Blackberry’s Research and Intelligence Team has uncovered three phishing schemes targeting Indian nationals, and says a Chinese state-sponsored malware gang is the culprit.
Blackberry identified the responsible party as APT41 – a prolific Chinese state-sponsored cyberthreat group that has carried out what FireEye called “espionage activity in parallel with financially motivated operations” since at least 2012. The group targets many industries, including travel, telecommunications, healthcare, news, and education.
Blackberry says it joined the dots between the phishing in India and APT41 by monitoring previously documented activity involving Cobalt Strike, a commercial adversary-simulation tool that is widely abused by real attackers. The activity Blackberry spotted used a bespoke, malleable command-and-control (C2) profile that resembled profiles seen in other attacks.
The researchers found sufficient grounds to associate past and new campaigns by identifying nearly identical HTTP GET profile blocks and mapping out similarities in Beacon configuration data. A few clusters with unique configuration metadata suggested association with APT41.
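The kind of pivot described above, matching Beacon samples on shared configuration fields and grouping the ones that agree on enough of them, looks roughly like the following. This is an added example, not Blackberry's tooling; the field names follow the output style of open-source Beacon config extractors such as SentinelOne's CobaltStrikeParser, and every record, weight and threshold below is constructed for illustration rather than taken from any real sample.

```python
"""Link Cobalt Strike Beacon samples by comparing extracted configuration fields.

Added example, not BlackBerry's code. Field names mimic open-source Beacon
config extractors; the records are constructed and use the reserved .test TLD.
"""
from itertools import combinations

# Per-field weight of an exact match (assumed values). Operator-bound fields
# (team server public key, licence watermark) and profile-derived fields
# (HTTP GET metadata transform, URIs, User-Agent) are hard to change by
# accident; the C2 host is cheap to rotate, so on its own it proves little.
FIELD_WEIGHTS = {
    "PublicKey_MD5": 4,
    "Watermark": 3,
    "HttpGet_Metadata": 3,
    "HttpGet_Uri": 2,
    "HttpPostUri": 2,
    "UserAgent": 2,
    "C2Server": 1,
}
LINK_THRESHOLD = 6  # assumed cut-off: one strong field alone is not a link

# Constructed sample configs. A and B come from different team servers and
# hosts but share the same malleable profile and licence; C is unrelated.
SAMPLE_CONFIGS = {
    "beacon_A": {
        "PublicKey_MD5": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
        "Watermark": 305419896,
        "HttpGet_Metadata": "base64url;prepend:SESSIONID=;header:Cookie",
        "HttpGet_Uri": "/api/v1/status",
        "HttpPostUri": "/api/v1/submit",
        "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:91.0",
        "C2Server": "update-mlcrosoft.test",
    },
    "beacon_B": {
        "PublicKey_MD5": "ffeeddccbbaa99887766554433221100",
        "Watermark": 305419896,
        "HttpGet_Metadata": "base64url;prepend:SESSIONID=;header:Cookie",
        "HttpGet_Uri": "/api/v1/status",
        "HttpPostUri": "/api/v1/submit",
        "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:91.0",
        "C2Server": "login-micosoft.test",
    },
    "beacon_C": {
        "PublicKey_MD5": "123456789abcdef0123456789abcdef0",
        "Watermark": 0,
        "HttpGet_Metadata": "netbios;header:Accept-Language",
        "HttpGet_Uri": "/jquery-3.3.1.min.js",
        "HttpPostUri": "/jquery-3.3.2.min.js",
        "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:91.0",
        "C2Server": "cdn.example-static.test",
    },
}


def similarity(cfg_a, cfg_b, weights=FIELD_WEIGHTS):
    """Weighted count of fields with identical values; also returns the fields."""
    score, shared = 0, []
    for field, weight in weights.items():
        value_a, value_b = cfg_a.get(field), cfg_b.get(field)
        if value_a is not None and value_a == value_b:
            score += weight
            shared.append(field)
    return score, shared


def linked_pairs(configs, threshold=LINK_THRESHOLD):
    """Every pair of samples whose similarity reaches the threshold."""
    pairs = []
    for name_a, name_b in combinations(sorted(configs), 2):
        score, shared = similarity(configs[name_a], configs[name_b])
        if score >= threshold:
            pairs.append((name_a, name_b, score, shared))
    return pairs


def cluster(configs, threshold=LINK_THRESHOLD):
    """Union-find over linked pairs, so A~B and B~C put A, B, C together."""
    parent = {name: name for name in configs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for name_a, name_b, _score, _shared in linked_pairs(configs, threshold):
        parent[find(name_a)] = find(name_b)

    groups = {}
    for name in configs:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(group) for group in groups.values())


if __name__ == "__main__":
    for a, b, score, shared in linked_pairs(SAMPLE_CONFIGS):
        print(f"{a} <-> {b}: score {score}, shared {shared}")
    print(cluster(SAMPLE_CONFIGS))
```

The weights encode the same judgement the researchers describe: a near-identical HTTP GET block plus matching URIs and licence watermark links two samples even when the operator has rotated the C2 host and rebuilt the team server, while a shared generic User-Agent on its own does not. Raise the threshold or drop the C2Server weight to zero if the feed contains many samples from rented, frequently recycled infrastructure.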
The attackers showed little variation in the domains used across their raids, with clear themes in their naming conventions. Some posed as legitimate Microsoft sites, replacing an “i” with an “l” or sometimes omitting a letter. Those similarities provided further hints of connections between campaigns.
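Lookalike domains of the sort described above can be hunted for mechanically: generate every variant of a brand name that drops one letter or swaps one visually confusable character, then check each candidate domain's registrable label against that table. The following is an added example, not Blackberry's tooling. It goes slightly beyond the article, which mentions only the i/l swap and a dropped letter, by also treating o/0 and m/rn as confusables; the brand list, confusable table and candidate domains are all assumptions, and every domain below uses the reserved .test TLD so none refers to real infrastructure.

```python
"""Flag domains that impersonate a brand via a dropped letter or a confusable swap.

Added example, not BlackBerry's code. Brand list, confusable table and the
candidate domains are constructed; the .test TLD is reserved and never resolves.
"""

# Single-character substitutions that look alike in many fonts (assumed list).
# The i -> l swap is the one the article describes; the rest are common extras.
CONFUSABLES = {"i": "l", "l": "i", "o": "0", "m": "rn"}

# Brands worth watching for (assumed). Extend to whatever the investigation covers.
BRANDS = ["microsoft", "office", "outlook", "windows"]


def build_lookalikes(brands=BRANDS, confusables=CONFUSABLES):
    """Map every one-edit lookalike token to (brand, explanation)."""
    table = {}
    for brand in brands:
        for i, ch in enumerate(brand):
            # one omitted letter
            table.setdefault(
                brand[:i] + brand[i + 1:], (brand, f"dropped '{ch}' at index {i}")
            )
            # one confusable substitution
            rep = confusables.get(ch)
            if rep:
                table.setdefault(
                    brand[:i] + rep + brand[i + 1:],
                    (brand, f"replaced '{ch}' with '{rep}' at index {i}"),
                )
    # Never flag a brand's own spelling as a lookalike of another brand.
    for brand in brands:
        table.pop(brand, None)
    return table


def registrable_label(domain):
    """Second-level label, lower-cased, with subdomains and TLD stripped.

    Assumption: single-label public suffixes only; 'example.co.uk' style
    suffixes would need a public-suffix list.
    """
    labels = domain.lower().strip().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain, table=None):
    """Findings for one domain: each hyphen-separated token is checked separately,
    so 'update-mlcrosoft.test' is caught even though the label is not the bare brand."""
    if table is None:
        table = build_lookalikes()
    findings = []
    for token in registrable_label(domain).split("-"):
        if token in table:
            brand, technique = table[token]
            findings.append(
                {"domain": domain, "token": token, "brand": brand, "technique": technique}
            )
    return findings


def scan(domains, table=None):
    """Run classify() over a list and flatten the findings."""
    if table is None:
        table = build_lookalikes()
    return [finding for domain in domains for finding in classify(domain, table)]


# Constructed candidate list: two typosquats in the article's style, one homoglyph
# variant, one legitimate-looking brand host, and one unrelated domain.
SAMPLE_DOMAINS = [
    "update-mlcrosoft.test",
    "login-micosoft.test",
    "rnicrosoft-support.test",
    "www.microsoft.test",
    "cdn.example-static.test",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_DOMAINS):
        print(f"{finding['domain']}: token '{finding['token']}' mimics "
              f"{finding['brand']} ({finding['technique']})")
```

Run this over passive-DNS or certificate-transparency output rather than a hand-typed list, and expect false positives from legitimate words that happen to be one edit from a brand (a dropped letter in a short brand name is especially noisy); the explanation string tells an analyst which edit fired so the hit can be triaged quickly.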
Through their investigation tactics, the Blackberry squad uncovered three phishing lures targeting Indian nationals, masquerading as government communications about taxes or COVID-19.
The phishing lures – a favourite APT41 tactic typically used in conjunction with information stealers, keyloggers and backdoors – loaded and executed Cobalt Strike Beacons on the target’s network. Once on the user’s machine, the implant blended in, using a customised malleable C2 profile to disguise its network traffic.
The three phishing lures came as PDFs that kept the user occupied while the malicious activity ran in the background. One used an embedded PowerShell script, one a self-extracting archive, and the third a zip file.
“We were able to uncover what we believe is additional APT41 infrastructure by taking these unique aspects and following the trail of digital breadcrumbs. Overlapping indicators of compromise (IOCs) linked the trail of our findings to those of two additional campaigns documented by Positive Technologies and Prevailion,” wrote Blackberry in a blog post.
“These findings show that the APT41 group is still regularly conducting new campaigns, and that they will likely continue to do so in the future,” Blackberry’s researchers warned. ®