Threat Groups Series: APT 41

To kick off my threat groups series, I've decided to start with APT 41, highly suspected to be based out of China. Source of a large amount of groups with varied capabilities, Chinese threat groups offer us a large cohort to assess.

Note: All information in this and subsequent blog posts is open-source information compiled from the sources referenced at the bottom of the page. None of this information is derived from paid or private sources.

APT 41

APT 41, also known as WICKED PANDA and Barium, is a cyber espionage group that has been observed overlapping toolsets between state-sponsored and e-crime operations. First observed as far back as 2012, it has conducted a variety of operations against an array of sectors, including but not limited to video game, telecom, hi-tech, and healthcare entities.

One of APT 41's most significant pieces of malware covered in reporting is MESSAGETAP.

MESSAGETAP has the ability to data mine telecommunications data and correlate it to associated identifiers.

MESSAGETAP is a data mining malware family deployed by APT 41 into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. -MITRE

The malware contains lists that have the specific identifiers such as phone numbers and IMSI numbers that it uses as part of its configuration to extract the desired information from its sniffed traffic.

Most recently, APT 41 has been linked by security researchers to the MoonBounce UEFI rootkit. It is a persistent piece of malware that resides on a system's firmware and has the capability to deploy additional stages of malicious code on the target endpoint.

Lastly, ShadowPad is another piece of malware attributed to this threat actor. MITRE reports that ShadowPad a backdoor that collects system information and communicates back to adversary infrastructure. I was able to locate a sample on MalwareBazaar and pulled it down for some cursory analysis in PeStudio.