
After Clasiopa, APT41 Targets Asian Materials Sector

The Blackfly cyberespionage group, aka APT41, Winnti Group, and Bronze Atlas, has been actively targeting Asian entities. Recently, this Chinese state-sponsored group focused on two subsidiaries of a prominent Asian conglomerate, which specialize in materials and composites. This attack comes right on the heels of another distinct campaign against the Asian materials sector.

Diving into details

The operation ran from late 2022 to early 2023, with a focus on intellectual property theft. Blackfly leveraged the Winnkit backdoor, Mimikatz, ForkPlayground, and several other tools for credential dumping, capturing screenshots, SQL querying, process hollowing, and proxy configuration.

Active since at least 2010, APT41 used PlugX, ShadowPad, and the Winnti backdoor in its earlier attacks. While it made its name by targeting the gaming sector, the threat actor has since broadened its attack scope across multiple sectors for the purpose of intelligence gathering.

The Clasiopa campaign

Roughly a week ago, the Clasiopa hacker group was found targeting Asian organizations operating in the materials research sector with a diverse toolset, comprising the Atharvan RAT, modified strains of the Lilith RAT, the Thumbsender hacking tool, and a custom proxy tool.
  • The threat actor is suspected of gaining access to public-facing servers by brute-forcing accounts.
  • Atharvan, a custom RAT, provides various advanced features, one of which is that it can be configured to communicate with its C2 server on a fixed schedule.

Moving on from the materials sector

Apart from the materials sector, threat actors have been targeting various other sectors in Asia with different schemes.
  • A new threat actor, named Hydrochasma, was discovered targeting medical labs and shipping companies in Asia. 
  • The group has been primarily targeting industries associated with COVID-19 vaccines or treatments. 
  • Last month, hackers got hold of login credentials for data centers in Asia, including Shanghai-based GDS Holdings Ltd. and Singapore-based ST Telemedia Global Data Centres.

The bottom line

Symantec has provided IOCs to detect and mitigate the malicious activity of the Blackfly group, which appears unaffected by the publicity generated by the U.S. indictment against it. This group, one of the longest-standing Chinese APT groups, has been involved in both cyberespionage and financially motivated attacks.
Publisher: Cyware