China’s APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload

An analysis of China-backed advanced persistent threat (APT) actor APT41’s activities has shown the group to be using a unique — and somewhat inexplicable — method for deploying its main Cobalt Strike payload on victim systems.

Researchers from Singapore-based Group-IB also discovered that the adversary is using a variety of dual-use tools for conducting reconnaissance. 

So far, Group-IB has identified at least 13 major organizations worldwide that have been compromised over four separate campaigns, with the APT gaining varying levels of access. Victims included organizations in the government, healthcare, manufacturing, logistics, hospitality, and media sectors in the US as well as China, India, Taiwan, and Vietnam. 

The security vendor concluded that the actual number of APT41’s victims could be much higher, based — among other things — on the fact that it observed signs of APT-related activity at a total of 80 private and government organizations in 2021.

Puzzling Payload Deployment Strategy for Cobalt Strike

One interesting aspect of the campaigns that Group-IB analyzed was the tendency by APT41 to encode its main custom Cobalt Strike binary in Base64, then break it up into smaller chunks of 775 characters. These are then added to a text file. In one instance, the threat actors had to repeat the action 154 times to write the entire payload to the file.

In another instance, Group-IB researchers observed the threat actor breaking up the code into chunks of 1,024 characters before writing the payload to a text file using 128 iterations of the process.
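Added example, not from the article or from Group-IB's report: a Python detection-and-triage sketch for the chunked Base64 staging described above. It assumes endpoint process-creation logs in which each chunk is appended to a text file with a shell `echo ... >> file`; the article does not say how APT41 actually wrote the chunks, so that command shape, the target path and the sample log lines are constructed assumptions.

```python
import re
import base64
from collections import defaultdict

# Assumed/constructed: the target path and the "echo <chunk> >> <file>" shape.
# The sample uses 16-character chunks so the log stays small; the article reports
# 775- and 1,024-character chunks written over 154 and 128 iterations.
TARGET = r'C:\Users\Public\stage.txt'
APPEND_RE = re.compile(r'echo\s+([A-Za-z0-9+/=]+)\s*>>\s*(\S+)', re.IGNORECASE)


def make_sample_log(payload: bytes, chunk_len: int, target: str = TARGET):
    """Build constructed command lines that stage `payload` in fixed-size chunks."""
    b64 = base64.b64encode(payload).decode()
    chunks = [b64[i:i + chunk_len] for i in range(0, len(b64), chunk_len)]
    return [f'cmd.exe /c echo {c} >> {target}' for c in chunks]


def find_chunked_writes(cmdlines, min_iterations=20):
    """Group Base64-looking appends by target file and flag files that receive
    many chunks of one fixed length (the last chunk may be shorter)."""
    per_file = defaultdict(list)
    for line in cmdlines:
        m = APPEND_RE.search(line)
        if m:
            per_file[m.group(2)].append(m.group(1))
    findings = {}
    for target, chunks in per_file.items():
        lengths = {len(c) for c in chunks[:-1]}
        if len(chunks) >= min_iterations and len(lengths) == 1:
            findings[target] = {'iterations': len(chunks), 'chunk_len': lengths.pop()}
    return findings


def reassemble(cmdlines, target):
    """Recover the staged payload for triage; also report whether it starts with
    the 'MZ' header of a Windows executable. Chunk boundaries need not align with
    Base64 4-character groups (775 is not a multiple of 4), so join before decoding."""
    chunks = [m.group(1) for m in map(APPEND_RE.search, cmdlines)
              if m and m.group(2) == target]
    data = base64.b64decode(''.join(chunks))
    return data, data.startswith(b'MZ')


def estimated_payload_bytes(chunk_len: int, iterations: int) -> int:
    """Upper-bound decoded size from chunk length and iteration count
    (Base64 expands 3 bytes to 4 characters; padding and a short last chunk
    make the real file slightly smaller)."""
    return (chunk_len * iterations * 3) // 4
```

Run on real telemetry, the same per-file grouping works for any append primitive once `APPEND_RE` is adapted to it; the iteration count and chunk length are what distinguish this staging pattern from ordinary script output.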

Nikita Rostovcev, an analyst within Group-IB’s APT
