Prolific hacking group APT41 exploited COVID-19 fears, reveals BlackBerry
October 2021 by Dean Given and T. J. O’Leary, Threat Researchers at BlackBerry
BlackBerry’s Research & Intelligence team has revealed a state-sponsored campaign that looks to exploit people’s hopes for a swift end to the pandemic in a bid to entrap its victims. Once on a user’s machine, the threat blends into the digital woodwork by using its own customised profile to hide its network traffic.
Connecting the dots between seemingly disparate malware campaigns, BlackBerry has been able to link prolific Chinese cyber threat group, APT41, to the campaign.
It shows that the group has exploited Cobalt Strike software using a bespoke Malleable C2 Profile – the group uses publicly available profiles designed to look like legitimate network traffic from Amazon, Gmail, OneDrive and others. This tactic was first used in a blog post, published the same month as COVID-19 lockdowns began in Europe and the U.S.
Techniques include phishing lures targeting victims in India, containing information related to new tax legislation and COVID-19 statistics. These messages masqueraded as being from Indian government entities.
APT41 has led malware campaigns related to financially motivated criminal activity and espionage dating as far back as 2012. This group has targeted organisations globally across a number of sectors travel including healthcare, news, education and telecoms.
These findings show that the APT41 group is still regularly conducting new campaigns, and that they will likely continue to do so in the future.