Security researchers have recently linked numerous malware attacks to the China-based threat group APT41. According to the findings, the operations used COVID-themed phishing bait to target victims in India.
Tactics employed by the attacker
As the initial infection vector, the attackers are thought to have used phishing emails carrying document attachments. The phishing emails posed as COVID-19 advisories from the Indian government.
- Once a victim's system is compromised via the phishing bait, the implant hides its network activity behind a custom command-and-control (C2) profile.
- The emails carry LNK files or ZIP archives as attachments. Some of the phishing emails contained information about the latest income tax legislation aimed at Indian citizens residing outside India (non-resident Indians).
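The delivery pattern above (a bare LNK shortcut, or a ZIP archive wrapping one) is something a mail gateway can flag before the user ever sees it. The following is an added detection example written for this post, not code from eScan or from the research it summarizes; the attachment names and contents are constructed sample input, and the function names (`suspicious_entries`, `triage`) are this example's own.

```python
"""Added example (not from the eScan post): flag e-mail attachments that match
the delivery pattern described above - a bare .lnk file, or a ZIP archive that
contains a .lnk shortcut. All sample attachments are constructed in memory."""
import io
import zipfile

RISKY_EXTENSIONS = {".lnk"}


def _has_risky_extension(name: str) -> bool:
    lowered = name.lower()
    return any(lowered.endswith(ext) for ext in RISKY_EXTENSIONS)


def suspicious_entries(filename: str, data: bytes) -> list[str]:
    """Return the names of suspicious objects inside one attachment.

    - A bare shortcut attachment is returned as itself.
    - For a ZIP archive, every member whose name ends in .lnk is returned,
      including members nested in sub-folders (a common trick is
      'document.pdf.lnk', which Explorer shows without the .lnk suffix).
    - A ZIP that passes the magic check but cannot be parsed is reported with
      a marker entry so the message is still held for review.
    - Anything else (PDF, text, ...) yields an empty list.
    """
    if _has_risky_extension(filename):
        return [filename]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [m.filename for m in archive.infolist()
                    if not m.is_dir() and _has_risky_extension(m.filename)]
    except zipfile.BadZipFile:
        return ["<corrupt zip archive>"]


def triage(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each attachment name to the suspicious entries found in it (empty if clean)."""
    return {name: suspicious_entries(name, data) for name, data in attachments.items()}


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP archive; used here only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments. The names imitate the COVID-advisory and
# income-tax themes described in the post but are invented for this example;
# the shortcut bodies are placeholders, not real LNK files.
SAMPLE_ATTACHMENTS = {
    "COVID19_Advisory.pdf": b"%PDF-1.4 harmless placeholder",
    "COVID19_Advisory.zip": build_zip({
        "advisory/COVID19_Advisory.pdf.lnk": b"L\x00\x00\x00 (shortcut placeholder)",
        "advisory/readme.txt": b"nothing here",
    }),
    "Income_Tax_Notice.lnk": b"L\x00\x00\x00 (shortcut placeholder)",
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_ATTACHMENTS).items():
        verdict = "QUARANTINE" if hits else "clean"
        print(f"{name}: {verdict} {hits if hits else ''}".rstrip())
```

Run as a script it prints one verdict per attachment; in a gateway you would feed it the decoded MIME parts of each inbound message and hold any message with a non-empty result. The check is deliberately extension-based so it stays cheap; pairing it with a rule that also rejects shortcuts whose target points at `cmd.exe`, `powershell.exe` or a remote share would catch the same lure after renaming.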
Attribution
- One wave of breaches employed similar phishing lures and was linked to the Evilnum gang in September 2020. The indicators of compromise in the recent attack, on the other hand, point to a connection with the APT41 group.
- The new study expands on a security researcher's prior findings from March 2020. In that campaign, APT41 exploited numerous publicly known vulnerabilities.
- A Cobalt Strike Beacon loader seen in that campaign used a C2 profile that has since been observed in other campaigns.
- On March 29, a comparable C2 profile was published to GitHub. It was uploaded by a researcher using the alias ‘1135’, who was looking for a new cluster of sites associated with APT41.
Experts believe that state-sponsored attackers have the resources to run multiple campaigns in parallel while avoiding detection. Furthermore, COVID-19 baits remain effective because the pandemic is not over. To withstand and counter such threat groups, security teams should draw on shared threat intelligence services and other community resources.
To read more, please check eScan Blog