A recent report highlights the cyber espionage group APT41, tied to a series of malware campaigns that leverage COVID-themed phishing strategies to target individuals in India. This revelation comes from an analysis by the BlackBerry Research and Intelligence team, which has connected various aspects of the group’s operational infrastructure.
According to BlackBerry, the group employs state-sponsored deception tactics, exploiting public sentiment regarding the pandemic to ensnare victims. “The campaign lures victims by appealing to their desire for a swift return to normalcy,” the report states, noting that once infiltrated, the malware effectively conceals its network activity by using a custom profile.
APT41, also referred to as Barium or Winnti, has been in operation since at least 2012 and is notable for its dual missions: state-sponsored espionage and financially motivated cybercrime. The group targets multiple sectors, including healthcare and telecommunications, and has gained notoriety for its sustained access strategies and intellectual property theft. Mandiant, a cybersecurity firm, has dubbed this group “Double Dragon,” highlighting its dual motivations and extensive reach.
The BlackBerry findings build on previous research by Mandiant, which in March 2020 outlined a global intrusion campaign orchestrated by APT41 that exploited publicly known vulnerabilities in devices such as those from Cisco and Citrix. This earlier campaign facilitated the deployment of a Cobalt Strike Beacon, a post-exploitation implant known for blending its malicious network communications with legitimate traffic.
In its latest examination, BlackBerry discovered that a C2 profile linked to APT41 appeared on GitHub, used by a Chinese security researcher. This discovery points to a new cluster of domains that were actively screening traffic to mimic Microsoft communications. Such sophistication indicates potential overlaps in tactics with those seen in campaigns associated with the Higaisa APT group and Winnti.
Further analysis revealed malicious PDF files tied to this infrastructure, masquerading as government advisories or as information on tax legislation for non-resident Indians. These documents are believed to have served as the initial vector of compromise in phishing attacks.
The phishing tactics employed by APT41 involved using .LNK files or .ZIP archives, which, when accessed, displayed the malicious PDF while executing a Cobalt Strike Beacon in the background. Though prior incidents involving similar tactics were attributed to the Evilnum group, BlackBerry asserts that the indicators of compromise here align more closely with APT41’s methodologies.
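The decoy-plus-shortcut pattern described above gives defenders a concrete thing to look for at the mail gateway: an archive attachment carrying a Windows shortcut, especially one wearing a document-style double extension. The following is an added example written for this article, not code from BlackBerry's report or from the campaign itself; it inspects a ZIP attachment for members that carry the Shell Link (.LNK) header or a `.pdf.lnk`-style name. The archive contents, the member names and the `scan_zip_for_shortcuts` helper are all constructed here and are not indicators from the report.

```python
import io
import zipfile

# Windows Shell Link header: HeaderSize 0x0000004C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 in little-endian byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Document-type extensions that attackers place before ".lnk" so the file
# reads as a PDF or Office document to the user.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def is_lnk_header(data: bytes) -> bool:
    """True if the first bytes match the Shell Link header, regardless of name."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def scan_zip_for_shortcuts(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a shortcut lure.

    Each finding lists the member name and the reasons it was flagged:
      lnk-header        content starts with the Shell Link header
      lnk-extension     name ends in .lnk
      double-extension  name is <something>.<document-ext>.<other>
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            basename = info.filename.rsplit("/", 1)[-1].lower()
            reasons = []
            if is_lnk_header(head):
                reasons.append("lnk-header")
            if basename.endswith(".lnk"):
                reasons.append("lnk-extension")
            parts = basename.split(".")
            if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
                reasons.append("double-extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive (hypothetical names, not real campaign files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Shortcut disguised as a tax advisory PDF.
        zf.writestr("Tax_Advisory_NRI.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        # Benign member that should not be flagged.
        zf.writestr("readme.txt", b"benign text")
        # Shortcut content under an innocuous extension; caught by header only.
        zf.writestr("renamed.dat", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_for_shortcuts(build_sample_zip()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

Matching on the header rather than only the extension matters because the extension is the attacker's choice; the header is what Explorer actually uses to treat the file as a shortcut. A gateway rule built on this check would quarantine any inbound archive with a finding, and the same logic transfers to ISO or other container formats by swapping the archive reader.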
The research underscores the capabilities of a nation-state-level threat actor to create intricate networks, exhibiting a remarkable diversity in operational tactics. By aggregating publicly available intelligence, researchers emphasize the opportunity to unveil the hidden activities of these cybercriminals, a feat that often demands substantial resources and expertise.