China's hacking groups APT41, APT27 target Chinese state-sponsored

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here

A China state-sponsored threat group known as APT41 is observed compromising at least six U.S. state governments networks in a threat campaign beginning from May 2021. APT41 is a well-known Chinese state-sponsored espionage outfit that targets companies in both the public and commercial sectors and engages in financially motivated behavior for personal benefit.

The threat group exploited two zero-day vulnerabilities, including one in the USAHerds program (CVE-2021-44207) and the now-famous zero-day in Log4j (CVE-2021-44228). After exploiting Log4Shell the actor deployed a new iteration of a modular C++ backdoor known as KEYPLUG on Linux systems. During the attacks, an in-memory dropper dubbed StealthVector was also spotted, which is coordinated to execute the next-stage payload, as well as sophisticated post-compromise tools like DEADEYE. During the espionage operation, adversaries stole personally identifying information from the organizations compromised.

The Mitre TTPs commonly used by APT41 are::

TA0001: Initial Access
TA0007: Discovery
TA0040: Impact
TA0009: Collection
TA0005: Defense Evasion
TA0003: Persistence
TA0011: Command and Control
TA0042: Resource Development
TA0002: Execution
TA0008: Lateral Movement
TA0006: Credential Access
TA0029: Privilege Escalation
T1071.001: Application Layer Protocol: Web Protocols
T1071.002: Application Layer Protocol: File Transfer Protocols
T1071.004: Application Layer Protocol: DNS
T1560.001: Archive Collected Data: Archive via Utility
T1197: BITS Jobs
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1110.002: Brute Force: Password Cracking
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1059.004: Command and Scripting Interpreter: Unix Shell
T1136.001: Create Account: Local Account
T1543.003: Create or Modify System Process: Windows Service
T1486: Data Encrypted for Impact
T1005: Data from Local System
T1568.002: Dynamic Resolution: Domain Generation Algorithms
T1546.008: Event Triggered Execution: Accessibility Features
T1480.001: Execution Guardrails: Environmental Keying
T1190: Exploit Public-Facing Application
T1203: Exploitation for Client Execution
T1133: External Remote Services
T1083: File and Directory Discovery
T1574.001: Hijack Execution Flow: DLL Search Order Hijacking
T1574.002: Hijack Execution Flow: DLL Side-Loading
T1574.006: Hijack Execution Flow: Dynamic Linker Hijacking
T1070.001: Indicator Removal on Host: Clear Windows Event Logs
T1070.003: Indicator Removal on Host: Clear Command History
T1070.004: Indicator Removal on Host: File Deletion
T1105: Ingress Tool Transfer
T1056.001: Input Capture: Keylogging
T1036.004: Masquerading: Masquerade Task or Service
T1036.005: Masquerading: Match Legitimate Name or Location
T1112: Modify Registry
T1104: Multi-Stage Channels
T1046: Network Service Scanning
T1135: Network Share Discovery
T1027: Obfuscated Files or Information
T1588.002: Obtain Capabilities: Tool
T1003.001: OS Credential Dumping: LSASS Memory
T1566.001: Phishing: Spearphishing Attachment
T1542.003: Pre-OS Boot: Bootkit
T1055: Process Injection
T1090: Proxy
T1021.001: Remote Services: Remote Desktop Protocol
T1021.002: Remote Services: SMB/Windows Admin Shares
T1496: Resource Hijacking
T1014: Rootkit
T1053.005: Scheduled Task/Job: Scheduled Task
T1218.001: Signed Binary Proxy Execution: Compiled HTML File
T1218.011: Signed Binary Proxy Execution: Rundll32
T1553.002: Subvert Trust Controls: Code Signing
T1195.002: Supply Chain Compromise: Compromise Software Supply Chain
T1016: System Network Configuration Discovery
T1049: System Network Connections Discovery
T1033: System Owner/User Discovery
T1569.002: System Services: Service Execution
T1078: Valid Accounts
T1102.001: Web Service: Dead Drop Resolver
T1047: Windows Management Instrumentation