The China-linked advanced persistent threat (APT) group codenamed APT41 is suspected to be using an "advanced and upgraded version" of a known malware called StealthVector to deliver a previously undocumented backdoor dubbed MoonWalk.
The new variant of StealthVector – which is also known as DUSTPAN – has been designated DodgeBox by Zscaler ThreatLabz, which discovered the loader strain in April 2024.
"DodgeBox is a loader that proceeds to load a new backdoor named MoonWalk," security researchers Yin Hong Chang and Sudeep Singh said. "MoonWalk shares many evasion techniques implemented in DodgeBox and uses Google Drive for command-and-control (C2) communication."
APT41 is the moniker assigned to a prolific state-sponsored threat actor affiliated with China that is known to have been active since at least 2007. It is also tracked by the broader cybersecurity community under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda, and Winnti.
In September 2020, the U.S. Department of Justice (DoJ) announced the indictment of several threat actors associated with the hacking crew for orchestrating intrusion campaigns targeting more than 100 companies around the world.
"The intrusions […] facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information," the DoJ said at the time, adding that they also enabled "other criminal schemes, including ransomware and 'crypto-jacking' schemes."
Over the past few years, the threat group has been linked to breaches of U.S. state government networks between May 2021 and February 2022, in addition to attacks targeting Taiwanese media organizations using an open-source red teaming tool known as Google Command and Control (GC2).
The use of StealthVector by APT41 was first documented by Trend Micro in August 2021, which described it as a shellcode loader written in C/C++ that is used to deliver Cobalt Strike Beacon and a shellcode implant named ScrambleCross (aka SideWalk).
DodgeBox is assessed to be an improved version of StealthVector, while also incorporating various techniques such as call stack spoofing, DLL side-loading, and DLL hollowing to evade detection. The exact method by which the malware is distributed is currently unknown.
"APT41 employs DLL side-loading as a means of executing DodgeBox," the researchers said. "They utilize a legitimate executable (taskhost.exe), signed by Sandboxie, to sideload a malicious DLL (sbiedll.dll)."
The rogue DLL (i.e., DodgeBox) is a DLL loader written in C that acts as a conduit to decrypt and launch a second-stage payload, the MoonWalk backdoor.
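A defender-side illustration of the side-loading pattern described above, added here as an example and not code from Zscaler's report: it scans Sysmon Event ID 7 (ImageLoaded) records for the taskhost.exe/sbiedll.dll pairing and flags loads where the DLL is unsigned, signed by an unexpected vendor, or resolved from the host executable's own directory. The sample events, the pipe-delimited field layout, and the signer name "Contoso Ltd" are constructed for the demo.

```python
"""Flag Sysmon Event ID 7 (ImageLoaded) records that match the side-loading shape
described above. Assumes Sysmon's standard ImageLoaded field names."""
from typing import Dict, List

# Constructed sample events (key=value pairs joined by '|'); not real telemetry.
# 'Contoso Ltd' is a placeholder signer name.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Sandboxie\\taskhost.exe|ImageLoaded=C:\\Program Files\\Sandboxie\\SbieDll.dll|Signed=true|Signature=Sandboxie|SignatureStatus=Valid",
    "Image=C:\\Users\\Public\\Music\\taskhost.exe|ImageLoaded=C:\\Users\\Public\\Music\\sbiedll.dll|Signed=false|Signature=|SignatureStatus=Unavailable",
    "Image=C:\\ProgramData\\svc\\taskhost.exe|ImageLoaded=C:\\ProgramData\\svc\\SbieDll.dll|Signed=true|Signature=Contoso Ltd|SignatureStatus=Valid",
    "Image=C:\\Windows\\System32\\taskhostw.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
]

def parse_event(line: str) -> Dict[str, str]:
    """Turn 'k=v|k=v' into a dict; an empty value such as 'Signature=' is kept."""
    return dict(pair.split("=", 1) for pair in line.split("|"))

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()

def sideload_reasons(ev: Dict[str, str], host: str = "taskhost.exe", dll: str = "sbiedll.dll",
                     expected_signer: str = "sandboxie") -> List[str]:
    """Return why this load looks like the reported side-load; [] means no match."""
    if _name(ev["Image"]) != host or _name(ev["ImageLoaded"]) != dll:
        return []  # not the host/DLL pair the report describes
    reasons = []
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("dll-not-validly-signed")
    elif expected_signer not in ev.get("Signature", "").lower():
        reasons.append("dll-signer-mismatch")  # valid signature, but not the vendor's
    # Aggravating factor: the DLL resolved from the host's own directory, the classic
    # side-load layout, rather than from a system or vendor install path.
    if reasons and _dir(ev["Image"]) == _dir(ev["ImageLoaded"]):
        reasons.append("dll-resolved-from-host-directory")
    return reasons

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one report entry per event that triggers at least one reason."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append({"image": ev["Image"], "dll": ev["ImageLoaded"], "reasons": ",".join(reasons)})
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the two loads from user-writable or non-vendor paths and leaves the validly signed vendor copy and the unrelated taskhostw.exe load alone.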
The attribution of DodgeBox to APT41 stems from the similarities between DodgeBox and StealthVector; the use of DLL side-loading, a technique widely used by China-nexus groups to deliver malware such as PlugX; and the fact that DodgeBox samples have been submitted to VirusTotal from Thailand and Taiwan.
"DodgeBox is a newly identified malware loader that employs multiple techniques to evade both static and behavioral detection," the researchers said.
"It offers various capabilities, including decrypting and loading embedded DLLs, conducting environment checks and bindings, and executing cleanup procedures."