APT41: The Silent Infiltrators in Global Cyber Espionage

A recently disclosed campaign has been attributed to APT41, a China-based threat group, which targeted organizations in the global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. Since 2023, APT41 has compromised victim networks and maintained long-term persistence in them while working to exfiltrate sensitive data.

APT41 uses web shells such as ANTSWORD and BLUEBEAM, custom loaders such as DUSTPAN and DUSTTRAP, and publicly available tools such as SQLULDR2 and PINEGROVE. Together these let the group maintain persistence, stage additional payloads, and move valuable data out of the network. DUSTPAN loads a Cobalt Strike Beacon to establish command-and-control, while DUSTTRAP decrypts and executes malicious payloads in memory.

SQLULDR2 is used to export data from Oracle databases, and PINEGROVE is then used to upload large volumes of sensitive data to Microsoft OneDrive. The DUSTPAN and DUSTTRAP malware families share similarities with DodgeBox and MoonWalk, which points to a broader, shared tooling ecosystem behind the group.
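The tool chain above (web shell spawning a shell, SQLULDR2 bulk export, large upload to OneDrive by a process that is not the OneDrive client) gives a defender three observable stages to hunt for. The following is an added example written for this page, not code from the original article or from the Mandiant report it summarizes. It assumes Sysmon-style process-creation and network events represented as Python dicts; the web-server parent names, the SQLULDR2 argument names (`user=`, `query=`, `file=`), the OneDrive API hosts and the 100 MiB upload threshold are assumptions chosen for the example, and the sample events are constructed, not captured data.

```python
"""Hunting heuristics for the APT41 tool chain: web shell -> SQLULDR2 -> OneDrive upload.

Added example for this page (not the article's or Mandiant's code). Field names,
parent-process names, argument names, OneDrive hosts and the size threshold are
assumptions; tune them to your own telemetry.
"""
from collections import defaultdict

WEB_SERVER_PARENTS = {"w3wp.exe", "java.exe", "tomcat.exe", "httpd.exe", "php-cgi.exe"}  # assumed
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
ONEDRIVE_HOSTS = {"graph.microsoft.com", "api.onedrive.com", "onedrive.live.com"}  # assumed
ONEDRIVE_CLIENTS = {"onedrive.exe", "filecoauth.exe"}  # legitimate sync client, assumed
UPLOAD_THRESHOLD = 100 * 1024 * 1024  # 100 MiB, assumed


def base(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


def check_process(ev):
    """Return a reason string if a process-creation event looks like stage 1 or 2, else None."""
    image = base(ev["image"])
    parent = base(ev.get("parent_image", ""))
    cmd = ev.get("cmdline", "").lower()
    if parent in WEB_SERVER_PARENTS and image in SHELLS:
        return "web server process spawned a shell (web shell behaviour)"
    if image.startswith("sqluldr2") or "sqluldr2" in cmd:
        return "SQLULDR2 Oracle bulk export"
    if "user=" in cmd and "query=" in cmd and "file=" in cmd:
        return "SQLULDR2-style export arguments (renamed binary?)"
    return None


def check_network(ev):
    """Flag large uploads to OneDrive endpoints from anything other than the OneDrive client."""
    if ev["dest_host"] not in ONEDRIVE_HOSTS:
        return None
    if base(ev["image"]) in ONEDRIVE_CLIENTS:
        return None
    if ev["bytes_out"] < UPLOAD_THRESHOLD:
        return None
    mib = ev["bytes_out"] // (1024 * 1024)
    return f"{mib} MiB sent to {ev['dest_host']} by non-OneDrive process {base(ev['image'])}"


def hunt(events):
    """Return (hits, escalated_hosts): every individual match, plus hosts showing all three stages."""
    hits = []
    stages_by_host = defaultdict(set)
    for ev in events:
        reason = check_process(ev) if ev["type"] == "process" else check_network(ev)
        if not reason:
            continue
        hits.append((ev["id"], ev["host"], reason))
        if ev["type"] == "network":
            stage = "exfil"
        elif "SQLULDR2" in reason:
            stage = "export"
        else:
            stage = "access"
        stages_by_host[ev["host"]].add(stage)
    escalated = sorted(h for h, s in stages_by_host.items() if {"access", "export", "exfil"} <= s)
    return hits, escalated


# Constructed sample telemetry (not real captured events).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "host": "web01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 2, "type": "process", "host": "web01", "image": r"C:\ProgramData\sqluldr2.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'sqluldr2.exe user=app/pw@orcl query="select * from customers" file=C:\\ProgramData\\c.txt'},
    {"id": 3, "type": "network", "host": "web01", "image": r"C:\ProgramData\svc.exe",
     "dest_host": "graph.microsoft.com", "bytes_out": 850 * 1024 * 1024},
    {"id": 4, "type": "process", "host": "ws07", "image": r"C:\Windows\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"id": 5, "type": "network", "host": "ws07",
     "image": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "dest_host": "graph.microsoft.com", "bytes_out": 2 * 1024 * 1024 * 1024},
]

if __name__ == "__main__":
    found, escalate = hunt(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("hosts with full chain:", escalate)
```

Each stage on its own is noisy (administrators do run Oracle exports, and plenty of software talks to Microsoft Graph), which is why `hunt` only escalates a host once all three stages appear on it; the individual hits are still returned so an analyst can review them.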

DUSTTRAP's main distinguishing feature is its multi-stage plugin framework, which supports shell command execution, file-system operations, process manipulation, and more. Its components were code-signed with what appear to be stolen code-signing certificates, an additional factor that makes the threat harder to catch: a valid signature is therefore not evidence that a binary is benign, and defenders should check the signing certificate's issuer and revocation status rather than trusting the signature alone.

This campaign highlights how necessary it is to implement comprehensive security strategies that can counter such sophisticated threats and protect critical infrastructure worldwide.