Hacker Group APT41 on Months-Long Quest Breaching the U.S. State Government Networks

Hacker Group APT41

The APT41 actors compromised six and counting U.S. state government networks starting May last year. APT41 conducted numerous exploits of public-facing web applications, including using notorious zero-day in Log4j, and leveraging a CVE-2021-44207 in USAHERDS web application, which is used in 18 states to monitor and report on animal health. Recent attacks are characterized by adversaries utilizing post-compromise tools like a downloader DeadEye that’s responsible for launching the LOWKEY backdoor.

Detecting Hacker Group APT41’s Activities

To ensure your organization is not on the list of APT41’s victims, use the following rules to detect suspicious commands of the APT41 group by modifying existing scheduled tasks that run under the context of SYSTEM:

APT-41’s DEADEYE Dropper Persistent Creations (via Cmdline)

Suspicious APT41 Execution by Modified Scheduled Task (via process creation)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, SentinelOne, Graylog, Regex Grep, CrowdStrike, Microsoft PowerShell, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.

The rules are aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactic with Scheduled Task/Job (T1053) as the primary technique.

The rules are provided by our keen Threat Bounty developers Kyaw Pyiyt Htet and Nattatorn Chuensangarun, keeping a close eye on emerging threats.

Adepts at cybersecurity are more than welcome to join the Threat Bounty program to tap into the power of the community and get rewarded for their threat detection content.

View Detections Join Threat Bounty

APT41’s U.S. Government Intrusions

APT41 is a notorious Chinese state-sponsored hacking group. The threat actor is also known as TA415, Double Dragon, Barium, GREF, Wicked Spider and Wicked Panda.

According to recent evidence, APT41 has breached at least six U.S. state government systems since 2021, and there are no signs of this months-long hacking campaign arriving at a cease-fire in the foreseeable future. Mandiant’ investigations revealed that APT41 actors have been actively targeting high-profile victims in 2021-22, mostly concentrating on U.S. government intrusions. APT41 deployed a number of novel approaches, evasive strategies, and capabilities, according to the report above. 

After gaining access to a network through a SQL injection vulnerability in a compromised application, adversaries breach the network using a brand new zero-day exploit. Once they are in the victim’s network, APT41 actors perform reconnaissance and credential harvesting activities. The gang also customized its malware to the surroundings of its victims, regularly updating the encoded data on a specific forum post, allowing the malware to get instructions from the attackers’ command and control server. To inhibit reverse engineering attempts, the APT enhanced the malware they use with VMProtect, also integrating another anti-analysis method by pairing a VMProtect packaged DeadEye into numerous disk sections.

In this day and age, threat prevention & detection is paramount. Continuous and growing pressure from state-sponsored threat actors from China and Russia on state-level networks asks for efficient measures to counter the adversaries. Sign up for free at SOC Prime’s Detection as Code platform to make threat detection easier, faster, and more efficient with industry’s best practices and shared expertise. The platform also enables SOC professionals to share detection content, take part in top-tier industry initiatives, and monetize their valuable input.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts