APT41’s PowerShell Backdoor Let Hackers Download & Upload Files From Windows

Researchers from ThreatMon uncovered a targeted PowerShell backdoor attack from APT41 that bypasses detection and allows the threat actors to execute commands, download and upload files, and gather sensitive information from compromised Windows systems.

Since 2012, the Chinese cyber espionage group APT41 (aka Wicked Panda) has used advanced tactics, techniques, and procedures (TTPs). They use custom-built malware and tools such as a PowerShell backdoor in their malicious arsenal.

Microsoft Windows includes the built-in scripting language PowerShell, which is used to manage system configurations and automate administrative tasks.

“By exploiting this functionality, APT41’s PowerShell backdoor circumvents conventional security measures, enabling it to infiltrate target systems,” Alp Cihangir ASLAN from the threat intelligence firm ThreatMon reported to Cyber Security News.

“The group is also known for using a wide range of sophisticated tools and techniques, including custom malware, supply chain attacks, and the exploitation of vulnerabilities in software and hardware.”

PowerShell Backdoor

APT41’s PowerShell backdoor is crafted to operate covertly and maintain its presence over extended periods, frequently featuring as a secondary payload in targeted assault scenarios.

Following installation, the backdoor empowers APT41 to perform the following illicit activities on the compromised systems:-

  • Execute commands
  • Download files
  • Upload files
  • Extract confidential data

The sophistication of APT41’s PowerShell backdoor underscores the importance of robust security measures for organizations to counter advanced threats.

Technical analysis

APT41’s notorious track record of high-profile cyber attacks, such as the 2017 Equifax data breach, demonstrates its sophistication and capabilities.

To evade detection and prevent reinfection, the malware employs a clever tactic by creating a mutex named ‘v653Bmua-53JCY7Vq-tgSAaiwC-SSq3D4b6’ before execution.

If mutex creation fails, the malware terminates with a return value of 1.

The malware initiates its execution process by systematically placing its payloads in the Windows Registry. The first payload is implemented using a LOLBin called “forfiles.exe.” 

These “living-off-the-land binaries”, or LOLBins, are genuine system tools that threat actors abuse to perform illicit activities.

The Forfiles tool, primarily used for searching files, can also execute commands, which makes it attractive for AV bypass via LOLBins.

A command is automatically executed during system login via the HKCU\Environment\UserInitMprLogonScript key for persistence.

Then, under “HKEY_CLASSES_ROOT\abcdfile\shell\open\command\abcd”, the obfuscated PowerShell payload is assembled using another LOLBin:-

  • SyncAppPublishingServer.vbs

The final payload is an unconventional PowerShell backdoor capable of infecting removable devices and utilizing Telegram as a C2 server.

The backdoor then transmits system information and the host’s IP address (obtained via ip-api) to the C2 server.
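As an added defensive example (not code from the ThreatMon report or the malware itself), the following PowerShell hunts a host for the two registry persistence locations described above. The `UserInitMprLogonScript` value and the `abcdfile` handler path come from the write-up; the list of binaries flagged inside a command string is an assumption.

```powershell
# Added hunting example (not from the ThreatMon report): read-only checks for the
# two registry persistence locations described above. Run as the user under
# investigation; HKCU is per user, so check each profile of interest.

# Binaries to flag inside a command string: the LOLBins named in the report plus
# PowerShell itself, which the chain ends in (this list is an assumption).
$SuspiciousBinaries = @('forfiles', 'SyncAppPublishingServer.vbs', 'powershell', 'pwsh')

function Test-SuspiciousCommand {
    param([string]$Command)
    foreach ($bin in $SuspiciousBinaries) {
        if ($Command -match [regex]::Escape($bin)) { return $true }   # -match is case-insensitive
    }
    return $false
}

$Findings = @()

# 1. UserInitMprLogonScript runs at every interactive logon; legitimate use is rare.
$envKey = 'HKCU:\Environment'
$logon = (Get-ItemProperty -Path $envKey -Name 'UserInitMprLogonScript' -ErrorAction SilentlyContinue).UserInitMprLogonScript
if ($logon) {
    $Findings += [pscustomobject]@{
        Location = "$envKey\UserInitMprLogonScript"
        Value    = $logon
        Reason   = $(if (Test-SuspiciousCommand $logon) { 'Logon script invokes LOLBin/PowerShell' } else { 'Logon script present (review)' })
    }
}

# 2. The 'abcdfile' ProgID is not a standard Windows file association, so its mere
#    presence is worth recording; the 'abcd' entry may be a value or a subkey, so
#    walk the key recursively. HKCR has no default PS drive; use the provider path.
$handler = 'Registry::HKEY_CLASSES_ROOT\abcdfile\shell\open\command'
if (Test-Path $handler) {
    $keys = @(Get-Item $handler) + @(Get-ChildItem -Path $handler -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $val   = [string]$key.GetValue($name)
            $label = if ($name) { $name } else { '(Default)' }
            $Findings += [pscustomobject]@{
                Location = "$($key.Name)\$label"
                Value    = $val
                Reason   = $(if (Test-SuspiciousCommand $val) { 'Handler invokes LOLBin/PowerShell' } else { 'Non-standard abcdfile handler' })
            }
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize -Wrap } else { 'No matching persistence artifacts found.' }
```

Any hit on the `abcdfile` key is worth a closer look regardless of its contents, since the ProgID has no legitimate Windows origin.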

Cybersecurity analysts at ThreatMon urged that proactive security practices are necessary for organizations to stay ahead of evolving malicious tactics.


Indicators Of Compromise (IOC)

  • SHA-256 HASH: bb3d35cba3434f053280fc2887a7e6be703505385e184da4960e8db533cf4428
  • SHA-256 HASH: d71f6fbc9dea34687080a2e12bf326966f6841d51294bd665261e07281459eeb
  • URL: hXXps://raw.githubusercontent[.]com/efimovah/abcd/main/xxx.gif
  • URL: hXXp://ip-api[.]com/json


Source: https://cybersecuritynews.com/apt41s-powershell-backdoor/
