One Article Review

Home - The article:
Source: Mandiant
Identifier: 8539580
Publication date: 2024-07-18 14:00:00 (viewed: 2024-07-18 14:06:52)
Title: APT41 Has Arisen From the DUST
Text: Written by: Mike Stokkel, Pierre Gerlings, Renato Fontana, Luis Rocha, Jared Wilson, Stephen Eckels, Jonathan Lepore
Executive Summary

In collaboration with Google's Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom. APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period.

APT41 used a combination of ANTSWORD and BLUEBEAM web shells to execute DUSTPAN, which in turn loaded the BEACON backdoor for command-and-control communication. Later in the intrusion, APT41 leveraged DUSTTRAP, which led to hands-on-keyboard activity. APT41 used the publicly available tools SQLULDR2 to copy data from databases and PINEGROVE to exfiltrate data to Microsoft OneDrive.

Overview

Recently, Mandiant became aware of an APT41 intrusion where the malicious actor deployed a combination of ANTSWORD and BLUEBEAM web shells for persistence. These web shells were identified on a Tomcat Apache Manager server and had been active since at least 2023. APT41 used these web shells to execute certutil.exe to download the DUSTPAN dropper, which stealthily loads BEACON.

As the APT41 intrusion progressed, the group escalated its tactics by deploying the DUSTTRAP dropper. Upon execution, DUSTTRAP decrypts a malicious payload and executes it in memory, leaving minimal forensic traces. The decrypted payload was designed to establish communication channels either with APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activities with legitimate traffic.

The affected Google Workspace accounts have been successfully remediated to prevent further unauthorized access. Furthermore, APT41 leveraged SQLULDR2 to export data from Oracle databases and used PINEGROVE to systematically and efficiently exfiltrate large volumes of sensitive data from the compromised networks, transferring it to OneDrive for exfiltration and subsequent analysis.
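The overview above describes two behaviours that are visible in ordinary process-creation telemetry: a web shell on a Tomcat server launching certutil.exe to fetch the DUSTPAN dropper, and SQLULDR2 being run to bulk-export Oracle data. The following detection sketch is an added example written for this page; it is not code from Mandiant or from the report. The event schema, the process names in the allow/deny sets, and every sample event are constructed assumptions, and the rule simply walks each process's ancestry looking for a web-server host process, since a web shell's commands usually surface as cmd.exe (and then its children) under the servlet container.

```python
"""Detection sketch for two APT41 behaviours described in the report summary.

Constructed example: the ProcessEvent schema is modelled loosely on
process-creation telemetry (image, command line, ancestor chain). Field
names, process-name sets and sample events are assumptions, not data
taken from the Mandiant report.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Host processes of a Java web application (assumed names). A child of one of
# these on a Windows server is the usual footprint of web-shell command execution.
WEB_SERVER_PROCESSES = {"java.exe", "tomcat8.exe", "tomcat9.exe", "w3wp.exe"}

# Living-off-the-land utility the report names for the DUSTPAN download stage.
DOWNLOAD_UTILITIES = {"certutil.exe"}

# Command interpreters a web shell typically spawns first.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe"}

# Publicly available Oracle bulk-unload tool the report names for data theft.
DB_EXPORT_TOOLS = {"sqluldr2.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str                    # full path of the created process
    command_line: str
    ancestors: Tuple[str, ...]    # immediate parent first, then grandparent, ...


def _basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def spawned_by_web_server(event: ProcessEvent) -> bool:
    """True if any ancestor (not only the direct parent) is a web-server process."""
    return any(_basename(a) in WEB_SERVER_PROCESSES for a in event.ancestors)


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matches."""
    child = _basename(event.image)
    if child in DOWNLOAD_UTILITIES and spawned_by_web_server(event):
        return "web-shell-download"        # certutil.exe under Tomcat: DUSTPAN stage
    if child in INTERACTIVE_SHELLS and spawned_by_web_server(event):
        return "web-shell-command"         # cmd/powershell under Tomcat
    if child in DB_EXPORT_TOOLS:
        return "bulk-db-export"            # SQLULDR2 run anywhere is worth a look
    return None


def triage(events: Iterable[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, label, process) for every event that classifies as suspicious."""
    return [
        (e.host, label, _basename(e.image))
        for e in events
        if (label := classify(e)) is not None
    ]


# Constructed sample telemetry: two web-shell events, one export-tool run and one
# benign certutil use from an interactive desktop session.
SAMPLE_EVENTS = (
    ProcessEvent("web01", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
                 (r"C:\Program Files\Apache\Tomcat\bin\tomcat9.exe",
                  r"C:\Windows\System32\services.exe")),
    ProcessEvent("web01", r"C:\Windows\System32\certutil.exe",
                 "certutil.exe <constructed download arguments>",
                 (r"C:\Windows\System32\cmd.exe",
                  r"C:\Program Files\Apache\Tomcat\bin\tomcat9.exe")),
    ProcessEvent("db01", r"C:\Users\svc_ora\sqluldr2.exe",
                 "sqluldr2.exe <constructed export arguments>",
                 (r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe")),
    ProcessEvent("ws17", r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -verify cert.cer",
                 (r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe")),
)


if __name__ == "__main__":
    for host, label, image in triage(SAMPLE_EVENTS):
        print(f"{host}: {label} ({image})")
```

The ancestry walk is the important design choice: matching only the direct parent misses the certutil.exe event above, because the web shell first spawns cmd.exe and certutil.exe is its grandchild under Tomcat. The benign certutil.exe run from an interactive session on ws17 produces no finding, which keeps the rule from firing on routine certificate administration.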
Tags: Ransomware Malware Tool Threat Patching Medical Cloud
Stories: APT 41