Assertion on APTs' recent activities

Advanced Persistent Threats: recent targeted espionage and collaboration.

In this post we will look at matching patterns in the code of targeted malware used by APTs recently observed in organised cyber crime activities.

APT-C-41, APT40, APT28, APT39, APT29, UNC2452, UNC2546, APT37 and APT38.

Starting off with StrongPity and the Chinese APT tool SManager.

The entry functions of the malware from APT-C-41 and APT40 are quite similar. StrongPity uses an executable as its backdoor, whereas APT40 uses a .dll for the cyber espionage tool it deploys against its targets.

Entry function: espionage tool from the Chinese APT (APT40) and backdoor from APT-C-41 (StrongPity, Turkish APT).

Looking at the “system_info_fetcher” and “thread_ps_info_store” functions in both samples, we can conclude that these functions are responsible for fetching all the details of the system. Both functions are shown below.

System info fetching function: espionage tool from the Chinese APT (APT40) and backdoor from APT-C-41 (StrongPity, Turkish APT).

The function next to these in both samples is a sort of main function that performs the system triage via malicious DLL loading and file operations on the system. Both functions are shown below.

System triage function: espionage tool from the Chinese APT (APT40) and backdoor from APT-C-41 (StrongPity, Turkish APT).

MITRE ATT&CK Common Techniques [TTPs]

APT-C-41 (StrongPity, Turkish APT) TTPs.
APT40 (Chinese APT) TTPs.

Moving on to the next assertion on APTs collaboration.

Assertion of APT40 and APT28 collaboration, from the APT40 “SManager” backdoor and the APT28 “Zebrocy Nim Keylogger and ComRat”.

In the APT40 and APT28 samples (the SManager backdoor, the Zebrocy Nim keylogger and the ComRat remote access tool), the entry function is similar to the one in the previous assertion. What is interesting in this asserted collaboration is the way these samples communicate with the command and control (C&C) servers.

Communication with the C2 server: the upper call graph and function code are from SManager (APT40); the lower code and call graph are from ComRat (APT28).

MITRE ATT&CK Common Techniques [TTPs]

Left: ComRAT by APT28. Right: Zebrocy Nim by APT28 TTPs.
APT40 (Chinese APT) TTPs.

Moving on to the next assertion, on APT39 and UNC2452 collaboration.

This time the malware is written in .NET. The samples for this assertion are MuddyWater, from the Iranian APT group, and the malware observed in the targeted SolarWinds Orion hacks, Sunburst and SUPERNOVA.

The way these samples were developed shows several similar patterns.

Main activity function: on the right is the “ScreenConnect” function from the MuddyWater malware (APT39), and on the left is the “DynamicRun” function from the SUPERNOVA malware from UNC2452 (APT29).

MITRE ATT&CK Common Techniques [TTPs]

MuddyWater (APT39) malware TTPs.
SUPERNOVA UNC2452 (APT29) TTPs.

Moving on to the last assertion, on collaboration of UNC2452 (APT29), APT38, APT37, APT40 and APT39.

When these APTs develop C/C++-based malware, they either deploy the socket dynamic link library to create a service that communicates with the C&C server, or they use a pipe server for communication with the command and control server.

These are samples from APT40, APT39, UNC2452 (APT29), APT38.
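An added example (not code from the original post or from any sample it discusses) of how an analyst could label which of the two C&C transports described above, socket DLL plus service or pipe server, a sample's import table supports. The input format, function names and sample tables are assumptions constructed for illustration; the import lists would come from any PE parser.

```python
# Classify a sample's likely C2 transport from its import table (added example).
# ws2_32.dll is often imported by ordinal; these are its standard export ordinals.
WS2_ORDINALS = {1: "accept", 2: "bind", 4: "connect", 13: "listen",
                16: "recv", 19: "send", 23: "socket", 115: "WSAStartup"}
SOCKET_DLLS = {"ws2_32.dll", "wsock32.dll"}

def api_names(imports):
    """Flatten {dll: [name | ordinal, ...]} into a set of 'dll!api' strings."""
    out = set()
    for dll, entries in imports.items():
        dll = dll.lower()
        for e in entries:
            if isinstance(e, int):  # import by ordinal
                e = WS2_ORDINALS.get(e, "") if dll in SOCKET_DLLS else ""
            # Heuristic: drop the ANSI/Unicode suffix (CreateNamedPipeA/W).
            if len(e) > 1 and e[-1] in "AW" and e[-2].islower():
                e = e[:-1]
            if e:
                out.add(f"{dll}!{e.lower()}")
    return out

def c2_transport(imports):
    """Return the sorted transport labels that the import table supports."""
    apis = api_names(imports)
    def has(dlls, *names):
        return all(any(f"{d}!{n}" in apis for d in dlls) for n in names)
    labels = []
    if has(SOCKET_DLLS, "wsastartup", "socket") and (
            has(SOCKET_DLLS, "connect") or has(SOCKET_DLLS, "bind", "listen")):
        labels.append("socket")
    # A pipe server creates the pipe and waits for a client; a client only opens it.
    if has({"kernel32.dll"}, "createnamedpipe", "connectnamedpipe"):
        labels.append("pipe_server")
    if has({"advapi32.dll"}, "createservice") or has(
            {"advapi32.dll"}, "startservicectrldispatcher"):
        labels.append("service")
    return sorted(labels)

# Constructed import tables, not taken from any real sample.
SOCKET_SERVICE = {"WS2_32.dll": [115, 23, 4, 19, 16],
                  "ADVAPI32.dll": ["CreateServiceW", "OpenSCManagerW"]}
PIPE_SERVER = {"KERNEL32.dll": ["CreateNamedPipeA", "ConnectNamedPipe", "ReadFile"]}
PIPE_CLIENT = {"KERNEL32.dll": ["CreateFileW", "WaitNamedPipeW", "ReadFile"]}

if __name__ == "__main__":
    for imp in (SOCKET_SERVICE, PIPE_SERVER, PIPE_CLIENT):
        print(c2_transport(imp))
```

The labels describe a sample's transport only; they are a triage feature to combine with other evidence.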

MITRE ATT&CK Common Techniques [TTPs]

UNC2452 (APT29), APT38, APT37, APT40 and APT39 common TTPs.

Indicators of Compromise [IOCs]

Tweeted by me a day ago.

Conclusion:

For y'all asking me how I cited SManager to APT40 instead of APT17: it's because of the following blog in the References, which is research from the cyber security firm “FireEye” from around early 2020, in which the Chinese “APT17” was cited in connection with APT40. And for those who were asking how I cited UNC2452 (must be part of APT29) as the culprit in these espionage operations: it is because the U.S. Government accused Russian GRU & Chinese Govt. hackers of the SolarWinds Orion hacks. There is an active threat report about a Chinese APT from Reuters recently.

References

Thanks for reading.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
