Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk
Summary:
China-linked APT41 is suspected of using an advanced version of StealthVector malware, dubbed DodgeBox, to deliver a new backdoor named MoonWalk. Zscaler ThreatLabz discovered DodgeBox, also known as DUSTPAN, in April 2024. Researchers Yin Hong Chang and Sudeep Singh explained that DodgeBox loads MoonWalk, which shares DodgeBox's evasion techniques and uses Google Drive for command-and-control communication.
DodgeBox is an evolved form of StealthVector, first documented by Trend Micro in August 2021. StealthVector, a shellcode loader written in C/C++, was initially used to deliver Cobalt Strike Beacon and a shellcode implant named ScrambleCross (aka SideWalk). DodgeBox enhances StealthVector by incorporating advanced techniques like call stack spoofing, DLL side-loading, and DLL hollowing to evade detection. However, the exact method by which the malware is distributed remains unknown.
APT41 uses DLL side-loading to execute DodgeBox, utilizing a legitimate executable signed by Sandboxie to sideload a malicious DLL. The rogue DLL, written in C, decrypts and launches the MoonWalk backdoor. MoonWalk employs various evasion techniques found in DodgeBox and uses Google Drive for C2 communication. DodgeBox evades both static and behavioral detection by decrypting and loading embedded DLLs, conducting environment checks and bindings, and executing cleanup procedures. The attribution of DodgeBox to APT41 stems from its similarities to StealthVector, the use of DLL side-loading, a common technique among China-nexus groups, and the submission of DodgeBox samples from Thailand and Taiwan.
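The side-loading pattern just described (a trusted, signed executable pulling an unsigned DLL from its own directory) can be surfaced from endpoint image-load telemetry. The following is an added example, not code from Zscaler's or The Hacker News' write-ups; the record layout is a simplified, constructed schema (not Sysmon's exact field names) and the sample events are constructed.

```python
"""Heuristic detection for DLL side-loading: a signed host executable loads
an unsigned DLL that lives in the executable's own directory, outside the
Windows system folders. Record fields (process, process_signed, dll,
dll_signed) are a constructed schema; map them from your own EDR/Sysmon
ImageLoad events before use."""
from pathlib import PureWindowsPath

# Loads from the system directories are expected and are not flagged.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def is_suspicious_load(event: dict) -> bool:
    """True when the event matches the signed-host / unsigned-DLL pattern."""
    process = PureWindowsPath(event["process"])
    dll = PureWindowsPath(event["dll"])
    if dll.suffix.lower() != ".dll":
        return False
    dll_dir = str(dll.parent).lower()
    if dll_dir.startswith(SYSTEM_DIRS):
        return False
    same_dir = dll_dir == str(process.parent).lower()
    return same_dir and event["process_signed"] and not event["dll_signed"]


def find_side_loads(events: list[dict]) -> list[str]:
    """Return the DLL paths of every event that matches the heuristic."""
    return [e["dll"] for e in events if is_suspicious_load(e)]


# Constructed sample telemetry: one side-load candidate among benign loads.
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Vendor\VendorTool.exe", "process_signed": True,
     "dll": r"C:\Program Files\Vendor\helper.dll", "dll_signed": False},
    {"process": r"C:\Program Files\Vendor\VendorTool.exe", "process_signed": True,
     "dll": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    {"process": r"C:\Program Files\Vendor\VendorTool.exe", "process_signed": True,
     "dll": r"C:\Program Files\Vendor\plugin.dll", "dll_signed": True},
    {"process": r"C:\Users\Public\dropper.exe", "process_signed": False,
     "dll": r"C:\Users\Public\payload.dll", "dll_signed": False},
]

if __name__ == "__main__":
    for path in find_side_loads(SAMPLE_EVENTS):
        print("possible DLL side-load:", path)
```

The heuristic deliberately ignores unsigned-host cases and DLLs loaded from elsewhere on the search path; those need separate rules, and the signed-host hits still require triage against known-good vendor plugins.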
Security Officer Comments:
APT41, active since at least 2007, is known by various names including Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda, and Winnti. It is a prolific state-sponsored threat actor affiliated with China. In September 2020, the U.S. Department of Justice indicted several APT41 members for orchestrating intrusion campaigns targeting over 100 companies globally. These intrusions facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information, and enabled other criminal schemes like ransomware and crypto-jacking.
APT41 continues to evolve its malware capabilities with the development of DodgeBox, an advanced loader designed to deliver the MoonWalk backdoor. This sophisticated malware employs multiple techniques to evade detection and highlights the ongoing threat posed by APT41 to organizations worldwide.
Suggested Corrections:
IOCs:
https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://thehackernews.com/2024/07/chinese-apt41-upgrades-malware-arsenal.html