"China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload"

An investigation into the activities of China-backed Advanced Persistent Threat (APT) actor APT41, also known as Winnti, Wicked Panda, Barium, and Blackfly, has revealed that the group employs a unique method for deploying its main Cobalt Strike payload on victim systems. Group-IB researchers found that the adversary conducts reconnaissance using various dual-use tools. Group-IB has identified at least 13 major organizations worldwide that were compromised in four separate campaigns, with the APT gaining differing degrees of access. Victims included government, healthcare, manufacturing, logistics, hospitality, and media organizations in the US, China, India, Taiwan, and Vietnam. The security vendor concluded that the actual number of APT41 victims could be much higher, based among other things on evidence of APT41-related activity at 80 private and government organizations in 2021. One notable aspect of the examined campaigns was APT41's habit of encoding its main custom Cobalt Strike binary in Base64 and then breaking it up into chunks of 775 characters, which are appended one at a time to a text file on the victim host. In one case, writing the entire payload required the threat actors to repeat the write 154 times. In another case, Group-IB researchers observed the actor splitting the code into 1,024-character chunks and writing it to a text file in 128 iterations. According to Nikita Rostovcev, an analyst with Group-IB's research team, it is unclear why APT41 adopted this approach, but it may be an attempt to stay undetected. Rostovcev adds that detecting the ruse is not difficult, especially since the end result is simply a Base64-encoded payload. This article continues to discuss recent findings surrounding APT41's tactics.
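The chunked-write pattern described above is easy to spot in process-creation telemetry once you key on it. The following is an added detection example written for this summary; it is not code from Group-IB or Dark Reading. It assumes the chunks were appended with shell `echo ... >> file` commands recorded in Sysmon-style command-line logs (an assumption; the report only states the chunk size and the number of writes), and the "payload" and log lines are constructed stand-ins, not a real Cobalt Strike beacon. The detector groups Base64-looking appends by destination file, flags files that receive many uniform-length chunks, and reassembles and decodes the whole thing to check for a PE header.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample data. The 775-character chunk size is from the report;
# the echo-append command form and the Sysmon-style log format are assumptions.
CHUNK_LEN = 775
FAKE_PAYLOAD = b"MZ" + bytes(range(256)) * 40   # constructed stand-in, 10,242 bytes, not a real beacon
_B64 = base64.b64encode(FAKE_PAYLOAD).decode()
SAMPLE_LOG = [
    'Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami',
] + [
    f'Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c echo {_B64[i:i + CHUNK_LEN]} >> C:\\Users\\Public\\dllhost.txt'
    for i in range(0, len(_B64), CHUNK_LEN)
] + [
    'Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c echo hello >> C:\\Temp\\notes.txt',
]

# echo <long run of Base64 alphabet> >> <destination>; 64+ chars skips ordinary echo usage
ECHO_APPEND = re.compile(r'echo\s+([A-Za-z0-9+/=]{64,})\s*>>\s*(\S+)', re.IGNORECASE)


def collect_chunks(lines):
    """Group Base64-looking echo-append commands by destination file, preserving order."""
    by_file = defaultdict(list)
    for line in lines:
        m = ECHO_APPEND.search(line)
        if m:
            by_file[m.group(2).lower()].append(m.group(1))
    return by_file


def decodes_alone(chunk):
    """Whether a single chunk is valid Base64 on its own.
    775 is not a multiple of 4, so per-command decoding fails; only the concatenation decodes."""
    try:
        base64.b64decode(chunk, validate=True)
        return True
    except binascii.Error:
        return False


def reassemble(chunks):
    """Concatenate all chunks written to one file, then decode once."""
    try:
        return base64.b64decode("".join(chunks), validate=True)
    except binascii.Error:
        return None


def detect(lines, min_chunks=8):
    """Return one finding per file that received many uniform-length Base64 chunks."""
    findings = []
    for path, chunks in collect_chunks(lines).items():
        if len(chunks) < min_chunks:
            continue
        uniform = len({len(c) for c in chunks[:-1]}) == 1   # last chunk may be shorter
        blob = reassemble(chunks)
        findings.append({
            "file": path,
            "chunks": len(chunks),
            "chunk_len": len(chunks[0]),
            "uniform": uniform,
            "decoded": blob is not None,
            "is_pe": blob is not None and blob[:2] == b"MZ",   # DOS/PE header check
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The thresholds are deliberately generic (count and uniformity of chunk length, not the specific 154 or 128 iterations), since the report shows the actor varying both chunk size and iteration count between cases. The `decodes_alone` check illustrates why a scanner that Base64-decodes each command line in isolation will miss this: a 775-character slice has no valid padding and only decodes after the pieces written to the same file are joined.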

Dark Reading reports "China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload"
