APT41 Spinoff Expands Chinese Actor's Scope Beyond Asia

A China-backed threat group that's best known for targeting organizations in Asia with cyber espionage campaigns is furthering its reach into new geographies, including Europe, the Middle East and Africa (EMEA), with attacks that leverage new malware and living-off-the-land (LotL) techniques to broaden its footprint.

Earth Baku, yet another spinoff group associated with the highly prolific APT41, has recently been targeting organizations in Italy, Germany, the United Arab Emirates (UAE), and Qatar, and has been using command-and-control (C2) infrastructure based in Georgia and Romania, according to researchers at Trend Micro.

The regional shift represents a recent change of strategy for the APT41 advanced persistent threat actor, actively tracked since at least 2012 and which typically targets the Asia-Pacific region, according to a recent blog post by Trend Micro researchers Ted Lee and Theo Chen. Indeed, Mandiant also recently observed APT41 engaged in a sustained cyber espionage campaign against organizations in multiple sectors across the UK and countries in Europe in addition to Taiwan, one of the main countries in which it typically operates.

Other recent attacks in new regions also see the actor diversifying its malware and tactics with the use of public-facing applications such as IIS servers for initial access, and the deployment of the Godzilla webshell for persistence and command-and-control (C2), according to Trend Micro. Other loaders such as StealthVector and StealthReacher used in the campaign to deliver APT41's latest modular backdoor, SneakCross, demonstrate that Earth Baku is bolstering its capabilities to evade detection, the researchers noted.

Earth Baku also has been wielding several new post-exploitation tools that demonstrate the group comboing up both custom and publicly available tools — including the Rakshasa hardware backdoor, TailScale for persistence, and MEGAcmd for efficient data exfiltration — so the group can move larger volumes of stolen data more efficiently, the researchers observed.

What all of this means is that not only does APT41 have yet another subgroup doing its dirty work, but it also has an "evolving and increasingly sophisticated threat profile, which can potentially pose significant challenges for cybersecurity defenses," they noted in the post.

Evolving APT41 Tools & Tactics

APT41 in an umbrella descriptor for a dangerous collective of Chinese threat groups — variously referred to as Winnti, Wicked Panda, Barium, and Suckfly — that have stolen trade secrets, intellectual property, healthcare-related data, and other sensitive information from US organizations and entities around the word on behalf of the Chinese government. Four years ago, the US government indicted five members of APT41 for activities related to attacks on more than 100 companies worldwide. Still the group remains highly active, thanks in part to spinoffs like Earth Baku that keep its activity fresh with new tools and tactics.

Trend Micro tracked Earth Baku through a spate of recent attacks in EMEA that glean insight into new tactics and tools, including StealthVector. The malware is a customized backdoor loader the group is using to launch further binaries in stealth mode; it's also an update to one that was previously discovered in 2021, the researchers noted.

"Although it has changed little in terms of configuration structure, it now uses AES as its encryption algorithm instead of customized ChaCha20," they wrote. "In some variants, we also observed a code virtualizer being used for code obfuscation, making the malware more difficult to analyze. It also inherited other defense evasion techniques to make sure the backdoor components were executed stealthily."

Trend Micro also uncovered another malware, SneakCross, which is a modular backdoor that uses Google services for its C2 communication and Windows Fibers to evade detection from network-protection products and endpoint detection and response (EDR) solutions. The malware is likely a successor to APT41's previous modular backdoor, ScrambleCross; modularity allows the attacker "to easily update its capabilities, modify its behavior, and customize functionality for different scenarios," the researchers wrote.

Also notable about the latest Earth Baku attacks are post-exploitation activities that deploy a series of further tools to maintain persistence, scale privileges, and allow for discovery and exfiltration of data.

Protecting Environments From Sophisticated APTs

As APT41 continues to fortify its tools and tactics for more sophistication and agility, Trend Micro recommends that organizations shore up their defenses as well, using the principle of least privilege to restrict access to sensitive data and closely monitor user permissions. This will make it more challenging for attackers to move laterally within a corporate network, the researchers noted.

Defenders also should regularly update systems and applications, and enforce strict patch-management policies to address security gaps within their systems, as well as develop defensive measures to identify and mitigate threats in the event of a breach.

Further, by adopting what's called a "3-2-1 backup rule" and maintaining at least three copies of corporate data in two different formats — including an air-gapped copy stored off-site — organizations can ensure that data remains intact even in the event of a successful attack, the researchers said.