Chinese Cyber-Spies Target US-Based Research University

A recently analyzed Chinese threat actor that conducts both cyber-espionage and financially-motivated operations was observed targeting a web server at a U.S.-based research university, FireEye's security researchers report.

Tracked as APT41, the threat actor has been active since at least 2012, and has been engaging in both state-sponsored espionage activities and financially-motivated operations since 2014. It has been observed targeting the gaming, healthcare, high-tech, higher education, telecommunications, and travel services industries.

Unlike other Chinese threat groups, APT41 was seen using non-public malware typically reserved for espionage campaigns in cyber-crime attacks. The hackers move laterally within the compromised networks, pivoting between both Windows and Linux systems, and are known to have used over 46 different malware families and tools in their operations.

In April 2019, the group targeted a publicly-accessible web server at a U.S.-based research university, exploiting CVE-2019-3396, a vulnerability in Atlassian Confluence Server, for path traversal and remote code execution.

The attackers used custom JSON POST requests to run commands and force the vulnerable system to download an additional file, which was identified as a variant of the China Chopper web shell.

Next, the attackers downloaded two additional files onto the system, the first of which was used to deploy the HIGHNOON backdoor, which consists of a loader, a dynamic-link library (DLL), and a rootkit. The DLL may deploy additional drivers to conceal network tra ..