China’s APT41 Crew Adds A Stealthy Malware Loader And Fresh Backdoor To Its Toolbox

Chinese government-backed cyber espionage gang APT41 has very likely added a loader dubbed DodgeBox and a backdoor named MoonWalk to its malware toolbox, according to cloud security service provider Zscaler’s ThreatLabz research team.

APT41 – also known as Barium, Wicked Panda, Wicked Spider and Earth Baku – has ties to the Chinese Ministry of State Security. In addition to digital espionage, the crew also conducts financially motivated crimes [PDF] on occasion. Google’s Mandiant security unit believes that’s how the gang funds its spying operations.

Over the years, the US government has charged APT41 members with breaking into computer networks belonging to more than 100 victims across the globe.

The tactics, techniques, and procedures (TTPs) that the Zscaler team observed in this campaign – including DLL sideloading – and the DodgeBox malware code’s similarity to StealthVector malware, led the threat hunters to attribute the intrusions with medium confidence to APT41.

In a technical analysis published on Wednesday, ThreatLabz researchers Yin Hong Chang and Sudeep Singh wrote that “analysis of the telemetry available in VirusTotal reveals that DodgeBox samples have been submitted from both Thailand and Taiwan.”

“This observation aligns with previous instances of APT41 employing StealthVector in campaigns primarily targeting users in the Southeast Asian (SEA) region,” they added.”

In April, Zscaler uncovered Dodgebox and opined that it closely resembles APT41’s StealthVector. Like StealthVector, DodgeBox is a shellcode loader written in C that can be configured with various features – including “decrypting and loading embedded DLLs, conducting environment checks and bindings, and executing cleanup procedures.”

DodgeBox, however, “incorporates significant improvements in its implementation” compared to StealthVector, Chang and Singh assert. Some of DodgeBox’s capabilities include encryption – it uses AES Cipher Feedback (AES-CFB) mode for encrypting its configuration. It also performs a series of environmental checks to ensure it has hit the correct target and has the right privileges to ensure maximum access to the victim’s system.

Plus, it takes a series of steps to evade detection, including call stack spoofing, and then executes cleanup procedures to remove itself from the victim’s system.

“What sets DodgeBox apart from other malware is its unique algorithms and techniques,” Chang and Singh wrote.

As part of the setup process, the malware resolves multiple APIs, we’re told. It also performs environment checks to ensure it has hit the correct target. “Notably, DodgeBox employs a salted FNV1a hash for DLL and function names,” the researchers observed.

This salted hash helps it evade static detections, and also allows different DodgeBox samples to use distinct values for the same DLL and function, the two explained. The malware then scans DLLs and checks to see if Windows Control Flow Guard (CFG) is enabled. This is a security feature that prevents memory corruption vulnerabilities in Windows applications – if it is enabled, the malware attempts to disable it.

Finally, it performs checks to verify that it is configured correctly, and running with system privileges. If those conditions aren’t met, the malware terminates.

Otherwise, assuming it’s still a go after these checks, DodgeBox enters the final phase and decrypts its payload: the MoonWalk backdoor, which it drops as a DAT file on the infected machine.

Zscaler promises to provide more detail on what the MoonWalk backdoor actually enables in the second part of its blog post, which is unpublished at time of writing. All it reveals in part one is that the backdoor “shares many evasion techniques implemented in DodgeBox and utilizes Google Drive for command-and-control (C2) communication.” ®

READ MORE HERE