APT-41 Details

Compiled 9/20/2020

China Based - APT 41 Group

Aliases: Wicked Spider, Wicked Panda, Barium, Winnti Group, Axiom, Blackfly

This group has hacked over 100 organizations. Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan and Fu Qiang have all been indicted by the US Department of Justice, but are still at large. The hackers worked at Chengdu 404 Network Technology Company as White Hat Hackers.

APT-41's most common entry points have been malware hidden inside fake resumes and supply chain hacks.

Examples of the supply chain hacks are the CCleaner and ASUS LiveUpdate software update processes.

APT-41 has also used vulnerabilities in Citrix and Pulse Secure VPN appliances to gain a foothold in their targets.

List of exploits used (per justice.gov press release):
  • CVE-2019-19781: Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances
  • CVE-2019-11510: In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 - arbitrary file reading vulnerability
  • CVE-2019-16920: Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends arbitrary input to a "PingTest" device common gateway interface that could lead to command injection
  • CVE-2019-16278: Directory traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request
  • CVE-2019-1652, CVE-2019-1653: Vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.
  • CVE-2020-10189: Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class.
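
Two of the CVEs above are defined purely by version ranges, so a defender's first question is which appliances in the inventory still sit inside them. The following is an added example, not part of the original notes or any vendor tool: it encodes the fixed versions stated above for CVE-2019-11510 (Pulse Connect Secure) and CVE-2020-10189 (Desktop Central) and checks a constructed inventory (hostnames and versions are invented) against them.

```python
import re
from typing import Optional

# Fixed versions exactly as stated in the CVE descriptions above. A Pulse
# Connect Secure build is affected if it is on one of these branches and
# older than the listed fix; versions use Pulse's "9.0R3.4" style.
PCS_FIXED = {"8.2": "8.2R12.1", "8.3": "8.3R7.1", "9.0": "9.0R3.4"}  # CVE-2019-11510
DESKTOP_CENTRAL_FIXED = "10.0.474"                                   # CVE-2020-10189


def parse_pcs(version: str) -> tuple:
    """Turn '9.0R3.2' into (9, 0, 3, 2) so tuples compare numerically.
    A bare '9.0' (no R release) sorts before any 9.0R build."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:R(\d+)(?:\.(\d+))?)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse Connect Secure version: {version!r}")
    major, minor, rel, patch = m.groups()
    return (int(major), int(minor), int(rel or 0), int(patch or 0))


def pcs_vulnerable(version: str) -> Optional[bool]:
    """True if the version is inside a CVE-2019-11510 affected range,
    False if it is at or after the fix, None if the branch is not listed."""
    branch = ".".join(version.split("R")[0].split(".")[:2])
    fixed = PCS_FIXED.get(branch)
    if fixed is None:
        return None
    return parse_pcs(version) < parse_pcs(fixed)


def desktop_central_vulnerable(build: str) -> bool:
    """CVE-2020-10189: any Desktop Central build before 10.0.474."""
    fixed = tuple(int(p) for p in DESKTOP_CENTRAL_FIXED.split("."))
    return tuple(int(p) for p in build.split(".")) < fixed


# Constructed sample inventory: hostnames and versions are invented.
INVENTORY = [
    ("vpn-edge-1", "pcs", "9.0R3.2"),
    ("vpn-edge-2", "pcs", "9.0R3.4"),
    ("vpn-legacy", "pcs", "8.3R7"),
    ("vpn-new", "pcs", "9.1R1"),
    ("dc-admin", "desktop_central", "10.0.461"),
]


def exposed_hosts(inventory=INVENTORY) -> list:
    """Return the hostnames whose version is inside an affected range."""
    hits = []
    for host, product, version in inventory:
        if product == "pcs" and pcs_vulnerable(version):
            hits.append(host)
        elif product == "desktop_central" and desktop_central_vulnerable(version):
            hits.append(host)
    return hits
```

Branches the CVE text does not list (such as 9.1 in the sample) come back as None rather than "safe", so they are left for a manual check instead of being silently ignored.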

APT-41 malicious payloads used:
  • ShadowPad - Backdoor
  • PipeMon - Backdoor
  • Winnti - Backdoor
  • PortReuse - Backdoor
  • AceHash - Credentials Harvester

This group monetized their hacking by hitting their targets with ransomware, stealing in-game currencies and assets, and mining cryptocurrencies. Two Malaysian nationals, Wong Ong Hua and Ling Yang Ching, were charged with assisting the hackers. The two worked for Sea Gamer Mall, a website that specializes in game cards and game currencies. According to the Sea Gamer Mall Twitter account, the two have been placed on temporary leave. https://twitter.com/SEAGM/status/1306490419161620480

Sources: