Technology, logistics, shipping, and automotive organizations across Asia and Europe, particularly Taiwan, Thailand, Turkey, Italy, Spain, and the UK, have been subjected to malware attacks by Chinese state-sponsored threat operation APT41 since last year, with the group recently expanding intrusions against similar entities in Singapore, reports SecurityWeek.
APT41, also known as Wicked Panda, Barium, and Winnti, exploited Tomcat Apache Manager servers' web shells to facilitate dropper execution and backdoor distribution before leveraging the DUSTTRAP multi-stage plugin framework to conceal malicious activity, according to a report from Mandiant. Such attacks also involved the usage of a command-line utility to enable Oracle database exfiltration. "The decrypted payload was designed to establish communication channels with either APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activities with legitimate traffic," said researchers. Such attack techniques show an evolution from the hacking group's initial utilization of UEFI firmware implants, software supply chain breaches, and stolen digital certificates.
