiwanese media organizations using the GC2 tool. The group's use of StealthVector was first documented by Trend Micro in August 2021. This loader is written in C/C++ and is used to deliver Cobalt Strike Beacon and other malware.

DodgeBox is considered an improved version of StealthVector and includes techniques such as call stack spoofing, DLL sideloading, and DLL hollowing to evade detection. How this malware is distributed is still unknown.

Researchers report that APT41 uses DLL sideloading to execute DodgeBox: a legitimate executable (taskhost.exe) signed by Sandboxie loads the malicious library (sbiedll.dll) placed beside it. DodgeBox is a DLL loader written in C that decrypts and runs the second stage, the MoonWalk backdoor.
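The sideloading chain above (a signed host binary loading a same-named DLL from its own directory) is something a defender can hunt for in image-load telemetry. The following is an added detection example, not code from Zscaler or the article; the taskhost.exe / sbiedll.dll / Sandboxie pairing comes from the text, while the event layout, the trusted install roots and the sample events are constructed assumptions.

```python
"""Flag candidate DLL sideloading in Sysmon-style ImageLoad (Event ID 7) records."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

@dataclass(frozen=True)
class ImageLoad:
    process_image: str   # full path of the loading process (Sysmon "Image")
    loaded_image: str    # full path of the DLL being loaded (Sysmon "ImageLoaded")
    loaded_signer: str   # publisher from the DLL's signature; "" when unsigned

# Hypothetical watch-list: host executable -> (DLL it resolves by name, publisher expected to sign it).
# The Sandboxie pairing is the one the report describes; extend with other known sideload hosts.
SIDELOAD_PAIRS = {
    "taskhost.exe": ("sbiedll.dll", "Sandboxie"),
}
# Assumed directories where the legitimate product would normally be installed.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

def sideload_reasons(ev: ImageLoad) -> List[str]:
    """Return the reasons an event looks like sideloading; an empty list means this rule is silent."""
    host = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.loaded_image)
    pair = SIDELOAD_PAIRS.get(host.name.lower())
    if pair is None or dll.name.lower() != pair[0]:
        return []                      # not a host/DLL pair we track
    reasons = []
    if ev.loaded_signer.lower() != pair[1].lower():
        reasons.append("DLL signer is %r, expected %r" % (ev.loaded_signer or "unsigned", pair[1]))
    if not (str(host.parent).lower() + "\\").startswith(TRUSTED_ROOTS):
        reasons.append("host binary runs from untrusted directory %s" % host.parent)
    return reasons

def scan(events: List[ImageLoad]) -> List[Tuple[ImageLoad, List[str]]]:
    """Run the rule over a batch of events and keep only those with findings."""
    return [(ev, r) for ev in events if (r := sideload_reasons(ev))]

# Constructed sample telemetry: a normal install, a copy dropped in a temp folder, unrelated noise.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Sandboxie\taskhost.exe", r"C:\Program Files\Sandboxie\sbiedll.dll", "Sandboxie"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\taskhost.exe", r"C:\Users\alice\AppData\Local\Temp\sbiedll.dll", ""),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll", "Microsoft Windows"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.process_image, "->", ev.loaded_image)
        for reason in reasons:
            print("   ", reason)
```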

The attribution of DodgeBox to APT41 is based on the program's similarity to StealthVector, the use of DLL sideloading, and the fact that DodgeBox samples were submitted to VirusTotal from Thailand and Taiwan.

The researchers note that DodgeBox is a new malicious loader that uses a variety of techniques to evade detection and offers various capabilities, including decrypting and loading embedded DLLs, checking the environment, and performing cleanup routines.

As cybercriminals continue to develop their tools to circumvent existing defenses, organizations should pay more attention to monitoring and updating their security systems to counter these ever-evolving threats.

From London to Bangkok: APT41 Cyber Attack Map

Details of attacks on companies in several countries.

In collaboration with Google's Threat Analysis Group (TAG), Mandiant identified a large-scale campaign by the APT41 group aimed at compromising organizations in various sectors. The victims included companies in the global logistics, media and entertainment, technology, and automotive industries. Most of the attacked organizations were located in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom.

The APT41 group successfully penetrated the networks of many companies and maintained unauthorized access since 2023, which allowed the attackers to extract confidential data over a long period.

APT41 used a combination of the ANTSWORD and BLUEBEAM web shells to execute the DUSTPAN malware, which loaded BEACON for command-and-control communication. At later stages of the attack, the DUSTTRAP utility was used, which gave the intruders direct access to the compromised systems. SQLULDR2 was used to copy data from databases, and PINEGROVE was used for exfiltration to Microsoft OneDrive.

Recently, Mandiant identified APT41's use of the ANTSWORD and BLUEBEAM web shells on an Apache Tomcat Manager server, active since 2023. These web shells were used to load DUSTPAN, which in turn loaded and executed BEACON in memory.

In the next stage of the attack, APT41 used DUSTTRAP, which decrypted and executed malicious code while leaving minimal traces. This code established communication channels with infrastructure controlled by APT41, or with compromised Google Workspace accounts, which allowed the attackers to disguise their actions as legitimate traffic. All compromised Google Workspace accounts have since been remediated.

For data exfiltration, APT41 used SQLULDR2 to export data from Oracle databases and PINEGROVE to transfer large amounts of data to OneDrive.

Mandiant and Google TAG notified multiple organizations of the compromise. The attacks targeted companies from various sectors in Europe and Asia. Most of the logistics organizations targeted were located in Europe and the Middle East, while the media and entertainment victims were in Asia.

Some logistics companies affected by the attacks operate on several continents and are affiliated with large multinational corporations.

APT41 is a Chinese cyber group known for both state-sponsored espionage operations and financially motivated attacks. The group specializes in stealing source code, manipulating virtual currency, and attempting to deploy ransomware. APT41 is also known for using custom malware and sophisticated techniques, such as compromising the software supply chain and using stolen digital certificates.

The identified APT41 campaign demonstrates a high level of threat to global corporations. The methods and tools used indicate that the group is well trained and well resourced. Companies from various sectors, especially those operating in international markets, should stay alert and take measures to protect their systems and data from such attacks.