BlackBerry's research team revealed that the group, identified as APT41, has been carrying out seemingly disparate malware campaigns designed to steal sensitive information from Indian users. The attackers used COVID-themed phishing lures.
The campaign was designed to lure victims by exploiting the public's hopes for a quick cure for the pandemic. The documents, which were likely used by the hackers as the initial infection vector, allegedly contained information about the latest government advisories regarding the taxation of non-resident Indians.
“The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims,” the BlackBerry Research and Intelligence team said in a report. “And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic.”
APT41 (also tracked as Barium or Winnti) is the name given to a Chinese cyber threat group that engages in state-sponsored espionage. It has been known to conduct operations since 2012.
Mandiant (formerly FireEye) said at the time that APT41 (which it calls Double Dragon) was focused on penetrating sectors such as healthcare, telecommunications, and high-tech in order to steal intellectual property.
Besides that, the group is known for carrying out various cybercrimes, such as spreading malware, phishing, and manipulating virtual currencies. It has also carried out several software supply chain compromises.
The latest findings by BlackBerry build on Mandiant's report released in March 2020, which detailed a global attack campaign by the APT41 group. The attackers exploited several known security issues in Cisco and Citrix devices to drop next-stage payloads that were then used to download Cobalt Strike.
BlackBerry found a similar C2 profile uploaded to GitHub on March 29 and identified a fresh cluster of domains related to APT41. The campaign attempted to disguise Beacon traffic as legitimate traffic to Microsoft sites. The IP addresses and domain names found in the campaigns were linked to the Higaisa and Winnti APTs.
Further investigation revealed that the malicious PDF files connected to a domain that had previously hosted a Cobalt Strike Team Server.
“With the resources of a nation-state level threat group, it’s possible to create a truly staggering level of diversity in their infrastructure,” the researchers said, adding that by piecing together the malicious activities of the threat actor via public sharing of information, it’s possible to “uncover the tracks that the cybercriminals involved worked so hard to hide.”