China’s APT41 crew adds a stealthy malware loader and fresh backdoor to its toolbox


July 11, 2024 at 09:38PM

APT41, a Chinese government-backed cyber espionage group, has added the DodgeBox loader and the MoonWalk backdoor to its malware toolbox. Zscaler's ThreatLabz team attributes the new tools to APT41 with medium confidence. DodgeBox combines encrypted payload handling with environmental checks and detection-evasion techniques, and MoonWalk uses Google Drive for command-and-control communication. More details on MoonWalk are to come in a follow-up analysis.

Key Takeaways:

1. APT41, a Chinese government-backed cyber espionage group, has incorporated a loader called DodgeBox and a backdoor called MoonWalk into its malware arsenal, according to research by Zscaler’s ThreatLabz team.

2. APT41, also known as Barium, Wicked Panda, Wicked Spider, and Earth Baku, is associated with the Chinese Ministry of State Security and has engaged in both digital espionage and financially motivated crimes.

3. The US government has charged APT41 members with infiltrating over 100 computer networks worldwide.

4. Zscaler’s analysis attributes the observed intrusions to APT41 with medium confidence, based on identified tactics, techniques, and procedures (TTPs) and the similarity between DodgeBox and StealthVector malware.

5. DodgeBox has been observed with samples submitted from Thailand and Taiwan, aligning with APT41’s previous targeting of users in the Southeast Asian region.

6. DodgeBox, similar to StealthVector, is a shellcode loader with encryption capabilities, environmental checks, and techniques to evade detection.

7. DodgeBox resolves the Windows APIs it needs during setup rather than importing them normally. Instead of storing DLL and function names in cleartext, it compares export names against salted FNV1a hashes, which hides its imports from static analysis and defeats precomputed tables of unsalted API hashes. It loads the MoonWalk backdoor only after its environmental checks pass and the payload has been decrypted.
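The following is an added example, not DodgeBox's code nor anything published by Zscaler. It shows both sides of the salted API-hashing technique described in point 7: how a loader stores only hashes of the DLL and export names it will resolve at run time, and how an analyst builds a hash-to-name table to recover them. The salt value, the way the salt is folded into the hash, the lower-casing of DLL names and the small export list are all assumptions made for illustration; the page does not give DodgeBox's actual scheme.

```python
"""
Salted FNV-1a API hashing as a shellcode loader would use it, plus the
analyst-side table lookup that reverses it. Added example; every constant
and convention below is an assumption, not DodgeBox's real scheme.
"""
from typing import Dict, Iterable, List, Optional, Tuple

FNV32_OFFSET = 0x811C9DC5  # standard 32-bit FNV-1a offset basis
FNV32_PRIME = 0x01000193   # standard 32-bit FNV-1a prime


def fnv1a32(data: bytes, seed: int = FNV32_OFFSET) -> int:
    """Plain 32-bit FNV-1a: XOR each byte into the state, then multiply."""
    h = seed
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def api_hash(name: str, salt: Optional[int] = None) -> int:
    """Hash an export name. With salt=None this is the unsalted hash that
    public lookup tables are built from. The salting scheme is hypothetical:
    hash the name, then keep hashing the 4-byte little-endian salt from that
    state, so the final value depends on a per-sample secret."""
    state = fnv1a32(name.encode("ascii"))
    if salt is None:
        return state
    return fnv1a32(salt.to_bytes(4, "little"), seed=state)


def dll_hash(dll: str, salt: Optional[int] = None) -> int:
    """DLL names are case-insensitive on Windows, so hash a canonical
    lower-case form (assumed convention; a real sample may use upper-case
    or UTF-16 bytes instead, which an analyst must try as well)."""
    return api_hash(dll.lower(), salt)


# Constructed export list for the demo. A real table would be generated from
# the export directories of the DLLs on a reference Windows install.
KNOWN_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "VirtualProtect", "CreateThread"],
    "ntdll.dll": ["NtAllocateVirtualMemory", "NtProtectVirtualMemory",
                  "RtlDecompressBuffer"],
}


def loader_view(salt: int) -> List[int]:
    """What the loader embeds instead of strings: the hashes it compares
    against while walking a DLL's export table at run time."""
    return [dll_hash("kernel32.dll", salt),
            api_hash("LoadLibraryA", salt),
            api_hash("VirtualAlloc", salt)]


def build_table(exports: Dict[str, List[str]],
                salt: Optional[int]) -> Dict[int, str]:
    """Analyst side: map hash -> name for every DLL and export, under a
    guessed salt (None = the unsalted table one would try first)."""
    table: Dict[int, str] = {}
    for dll, funcs in exports.items():
        table[dll_hash(dll, salt)] = dll
        for func in funcs:
            table[api_hash(func, salt)] = func
    return table


def resolve(hashes: Iterable[int],
            table: Dict[int, str]) -> List[Tuple[int, Optional[str]]]:
    """Look up constants pulled from a sample. None means no match: wrong
    salt, wrong mixing scheme, or an export missing from the list."""
    return [(h, table.get(h)) for h in hashes]


if __name__ == "__main__":
    SAMPLE_SALT = 0x5EED1234  # assumed per-sample salt recovered from the binary
    observed = loader_view(SAMPLE_SALT)
    print("unsalted table:", resolve(observed, build_table(KNOWN_EXPORTS, None)))
    print("salted table:  ", resolve(observed, build_table(KNOWN_EXPORTS, SAMPLE_SALT)))
```

The unsalted table returns no matches for any of the loader's constants, which is exactly the analyst's experience with a salted sample; once the salt and mixing order are recovered from the decompiled hashing routine, the same constants resolve cleanly. In practice, the salt and the exact byte handling (case, encoding, where the salt is mixed in) are read out of the sample's hash function, not guessed.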

