Chinese APT41 Enhances Malware Arsenal with DodgeBox and MoonWalk
An “advanced and updated version” of the well-known StealthVector malware is suspected of being used by the China-linked APT41 group to deliver a previously undocumented backdoor named MoonWalk.
The enhanced iteration of StealthVector, also known as DUSTPAN, has been dubbed DodgeBox by Zscaler ThreatLabz, which discovered the loader strain in April 2024.
Security researchers Yin Hong Chang and Sudeep Singh stated, “DodgeBox is a loader that proceeds to load a new backdoor named MoonWalk. MoonWalk shares many evasion techniques implemented in DodgeBox and utilizes Google Drive for command-and-control (C2) communication.”
Known by the aliases Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda, and Winnti, APT41 is a high-profile state-sponsored threat actor affiliated with China that has been active since at least 2007.
In September 2020, multiple threat actors linked with the hacking crew were indicted by the U.S. Department of Justice (DoJ) for orchestrating intrusion campaigns targeting over 100 companies worldwide.
The DoJ revealed that the intrusions led to the theft of source code, software code signing certificates, customer account data, and valuable business information, enabling various criminal schemes such as ransomware and ‘crypto-jacking’.
APT41 has been associated with breaches of U.S. state government networks between May 2021 and February 2022, as well as attacks on Taiwanese media organizations using an open-source red teaming tool known as Google Command and Control (GC2).
The involvement of APT41 with StealthVector was initially documented by Trend Micro in August 2021, which characterized it as a shellcode loader written in C/C++ used to deliver Cobalt Strike Beacon and a shellcode implant known as ScrambleCross (aka SideWalk).
DodgeBox is believed to be an enhanced version of StealthVector, integrating techniques such as call stack spoofing, DLL side-loading, and DLL hollowing to avoid detection. The distribution method of the malware remains unknown.
“APT41 utilizes DLL side-loading to execute DodgeBox,” noted the researchers. “They take advantage of a legitimate executable (taskhost.exe), signed by Sandboxie, to sideload a malicious DLL (sbiedll.dll).”

The rogue DLL (DodgeBox), written in C, acts as the intermediary that decrypts and launches a second-stage payload, the MoonWalk backdoor.
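The side-loading chain described above (a signed taskhost.exe from Sandboxie picking up a malicious sbiedll.dll placed beside it) leaves a recognisable trace in endpoint image-load telemetry: the legitimate host binary runs from a directory it was never installed in, and the DLL it imports is not signed by the vendor that signs the host. The following Python is an added detection example, not code from the article or from Zscaler; the event fields, the expected Sandboxie install directory and the sample events are all constructed assumptions for illustration.

```python
"""Heuristic detection of the DLL side-loading pattern described above.

Constructed example: the event fields mimic an endpoint image-load record
(process path, loaded DLL path, signature state).  The expected install
directory for the Sandboxie host binary is an assumption, not a value taken
from the report.
"""
from __future__ import annotations

from dataclasses import dataclass
import ntpath


@dataclass
class ImageLoadEvent:
    process_image: str      # full path of the process that mapped the DLL
    loaded_image: str       # full path of the DLL that was mapped
    signed: bool            # DLL carries a valid Authenticode signature
    signer: str = ""        # signer subject name, empty when unsigned


# Host executable -> (DLL name it imports, signer expected on that DLL).
# The taskhost.exe / sbiedll.dll pairing is the one named in the report;
# further pairs can be added the same way.
SIDELOAD_PAIRS = {
    "taskhost.exe": ("sbiedll.dll", "Sandboxie"),
}

# Where the legitimate host normally lives (assumed for this example).
EXPECTED_HOST_DIRS = {
    "taskhost.exe": (r"c:\program files\sandboxie",),
}


def evaluate(event: ImageLoadEvent) -> list[str]:
    """Return the reasons this load looks like side-loading (empty list if benign)."""
    proc_path = event.process_image.lower()
    dll_path = event.loaded_image.lower()
    proc_name = ntpath.basename(proc_path)
    dll_name = ntpath.basename(dll_path)

    pair = SIDELOAD_PAIRS.get(proc_name)
    if pair is None or dll_name != pair[0]:
        return []                       # not one of the watched host/DLL pairs

    expected_dll, expected_signer = pair
    reasons: list[str] = []

    # 1. The legitimate host binary has been copied out of its install directory.
    proc_dir = ntpath.dirname(proc_path)
    if not any(proc_dir.startswith(d) for d in EXPECTED_HOST_DIRS.get(proc_name, ())):
        reasons.append("host executable running outside its expected install directory")

    # 2. The DLL it imports is not signed by the vendor that signs the host.
    if not event.signed:
        reasons.append(f"side-loaded {expected_dll} is unsigned")
    elif expected_signer.lower() not in event.signer.lower():
        reasons.append(f"{expected_dll} signed by '{event.signer}', expected '{expected_signer}'")

    return reasons


def scan(events: list[ImageLoadEvent]) -> list[tuple[str, list[str]]]:
    """Run evaluate() over a batch and keep only the loads that raised a reason."""
    hits = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits.append((ev.loaded_image, reasons))
    return hits


# Constructed sample telemetry: one benign load from the vendor directory,
# one copy of the host running from a user-writable path with an unsigned DLL,
# and one unrelated system load that the rule must ignore.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Program Files\Sandboxie\taskhost.exe",
                   r"C:\Program Files\Sandboxie\SbieDll.dll",
                   signed=True, signer="Sandboxie Holdings, LLC"),   # constructed signer
    ImageLoadEvent(r"C:\Users\Public\Music\taskhost.exe",
                   r"C:\Users\Public\Music\sbiedll.dll",
                   signed=False),
    ImageLoadEvent(r"C:\Windows\System32\svchost.exe",
                   r"C:\Windows\System32\kernel32.dll",
                   signed=True, signer="Microsoft Windows"),
]


if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_EVENTS):
        print(dll)
        for r in reasons:
            print("  -", r)
```

The rule deliberately keys on the host/DLL pairing rather than on the DLL name alone, since a signed sbiedll.dll under the vendor's install directory is exactly what a real Sandboxie install produces; the signal is the combination of a relocated host and a DLL whose signer does not match.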
The association of DodgeBox with APT41 is drawn from the resemblances between DodgeBox and StealthVector, the usage of DLL side-loading – a commonly employed technique by China-affiliated groups to deliver malware like PlugX – and the fact that DodgeBox samples have been submitted to VirusTotal from Thailand and Taiwan.
“DodgeBox is a newly identified loader malware that incorporates multiple techniques for evading both static and behavioral detection,” outlined the researchers.
“It offers a range of functionalities, including the decryption and loading of embedded DLLs, performing environment checks and bindings, and executing cleanup operations.”