Threat ActorAPT41
Description
APT41 (also known as BARIUM, BRASS TYPHOON, WICKED PANDA) is attributed to The People's Republic of China. APT41's modus operandi is to perform cyber espionage, espionage and financial gain activities benefiting the nation state. APT41's toolkit has been observed using tools exclusive to China-based APT groups.
Sectors observed under attack were the video game industry - development studios, distributors, and publishers. Other verticals observed were attacks on the gambling sector. The group has targeted multiple countries and appears to be focused primarily on the United States; mostly gathering surveillance data and compromising its supply chains. In September of 2020, the United States Department of Justice brought charges against five Chinese nationals and two Malaysian nationals connected to APT41 for various computer-related crimes against more than 100 companies globally.
Known threat actors related to APT41 are:
APT 15
APT 17
APT 20
APT 40
Aliases
- TA415
- Wicked Panda
- Brass Typhoon
- Amoeba
- Blackfly
- Earth Freybug
- GroupCC
- APT41
- Earth Longzhi
- Winnti
- LEAD
- Red Kelpie
- Axiom
- Earth Baku
- BARIUM
- Double Dragon
- Bronze Atlas
- TG-2633
- HOODOO
- Wicked Spider
- Grayfly
- SparklingGoblin
- Fishmaster (TAG-22)
Common Vulnerabilities and Exposures
Targeted Industries
- Aerospace & Defense
- Automotive
- Delivery & Logistics
- Education
- Finance
- Government
- Healthcare Services
- Hospitality
- Manufacturing
- Media & Internet
- Pharmaceuticals
- Retail
- Software
- Telecommunications
- Transportation
Objectives
Cyber Espionage and Financial Gain
Known Tools Used
- ANTSword
- Araneida Scanner
- ASPXSpy
- BITSAdmin
- BlackCoffee
- BlueBeam
- certutil
- Checkout
- ChinaChop
- Cobalt Strike beacons
- ColdJava
- DeadEye
- DeepData
- Derusbi
- DragonEgg
- dsquery
- DustPan
- DustTrap
- Empire
- EvilNugget
- fscan
- FTP
- Gh0st RAT
- HighNoon
- HomeUnix
- ipconfig
- JumpAll
- KeyPlug
- Lifeboat
- LightSpy
- Lowkey
- MessageTap
- Mimikatz
- MoonBounce
- net
- netstat
- njRAT
- Photo
- Pillager
- PineGrove
- PlugX
- PotRoast
- PowerSploit
- pwdump
- ransomware
- RawCopy
- RockBoot
- ShadowPad
- SOGU
- sqlmap
- SQLULDR2
- SweetCandle
- TOUGHPROGRESS
- Winnti for Linux
- WyrmSpy
- ZxShell
Known Infection Vectors
- CVE-2019-1652 (Cisco RV320 and RV325 Remote Command Injection Vulnerability)
- CVE-2019-1653 (Cisco RV320 and RV325 Remote Command Injection Vulnerability)
- CVE-2019-19781 (Citrix ADC and Gateway Remote Code Execution Vulnerability)
- CVE-2020-10189 (Zoho ManageEngine Desktop Central Remote Code Execution Vulnerability)
- CVE-2021-44207 (USAHERDS Hard-coded Credentials Vulnerability)
- CVE-2021-44228 (Apache Log4j2 Remote Code Execution Vulnerability (Log4Shell))
- CVE-2024-23108 (FortiSIEM API element Command Injection Vulnerability)
- CVE-2024-23109 (FortiSIEM Remote Unauthenticated OS Command Injection Vulnerability)
- Spear Phishing
- SQL Injection
- Supply chain attacks
- Various exploits
- including zero-day
- Watering Holes
References
APT 41 (MITRE)
https://attack.mitre.org/groups/G0096/
Double Dragon (Wikipedia)
https://en.wikipedia.org/wiki/Double_Dragon_(hacking_group)
APT 41 Group (FBI)
https://www.fbi.gov/wanted/cyber/apt-41-group
APT41 (Health Sector Cybersecurity Coordination Center)
https://www.hhs.gov/sites/default/files/apt41.pdf
APT41 and Recent Activity (Health Sector Cybersecurity Coordination Center)
https://www.hhs.gov/sites/default/files/apt41-recent-activity.pdf
HC3: Threat Profile, Report: 202308161700 (Health Sector Cybersecurity Coordination Center)
https://www.hhs.gov/sites/default/files/china-based-threat-actor-profiles-tlpclear.pdf
