Kaspersky Managed Detection and Response experts observed a cyber espionage attack on a Southern African organization and linked it to the Chinese-speaking group APT41. Although the threat actor has shown limited activity in Southern Africa, this incident reveals that the attackers targeted government IT services in one of the countries in the region, attempting to steal sensitive corporate data, including credentials, internal documents, source code, and communications. They deployed several stealers, including Pillager and Checkout.
Based on retrospective threat hunting analysis, Kaspersky experts concluded that the attackers may have gained access to the organization's network through a web server exposed to the internet. Using a credential harvesting technique known as registry dumping (saving copies of the registry hives that store local account hashes and cached secrets), the attackers obtained two corporate domain accounts: one with local administrator rights on all workstations and another belonging to a backup solution, which had domain administrator privileges. These accounts allowed the attackers to compromise additional systems within the organization.
The adversaries' TTPs (tactics, techniques and procedures) and the C2 infrastructure observed during the attack allowed Kaspersky to attribute it to the Chinese-speaking APT41[1] group with high confidence. It is noteworthy that APT41 has historically shown limited activity in the Southern African region. The primary goal of the attack was cyber espionage, which is typical for this actor: the attackers attempted to collect sensitive data from the machines they compromised within the organization's network.
One of the stealers used for data collection was a modified Pillager utility, designed for exporting and decrypting data. The attackers rebuilt it from a standalone executable into a Dynamic Link Library (DLL). With it, they aimed to gather saved credentials from browsers, databases and administrative tools, as well as project source code, screenshots, active chat sessions and their data, email correspondence, lists of installed software, operating system credentials, Wi-Fi credentials, and other information.
The second stealer used during the attack was Checkout. In addition to saved credentials and browser history, it could also collect information on downloaded files and browser-stored credit card data. The attackers also used the RawCopy utility and a version of Mimikatz compiled as a DLL to dump registry hive files and credentials, as well as Cobalt Strike for C2 communication on compromised hosts.
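The registry dumping described above leaves a recognisable trace in process-creation telemetry: either reg.exe saving a hive to a file, or a tool such as RawCopy naming the locked hive files under the Windows directory. The following is an added hunting example, not Kaspersky's code and not the exact commands from the incident. The events are constructed (a simplified stand-in for Windows Security event 4688 or Sysmon event 1), and the host names, user names, the path `C:\Windows\Temp` and the copier name `rc.exe` are illustrative assumptions.

```python
"""
Hunting for registry hive dumping in process-creation telemetry.

Added example for this page, not Kaspersky's code: it does not reproduce the
exact commands from the incident. Events are constructed; the fields
(host, user, image, cmdline) are a simplified stand-in for Windows Security
event 4688 or Sysmon event 1. Host/user names, the path C:\\Windows\\Temp and
the tool name rc.exe are illustrative assumptions.
"""
import ntpath

# Hives that hold local account hashes (SAM), LSA secrets (SECURITY) and the
# boot key needed to decrypt both (SYSTEM). An attacker needs SYSTEM plus at
# least one of the other two, so a pair is far more telling than one hive.
HIVE_NAMES = ("sam", "security", "system")

SAMPLE_EVENTS = [  # constructed telemetry, not from the incident
    {"host": "WS-0117", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"},
    {"host": "WS-0117", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKEY_LOCAL_MACHINE\\SYSTEM C:\\Windows\\Temp\\sys.hiv"},
    {"host": "SRV-FILE01", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\rc.exe",
     "cmdline": "rc.exe /FileNamePath:C:\\Windows\\System32\\config\\SECURITY "
                "/OutputPath:C:\\Users\\Public"},
    {"host": "WS-0042", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"host": "SRV-BACKUP", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Program Files\\Backup\\agent.exe",
     "cmdline": "agent.exe --volume C:\\ --snapshot"},
]


def _norm(cmd):
    """Lower-case and collapse the long HKLM spelling so rules see one form."""
    return cmd.lower().replace("hkey_local_machine", "hklm")


def hives_in(cmd):
    """Hive names referenced either as registry keys or as on-disk hive files."""
    cmd = _norm(cmd)
    return {n for n in HIVE_NAMES
            if f"hklm\\{n}" in cmd or f"\\config\\{n}" in cmd}


def classify(event):
    """Rule names that fire on a single event (empty list when none)."""
    hits = []
    cmd = _norm(event["cmdline"])
    tokens = [t.strip('"') for t in cmd.split()]
    image = ntpath.basename(event["image"]).lower()
    # Rule 1: reg.exe writing a credential-bearing hive out to a file.
    if (image == "reg.exe" and len(tokens) >= 3
            and tokens[1] in ("save", "export")
            and any(tokens[2].startswith(f"hklm\\{n}") for n in HIVE_NAMES)):
        hits.append("reg_hive_save")
    # Rule 2: a binary outside %SystemRoot% naming the hive files on disk.
    # Those files are locked while Windows runs; tools such as RawCopy read
    # them through the raw volume, which is why the path shows up verbatim.
    if (any(f"\\config\\{n}" in cmd for n in HIVE_NAMES)
            and not event["image"].lower().startswith("c:\\windows\\")):
        hits.append("raw_hive_file_access")
    return hits


def hunt(events):
    """Aggregate rule hits per (host, user); add 'hive_pair_collected' when
    one principal touched two or more hives, the combination that actually
    yields decryptable credentials."""
    findings, hives_seen = {}, {}
    for ev in events:
        rules = classify(ev)
        if not rules:
            continue
        key = (ev["host"], ev["user"])
        findings.setdefault(key, set()).update(rules)
        hives_seen.setdefault(key, set()).update(hives_in(ev["cmdline"]))
    for key, hives in hives_seen.items():
        if len(hives) >= 2:
            findings[key].add("hive_pair_collected")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for (host, user), rules in hunt(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {', '.join(rules)}")
```

The second rule is deliberately keyed on the image path rather than a tool name, because a renamed or recompiled copier (the attackers here rebuilt their tooling as DLLs) still has to name the hive file it wants. In a real SOC the per-principal aggregation would run over a time window; the aggregation step is where the backup account's reuse across hosts becomes visible.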
“Interestingly, as one of their C2 communication channels besides Cobalt Strike, the attackers chose the SharePoint server within the victim's infrastructure. They communicated with it using custom C2 agents connected with a web shell. They may have chosen SharePoint because it was an internal service already present in the infrastructure and unlikely to raise suspicion. Moreover, in that case, it probably offered the most convenient way to exfiltrate data and control compromised hosts through a legitimate communication channel”, explains Denis Kulik, Lead SOC Analyst at Kaspersky Managed Detection and Response service.
“In general, defending against such sophisticated attacks is impossible without comprehensive expertise and continuous monitoring of the entire infrastructure. It is essential to maintain full security coverage across all systems with solutions capable of automatically blocking malicious activity at an early stage — and to avoid granting user accounts excessive privileges.”
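A web shell on an internal SharePoint server blends into legitimate traffic, but agents that poll it behave differently from users: they POST to one script page on a timer. The following is an added detection example, not Kaspersky's code and not the agents or web shell from the incident. The IIS W3C log lines are constructed with a reduced field set; the URI `/_layouts/15/sync.aspx`, the client addresses and the allowlisted prefixes are illustrative assumptions (in practice the allowlist comes from a clean baseline period on the same farm).

```python
"""
Spotting a web-shell C2 channel on an internal SharePoint server from IIS logs.

Added example for this page, not Kaspersky's code; it does not reproduce the
agents or web shell from the incident. The log lines are constructed in IIS
W3C format with a reduced field set; the URI /_layouts/15/sync.aspx, the
client addresses and the allowlist entries are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-14 09:00:00 POST /_layouts/15/sync.aspx - 10.20.30.40 Mozilla/5.0 200
2025-07-14 09:00:05 POST /_vti_bin/client.svc/ProcessQuery - 10.20.31.7 Mozilla/5.0 200
2025-07-14 09:01:00 POST /_layouts/15/sync.aspx - 10.20.30.40 Mozilla/5.0 200
2025-07-14 09:01:59 POST /_layouts/15/sync.aspx - 10.20.30.40 Mozilla/5.0 200
2025-07-14 09:02:15 POST /_vti_bin/client.svc/ProcessQuery - 10.20.31.7 Mozilla/5.0 200
2025-07-14 09:02:22 POST /_vti_bin/client.svc/ProcessQuery - 10.20.31.7 Mozilla/5.0 200
2025-07-14 09:03:00 POST /_layouts/15/sync.aspx - 10.20.30.40 Mozilla/5.0 200
2025-07-14 09:03:10 GET /_layouts/15/start.aspx - 10.20.31.7 Mozilla/5.0 200
2025-07-14 09:04:02 POST /_layouts/15/sync.aspx - 10.20.30.40 Mozilla/5.0 200
2025-07-14 09:05:01 POST /_layouts/15/sync.aspx - 10.20.30.40 Mozilla/5.0 200
2025-07-14 09:07:22 POST /_vti_bin/client.svc/ProcessQuery - 10.20.31.7 Mozilla/5.0 200
"""

# Endpoints that SharePoint clients legitimately POST to. In practice this
# list comes from a baseline period on the same farm; here it is assumed.
KNOWN_POST_PREFIXES = ("/_vti_bin/", "/_api/")
# Extensions ASP.NET executes: a script page outside the baseline is the kind
# of file a web shell is.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def parse_w3c(text):
    """Parse IIS W3C lines using the #Fields header, so column order is not hard-coded."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                          "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records


def analyse(records, min_hits=4, max_cv=0.2):
    """Flag (client, uri) pairs that POST to a non-baseline script page on a
    near-fixed cadence. A polling agent produces inter-arrival times with a
    low coefficient of variation (stdev / mean); human-driven traffic does not."""
    groups = defaultdict(list)
    for r in records:
        uri = r["cs-uri-stem"].lower()
        if (r["cs-method"] == "POST" and uri.endswith(SCRIPT_EXTENSIONS)
                and not uri.startswith(KNOWN_POST_PREFIXES)):
            groups[(r["c-ip"], uri)].append(r["ts"])
    findings = []
    for (client, uri), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # log order is not guaranteed to be time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"client": client, "uri": uri, "hits": len(stamps),
                             "mean_interval": avg, "cv": cv})
    return findings


if __name__ == "__main__":
    for f in analyse(parse_w3c(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['uri']}: {f['hits']} POSTs every "
              f"{f['mean_interval']:.0f}s (cv={f['cv']:.2f})")
```

On the constructed log the client at 10.20.30.40 is reported for six POSTs to the unknown page about every 60 seconds, while the irregular ProcessQuery calls from 10.20.31.7 are ignored. An agent that randomises its sleep (jitter) raises the coefficient of variation, so the cadence check should be paired with the simpler signal that the target page itself is not in the baseline; listing newly created script files under the SharePoint web roots is the complementary host-side check.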
APT41 specializes in cyber espionage and targets organizations across various industries, including telecommunications providers, educational and healthcare institutions, IT, energy, and other sectors, with known activity in at least 42 countries. A detailed analysis of the incident is available on Securelist. To mitigate or prevent similar attacks, organizations are advised to follow these best practices:
- Ensure that security agents are deployed on all workstations within the organization without exception, to enable timely incident detection and minimize potential damage.
- Review and control service and user account privileges, avoiding excessive rights assignments, especially for accounts used across multiple hosts within the infrastructure.
- To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and the response capabilities of EDR and XDR for organizations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements change.
- Adopt managed security services by Kaspersky such as Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, covering the entire incident management cycle, from threat identification to continuous protection and remediation. They help to protect against evasive cyberattacks, investigate incidents and get additional expertise even if a company lacks cybersecurity workers.
- Provide your InfoSec professionals with in-depth visibility into cyberthreats targeting your organization. The latest Kaspersky Threat Intelligence will provide them with rich and meaningful context across the entire incident management cycle and help them identify cyber risks in a timely manner.
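The privilege-review recommendation above is what the incident turned on: a backup account with domain administrator rights and a second account with local administrator rights on every workstation gave the attackers reach across the estate once one host was compromised. Logon telemetry makes both patterns visible before an attacker uses them. The following is an added audit example, not Kaspersky's code; the logon records (a simplified stand-in for Windows Security event 4624), the host inventory and the group memberships are constructed, and every account and host name is an illustrative assumption.

```python
"""
Audit of account reach and privilege tiering from logon telemetry.

Added example for this page, not Kaspersky's code. The logon records (a
simplified stand-in for Windows Security event 4624), the host inventory and
the group membership are constructed; account and host names are assumptions.
"""
from collections import defaultdict

# Logon types that leave reusable credentials in LSASS on the target host.
INTERACTIVE_TYPES = {2, 10}   # 2 = console, 10 = RDP
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

INVENTORY = {  # host -> role, constructed
    "DC01": "dc", "SRV-FILE01": "server", "SRV-BACKUP": "server",
    **{f"WS-{i:04d}": "workstation" for i in range(1, 200)},
}
GROUPS = {  # account -> groups, constructed
    "svc-backup": {"Domain Admins", "Backup Operators"},
    "da-admin": {"Domain Admins"},
    "it-helpdesk": {"Helpdesk"},
    "alice": {"Domain Users"},
}


def _logon(account, host, logon_type):
    return {"account": account, "host": host, "logon_type": logon_type}


SAMPLE_LOGONS = (  # constructed; not from the incident
    [_logon("svc-backup", f"WS-{i:04d}", 3) for i in range(1, 7)]
    + [_logon("svc-backup", "SRV-FILE01", 3), _logon("svc-backup", "WS-0117", 2)]
    + [_logon("it-helpdesk", f"WS-{i:04d}", 10) for i in range(10, 16)]
    + [_logon("alice", "WS-0042", 2), _logon("da-admin", "DC01", 2)]
)


def _is_privileged(account, groups):
    return bool(groups.get(account, set()) & PRIVILEGED_GROUPS)


def audit(logons, inventory, groups, max_hosts=5):
    """Return findings as (severity, account, rule, detail) tuples, sorted.

    broad_reach    : one account seen on more than max_hosts distinct hosts.
                     Compromising that account, or any host that caches it,
                     becomes access to all of them.
    tier_violation : a member of a privileged group logged on interactively
                     to a workstation, leaving domain-admin credentials on
                     the least trusted tier of the network.
    """
    hosts_by_account = defaultdict(set)
    findings = []
    for ev in logons:
        acct, host = ev["account"], ev["host"]
        hosts_by_account[acct].add(host)
        if (_is_privileged(acct, groups)
                and ev["logon_type"] in INTERACTIVE_TYPES
                and inventory.get(host) == "workstation"):
            findings.append(("high", acct, "tier_violation",
                             f"interactive logon on {host}"))
    for acct, hosts in hosts_by_account.items():
        if len(hosts) > max_hosts:
            sev = "high" if _is_privileged(acct, groups) else "medium"
            findings.append((sev, acct, "broad_reach", f"{len(hosts)} hosts"))
    return sorted(findings)


if __name__ == "__main__":
    for sev, acct, rule, detail in audit(SAMPLE_LOGONS, INVENTORY, GROUPS):
        print(f"[{sev}] {acct}: {rule} ({detail})")
```

On the constructed data the backup service account is flagged twice (eight hosts, plus a console logon on a workstation), and the helpdesk account is flagged for breadth alone. The fix the page points at is the same in both cases: a backup account should not be a domain administrator, and an account that must reach every workstation should be one whose compromise does not extend to servers or domain controllers.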
Kaspersky Managed Detection and Response service monitors suspicious activity and helps organizations respond swiftly to minimize impact. This is a part of Kaspersky Security Services, a team delivering hundreds of information security projects every year for Fortune Global 500 organizations: incident response, managed detection, SOC consulting, red teaming, penetration testing, application security, digital risks protection.
[1] APT (Advanced Persistent Threat) is a category of threat actors known for carrying out concerted, stealthy, and ongoing attacks against specific organizations, as opposed to opportunistic, isolated incidents that account for most cybercriminal activity.