The prolific Chinese nation-state actor tracked as APT41, also known as Brass Typhoon, Earth Baku, Wicked Panda, and Winnti, has been linked to a sophisticated cyber attack targeting the gambling and gaming industry.
“In a stealthy operation spanning at least six months, attackers secretly gathered valuable information from the targeted company, including but not limited to network configurations, user passwords, and secrets from the LSASS process,” Ido Naor, co-founder and CEO of Israeli cybersecurity firm Security Joes, told The Hacker News.
As the breach unfolded, the attackers adapted their tactics in real time to each countermeasure the security team put in place. By closely monitoring the defenders' actions, they adjusted their techniques and tooling to evade detection and keep continuous access to the compromised network.
The multi-stage attack, which targeted one of the firm's clients and persisted for nearly nine months this year, exhibits overlaps with an intrusion set tracked by cybersecurity vendor Sophos under the name Operation Crimson Palace.
Naor said the company responded to the incident four months ago. Although APT41 is a state-sponsored group, “this time we suspect with high confidence that APT41 was motivated by financial gain,” he added.
The campaign was designed for stealth, relying on a custom toolkit that not only circumvents the security software installed in the environment but also collects sensitive data and establishes covert communication channels for sustained remote access.
Security Joes describes APT41 as a highly sophisticated and methodical threat actor capable not only of espionage but also of supply chain compromises, which have led to intellectual property theft and to financially motivated intrusions such as ransomware and cryptocurrency mining.
Although the exact initial access vector remains unknown, the available evidence suggests that spear-phishing emails were used, since there is no indication of an exploitable vulnerability in exposed web applications or of a supply chain compromise.
“Once inside the compromised infrastructure, the attackers executed a DCSync attack, targeting password hashes of service and administrative accounts to expand their foothold,” the company said in its report. “With this access in hand, they maintained a persistent presence within the network, focusing on administrator and developer accounts.”
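A DCSync request is visible to defenders because the domain controller logs it as a directory service access, Security event 4662, carrying the replication control-access rights that were requested. The script below is an added example written for this article, not code from the Security Joes report: it classifies constructed 4662 records and flags replication rights requested by anything other than the expected replicators. The replication GUIDs are Microsoft's documented extended rights; the account names, the expected-replicator list and the events themselves are constructed sample data.

```python
"""Spot DCSync-style replication requests in Windows Security event 4662.

Added example, not from the Security Joes report or The Hacker News article.
A DCSync attack asks a domain controller to replicate directory data over the
same RPC interface (DRSUAPI) a real DC uses. With "Audit Directory Service
Access" enabled, the DC logs event 4662 listing the control access rights
requested. The GUIDs below are Microsoft's documented extended rights for
replication; every account, host and event here is constructed sample data.
"""
from __future__ import annotations

import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals expected to replicate: DC machine accounts plus the directory
# sync service account. Hypothetical names for this example.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_a1b2c3d4e5f6"}

GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?")


def classify_4662(event: dict) -> dict | None:
    """Return a finding if the event is a replication request from an
    unexpected account, otherwise None."""
    if event.get("EventID") != 4662:
        return None
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    requested = {REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS}
    if not requested:
        return None  # a 4662 for some other object access
    account = event["SubjectUserName"]
    if account in EXPECTED_REPLICATORS:
        return None
    # Get-Changes-All is the right that returns secret attributes (the NT
    # hashes); seeing it from a user account is the strongest signal.
    severity = "high" if "DS-Replication-Get-Changes-All" in requested else "medium"
    return {"account": account, "rights": sorted(requested), "severity": severity}


def find_dcsync(events: list[dict]) -> list[dict]:
    """Run the classifier over a batch of events and keep the findings."""
    return [f for f in map(classify_4662, events) if f]


# Constructed sample events, shaped like the XML fields of a real 4662.
SAMPLE_EVENTS = [
    # legitimate replication between domain controllers
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a service account asking for the full replication set: DCSync
    {"EventID": 4662, "SubjectUserName": "svc_backup",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a different extended right (User-Change-Password), not replication
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "Control Access\n\t{ab721a53-1e2f-11d0-9819-00aa0040529b}"},
    # unrelated event id, ignored
    {"EventID": 4624, "SubjectUserName": "jdoe", "Properties": ""},
]

if __name__ == "__main__":
    for finding in find_dcsync(SAMPLE_EVENTS):
        print(finding)
```

Matching on the rights GUIDs rather than on a tool name keeps the rule independent of whether the attacker used Mimikatz, Impacket's secretsdump or a custom client; the allow-list of replicators is what needs maintaining in a real environment.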
The attackers conducted reconnaissance and post-exploitation methodically, repeatedly adapting their toolkit in response to the countermeasures deployed against them and escalating privileges, ultimately to download and execute additional payloads.
In their early activity, the attackers abused access to service accounts holding administrator privileges to execute scripts through the trusted wmic.exe utility.
A subsequent stage involves downloading and executing a malicious DLL, identified as TSVIPSrv.dll, over the Server Message Block (SMB) protocol; once running, the payload connects to a hardcoded command-and-control (C2) server.
“If the hardcoded C2 fails, the implant attempts to update its C2 information by scraping GitHub users using the following URL: github[.]com/search?o=desc&q=pointers&s=joined&type=Users&.”
The malware parses the HTML returned by the GitHub search, looking for a distinctive pattern of capitalized words separated by whitespace. It extracts the capital letters between A and P from a sequence of eight such words, producing an 8-character string that encodes the IP address of the new C2 server. Sixteen possible letters carry four bits each, so eight of them supply exactly the 32 bits of an IPv4 address.
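The following decoder is an added example, not the implant's code and not from the Security Joes report. It reproduces the scheme as the article describes it: strip the HTML, find the first run of eight capitalized words whose initials fall in A..P, and turn those eight letters into a dotted quad. The letter order (A=0 through P=15, two letters per octet, high nibble first) and the "first qualifying run wins" rule are assumptions made here, since the page does not state them; the HTML fragment is constructed and is not a real GitHub response.

```python
"""Decode a GitHub-search-scraped fallback C2 address.

Added example, not the implant's code and not from the Security Joes report.
The article says the implant pulls capital letters A..P from a run of eight
capitalized words in the search results and turns the 8-character string into
an IPv4 address. The exact mapping (A=0 .. P=15, two letters per octet, high
nibble first) and the "first qualifying run wins" rule are assumptions here.
SAMPLE_HTML is a constructed fragment, not a real GitHub page.
"""
from __future__ import annotations

import re

# A capitalized word whose initial is in A..P: the only tokens the decoder reads.
WORD_RE = re.compile(r"^[A-P][a-z]*$")
TAG_RE = re.compile(r"<[^>]+>")


def letters_to_ip(letters: str) -> str:
    """Map eight letters in A..P to dotted-quad form (assumed encoding)."""
    if len(letters) != 8 or any(c not in "ABCDEFGHIJKLMNOP" for c in letters):
        raise ValueError("expected exactly eight letters in A..P")
    nibbles = [ord(c) - ord("A") for c in letters]          # 0..15 each
    octets = [(hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2])]
    return ".".join(str(o) for o in octets)


def decode_c2(html: str) -> str | None:
    """Find the first run of eight qualifying words in the page text and
    decode their initials; None if the page carries no such run."""
    text = TAG_RE.sub(" ", html)        # drop tags, keep visible text
    tokens = text.split()
    for i in range(len(tokens) - 7):
        window = tokens[i:i + 8]
        if all(WORD_RE.match(w) for w in window):
            return letters_to_ip("".join(w[0] for w in window))
    return None


# Constructed search-result fragment; the "bio" carries the encoded address.
SAMPLE_HTML = """
<div class="user"><a href="/someone">someone</a>
<p class="bio">likes to say: Dawn Keeps Finding Bright Ideas Among Cold Pines daily</p></div>
"""

if __name__ == "__main__":
    print(decode_c2(SAMPLE_HTML))
```

Because any GitHub account with an innocuous-looking bio can carry the address, the dead-drop resolver gives the operator a way to re-point the implant without touching the hardcoded infrastructure; blocking the first C2 alone does not cut the channel.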
The initial connection to the C2 server is used to profile the infected system and to retrieve additional malicious code, which is then executed over a socket connection.
Security Joes' researchers noted that the threat actors went quiet for several weeks after their initial activity was detected, then resurfaced with a revised approach: obfuscated JavaScript embedded in a modified XSL file (“texttable.xsl”), executed through the LOLBIN wmic.exe.
When the command WMIC.exe MEMORYCHIP GET is executed, wmic indirectly loads texttable.xsl to format its output; because the attacker had modified that file, loading it forces the execution of the injected JavaScript, the researchers said.
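A legitimate formatting stylesheet has no reason to carry a script block, so the presence of one is a usable indicator when triaging the XSL files wmic can load. The check below is an added example, not the attacker's file and not from the Security Joes report: it parses a stylesheet and reports every script element in MSXML's extension namespace (urn:schemas-microsoft-com:xslt), matching on the namespace URI so that renaming the prefix does not evade it. Both stylesheets are constructed samples; the benign one is a minimal stand-in, not the real texttable.xsl.

```python
"""Flag XSL stylesheets that carry embedded script, the way the modified
texttable.xsl described above did.

Added example, not the attacker's file and not from the Security Joes report.
wmic.exe formats GET output through an XSL stylesheet, and MSXML executes any
script element in the urn:schemas-microsoft-com:xslt namespace it finds there.
The two stylesheets below are constructed samples; the benign one is a minimal
stand-in, not the real texttable.xsl.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

MSXSL_NS = "urn:schemas-microsoft-com:xslt"
SCRIPT_TAG = f"{{{MSXSL_NS}}}script"


def find_embedded_scripts(xsl_text: str) -> list[dict]:
    """Return one finding per msxsl:script element. Matching is by namespace
    URI, so ms:, msxsl: or any other prefix is caught alike."""
    try:
        root = ET.fromstring(xsl_text)
    except ET.ParseError as exc:
        # A stylesheet in the wbem directory that does not parse is itself
        # worth a look; report it rather than silently passing it.
        return [{"language": None, "error": str(exc)}]
    findings = []
    for el in root.iter(SCRIPT_TAG):
        findings.append({
            "language": el.get("language"),
            "implements_prefix": el.get("implements-prefix"),
            "preview": (el.text or "").strip()[:60],
        })
    return findings


# Constructed: a plain text-output stylesheet with no script element.
BENIGN_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:for-each select="//PROPERTY"><xsl:value-of select="VALUE"/><xsl:text>&#10;</xsl:text></xsl:for-each>
  </xsl:template>
</xsl:stylesheet>"""

# Constructed: the same shape with a JScript block that runs when the
# stylesheet is applied. The command is a placeholder, not the real downloader.
MALICIOUS_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="urn:example-user">
  <xsl:output method="text"/>
  <ms:script implements-prefix="user" language="JScript">
    var sh = new ActiveXObject("WScript.Shell");
    sh.Run("cmd.exe /c whoami", 0, false); // placeholder payload
  </ms:script>
  <xsl:template match="/"><xsl:value-of select="user:run()"/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, xsl in (("benign", BENIGN_XSL), ("malicious", MALICIOUS_XSL)):
        print(name, find_embedded_scripts(xsl))
```

Run this over the stylesheets in the directory wmic resolves them from and over any .xsl found in user-writable paths; pair it with a hash comparison of texttable.xsl against a known-good copy from a clean system of the same build, since a tampered file can also be spotted by the mismatch alone.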
The JavaScript acts as a downloader, using time.qnapntp[.]com as its command-and-control (C2) server to retrieve further payloads that fingerprint the targeted machines and send the collected data back, subject to filtering criteria that appear designed to restrict the attack to machines of interest to the threat actor.
“What stands out is the deliberate targeting of machines whose IP addresses contain the substring ‘10.20.22’,” the researchers noted. “This reveals which devices the attacker considered valuable: those in the range 10.20.22.0 to 10.20.22.255. Correlating this with network logs and the IP addresses of the devices where the file was found, we concluded that the attacker used this filter to ensure that only devices within the VPN subnet were affected.”
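A substring test on the dotted-quad string is a loose approximation of a /24 membership test, and the difference matters when reproducing the targeting during an investigation. The comparison below is an added example, not the malware's code: it runs the substring check the article describes beside a proper subnet check and lists the addresses where they disagree. The addresses are constructed.

```python
"""Compare the payload's substring test against the /24 the researchers say it
was meant to select.

Added example, not the malware's code. Checking for the substring "10.20.22"
in a dotted-quad string is not the same as testing membership in
10.20.22.0/24: the substring also matches 10.20.220.x and any address whose
text happens to contain those characters. The sample addresses are constructed.
"""
from __future__ import annotations

import ipaddress

TARGET_SUBSTRING = "10.20.22"
TARGET_SUBNET = ipaddress.ip_network("10.20.22.0/24")


def substring_filter(ip: str) -> bool:
    """The check the article describes the payload performing."""
    return TARGET_SUBSTRING in ip


def subnet_filter(ip: str) -> bool:
    """The check a defender would use to reproduce the intended targeting."""
    return ipaddress.ip_address(ip) in TARGET_SUBNET


def disagreements(ips: list[str]) -> list[str]:
    """Addresses where the two tests differ: machines the substring check
    would pull in beyond the VPN subnet."""
    return [ip for ip in ips if substring_filter(ip) != subnet_filter(ip)]


SAMPLE_IPS = [
    "10.20.22.7",     # inside the subnet, both tests agree
    "10.20.22.255",   # last address of the /24, both agree
    "10.20.220.5",    # different subnet, but the substring matches
    "210.20.22.1",    # unrelated network, substring matches again
    "10.20.23.4",     # neighbouring subnet, neither matches
    "192.168.1.10",   # neither matches
]

if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        print(f"{ip:>14}  substring={substring_filter(ip)!s:<5}  subnet={subnet_filter(ip)}")
```

When hunting for other hosts the downloader may have profiled, search logs for the substring rather than the CIDR: that is what the payload did, so it is the over-inclusive set that tells you which machines actually reported back.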