APT41 - TOUGHPROGRESS malware analysis

Important elements of the analysis:

  • Chinese APT group
  • Compiled on 23rd September, 2024
  • Retpoline references
  • Victim host information gathering
  • User information and settings gathering
  • C&C communications hidden with Google Calendar APIs
  • Victim IP address details gathering
  • JSON structure for C&C communications
  • PDF decoy files
  • JPG files in archives used to spread the threat
  • Anti-debugging and anti-VM
  • Persistence mechanism


APT41 is a Chinese cyber criminal group that has targeted multiple industries in the technology and logistics fields.

In this article we analyze an APT41 malware sample, developed in C++ and compiled on 23rd September, 2024.

In the 6th section of the PE we can see Retpoline references; Retpoline is a compiler-level mitigation that routes indirect branches through return instructions to isolate them from speculative execution.



We can see, in the following screenshots, functions associated with file copying, folder creation, mutex creation, thread creation, pointer encoding, system locale enumeration and local time gathering.




The ComputerName attribute is retrieved with the function GetComputerNameExW:



The function K32GetProcessImageFileNameW is used to get details about the executable of a specific process.


The user information is gathered, and registry keys and registry entries are enumerated and read. Processes are launched by impersonating the logged-on user, and the account SID is retrieved.



Here are a lot of details about the HTTP request functions, for example WinHttpConnect, WinHttpOpenRequest, WinHttpReadData and WinHttpSendRequest, but also the function GetAdaptersInfo, used to get details about the network adapters installed on the infected machine.





APT41 threats use Google Calendar APIs, URLs and Google OAuth2 to hide malicious commands inside C&C communications and sessions. We can see evidence related to the /events section of the Google Calendar API URL, dates from 30th July 2023 and the user agent used. The artifact gathers information about the IP address of the infected machine (api[.]ipify[.]org), and there are also details about LastBootTime. The ProgramData folder is also enumerated, and the registry keys HKEY_CLASSES_ROOT, HKEY_USERS and APPDATA are accessed to get details about the user's settings.


We can also see that the data type of the C&C requests is JSON:

Here is the same evidence gathered with another debugging phase of the analysis:




The System locales are also obtained:


By examining the strings extracted from the PE we can find evidence of PDF file structures, including the ID, the Producer (222 PDF Library) and the modify date (23rd October 2024, on disk D). Those PDF files are decoy files.


Here is one of the C&C commands (GOCSPX-...):


Here we can see the entropy and byte distribution of the threat:



The entropy of the .text section (CPU instructions) is 6.76283:
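The section entropy and entry point figures above come from a PE triage tool; the following script, added here as an example and not part of the original analysis, reproduces that triage from scratch: it walks the DOS/COFF/optional headers, reads the compile timestamp, computes the Shannon entropy (bits per byte, the same 0 to 8 scale as the 6.76283 value) of each section's raw bytes, and reports which section contains the entry point. The image it parses is a constructed two-section PE32+ built in `build_sample_pe()`, not the APT41 sample; its timestamp is set to the compile date from the analysis only so the output is recognisable.

```python
import hashlib
import math
import struct
import time
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> dict:
    """Read the handful of PE header fields needed for triage (not a full PE parser)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    timestamp = struct.unpack_from("<I", pe, coff + 4)[0]   # TimeDateStamp
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        hdr = opt + opt_size + 40 * i                        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, hdr)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 5),
            "contains_entry_point": vaddr <= entry_rva < vaddr + max(vsize, rawsize),
        })
    return {
        "compile_time_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(timestamp)),
        "entry_point_rva": entry_rva,
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32+ image with a code-like .text and a string-heavy .rdata (not the real sample)."""
    pe_off, opt_size = 0x80, 240
    text_ptr, text_size = 0x200, 0x200
    rdata_ptr, rdata_size = 0x400, 0x100
    timestamp = 1727049600  # 2024-09-23 00:00:00 UTC, matching the compile date in the analysis
    image = bytearray(rdata_ptr + rdata_size)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, pe_off)
    image[pe_off:pe_off + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, pe_off + 4, 0x8664, 2, timestamp, 0, 0, opt_size, 0x22)
    opt = pe_off + 24
    struct.pack_into("<H", image, opt, 0x20B)               # PE32+ magic
    struct.pack_into("<I", image, opt + 16, 0x1040)         # entry point RVA inside .text
    hdr = opt + opt_size
    struct.pack_into("<8sIIII", image, hdr, b".text", text_size, 0x1000, text_size, text_ptr)
    struct.pack_into("<8sIIII", image, hdr + 40, b".rdata", rdata_size, 0x2000, rdata_size, rdata_ptr)
    # .text: deterministic, uniformly distributed bytes standing in for machine code.
    code = b"".join(hashlib.sha256(b"sample" + i.to_bytes(4, "little")).digest() for i in range(text_size // 32))
    image[text_ptr:text_ptr + text_size] = code
    # .rdata: repeated API-name strings, which score far lower entropy.
    strings = b"GetComputerNameExW\0WinHttpOpenRequest\0"
    image[rdata_ptr:rdata_ptr + rdata_size] = (strings * (rdata_size // len(strings) + 1))[:rdata_size]
    return bytes(image)


if __name__ == "__main__":
    report = parse_sections(build_sample_pe())
    print("compiled:", report["compile_time_utc"], "entry point RVA: 0x%08X" % report["entry_point_rva"])
    for s in report["sections"]:
        print("%-8s entropy=%.5f size=0x%X entry=%s" % (s["name"], s["entropy"], s["raw_size"], s["contains_entry_point"]))
```

Run it against a real file by replacing `build_sample_pe()` with `open(path, "rb").read()`. Entropy close to 8 in a code section usually means the section is packed or encrypted; a value in the 6 to 7 range, as for this sample, is typical of plain native code.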





Here are some further details about the PE section sizes:




The entry point of the .text section is 0x000C7FE0:

The ADVAPI32.dll library is used to access registry data, and WINHTTP.dll and IPHLPAPI.dll are used to handle C&C communications and commands:


The APT41 sample TOUGHPROGRESS uses functions to enumerate files, create directories and delete files (for example FindFirstFileExW, CreateDirectoryW and DeleteFileW). The malware calls GetEnvironmentStringsW to gather details about its execution environment, and GetLogicalDriveStringsW to gather details about the drives.


There is also an attempt to log on as a local user with the LogonUserA function, after a LookupAccountSidA call:

In combination, the username is gathered with the GetUserNameW function:




APT41 checks for the presence of a debugger and checks the current timestamp to avoid execution inside sandboxes and virtual machines:



Here is a reference to the COMMAND_LINE attribute in C&C communications sessions:


The registry key under SOFTWARE\Microsoft\Windows NT\CurrentVersion\svchost is used to load the malicious service persistently:
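A persistence entry in the svchost key shows up as an extra service name inside one of the REG_MULTI_SZ group values. The following check, added here as an example and not part of the original analysis, reads those group values (on Windows, through `winreg`) and diffs them against a baseline exported from a known-good host; anything not in the baseline is reported, and `service_dll()` resolves the DLL that such a service would load for further triage. The `SAMPLE_SVCHOST_GROUPS` snapshot and the `BASELINE` dictionary are constructed for the example, and "UpdateSvc" is a made-up name standing in for an injected service.

```python
import sys

SVCHOST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"

# Constructed snapshot of the Svchost key (group name -> service names), not data from the analysed sample.
SAMPLE_SVCHOST_GROUPS = {
    "netsvcs": ["Schedule", "Themes", "wuauserv", "UpdateSvc"],   # "UpdateSvc" is the made-up extra entry
    "LocalService": ["nsi", "WdiServiceHost"],
}

# Assumed baseline exported from a clean host of the same Windows build.
BASELINE = {
    "netsvcs": {"Schedule", "Themes", "wuauserv"},
    "LocalService": {"nsi", "WdiServiceHost"},
}


def read_svchost_groups() -> dict:
    """Read the live Svchost key on Windows; elsewhere raise so the caller falls back to a snapshot."""
    if sys.platform != "win32":
        raise OSError("live registry read requires Windows")
    import winreg
    groups = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SVCHOST_KEY) as key:
        n_values = winreg.QueryInfoKey(key)[1]
        for i in range(n_values):
            name, data, vtype = winreg.EnumValue(key, i)
            if vtype == winreg.REG_MULTI_SZ:      # each group value is a list of service names
                groups[name] = list(data)
    return groups


def service_dll(service_name: str) -> str:
    """Return the ServiceDll path a svchost-hosted service loads (Windows only)."""
    import winreg
    path = r"SYSTEM\CurrentControlSet\Services\%s\Parameters" % service_name
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        return winreg.QueryValueEx(key, "ServiceDll")[0]


def find_unknown_services(groups: dict, baseline: dict) -> dict:
    """Return {group: [service names]} for every service not present in the baseline for that group."""
    unknown = {}
    for group, services in groups.items():
        extra = sorted(set(services) - baseline.get(group, set()))
        if extra:
            unknown[group] = extra
    return unknown


if __name__ == "__main__":
    try:
        groups = read_svchost_groups()
    except OSError:
        groups = SAMPLE_SVCHOST_GROUPS
    for group, names in find_unknown_services(groups, BASELINE).items():
        for name in names:
            print("unknown service %r in svchost group %r" % (name, group))
            if sys.platform == "win32":
                print("  ServiceDll:", service_dll(name))
```

The baseline should be regenerated after feature updates, since Microsoft does add services to these groups; a diff against a stale baseline produces noise rather than a finding.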


Here's a reference to Google Calendar API calls which are used to hide C&C communications and sessions:


By performing a malware debugging session we can get evidence of the loaded DLLs, in particular winhttp.dll, iphlpapi.dll (which references, for example, the functions related to ICMP echo requests and GetIpForwardTable, which can be called to get the IPv4 routing table) and advapi32.dll (used by the threat for registry operations).



Here we have the evidence of the access to the registry key HKEY_CURRENT_USER, which contains the user's settings and information:


Here we have a detail related to the image file 7.jpg, associated with a file contained in the archives used to spread the threat:


Here we have a reference to the HTTP authentication scheme Authorization: Bearer:


The JSON format option is specified in the Set-Cookie function call:
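The Calendar API traffic described above (the /events endpoint, OAuth2 bearer tokens, JSON bodies, and the preceding public IP lookup through api.ipify.org) is the one part of this sample that a network defender can see without the binary. The following detection, added here as an example and not part of the original analysis, runs over a constructed JSON-lines proxy log and flags Calendar events requests that come from a process outside an assumed allowlist of legitimate clients, that present a bearer token from such a process, or that follow a public IP lookup by the same process. The log format, its field names, the `EXPECTED_CALENDAR_CLIENTS` allowlist and the time window are all assumptions for the example.

```python
import json
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed JSON-lines proxy log, not real telemetry; field names are assumed.
SAMPLE_LOG = """\
{"ts": "2024-09-23T10:00:01Z", "process": "chrome.exe", "host": "www.googleapis.com", "path": "/calendar/v3/calendars/primary/events", "auth": "Bearer"}
{"ts": "2024-09-23T10:05:12Z", "process": "svchost.exe", "host": "api.ipify.org", "path": "/?format=json", "auth": "none"}
{"ts": "2024-09-23T10:05:14Z", "process": "svchost.exe", "host": "www.googleapis.com", "path": "/calendar/v3/calendars/primary/events?timeMin=2023-07-30T00:00:00Z", "auth": "Bearer"}
{"ts": "2024-09-23T10:06:00Z", "process": "outlook.exe", "host": "outlook.office365.com", "path": "/api/v2.0/me/events", "auth": "Bearer"}
"""

# Calendar API "events" collection of any calendar, query string excluded.
CALENDAR_EVENTS = re.compile(r"^/calendar/v3/calendars/[^/]+/events(/|$)")
# Assumed allowlist of processes expected to use the Calendar API in this environment.
EXPECTED_CALENDAR_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}
PUBLIC_IP_SERVICES = {"api.ipify.org"}


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _timestamp(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))


def find_calendar_c2(records: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Return one alert per suspicious Calendar events request, each with the reasons it fired."""
    alerts = []
    last_ip_lookup = {}   # process name -> time of its most recent public IP lookup
    for rec in records:
        ts = _timestamp(rec)
        proc = rec["process"].lower()
        if rec["host"] in PUBLIC_IP_SERVICES:
            last_ip_lookup[proc] = ts
            continue
        if rec["host"] != "www.googleapis.com" or not CALENDAR_EVENTS.match(urlparse(rec["path"]).path):
            continue
        reasons = []
        if proc not in EXPECTED_CALENDAR_CLIENTS:
            reasons.append("calendar events request from unexpected process")
            if rec.get("auth", "").lower().startswith("bearer"):
                reasons.append("OAuth2 bearer token presented by non-browser process")
        if proc in last_ip_lookup and ts - last_ip_lookup[proc] <= window:
            reasons.append("preceded by public IP lookup from the same process")
        if reasons:
            alerts.append({"ts": rec["ts"], "process": rec["process"], "path": rec["path"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_calendar_c2(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

The process-name check depends on a proxy or EDR that attributes connections to processes; where only the HTTP layer is visible, the user agent and the IP-lookup-then-Calendar sequence remain usable signals, since the official Google APIs are rarely called by a host that first asks a third-party service for its own public IP.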


By performing a dynamic process dump analysis we can see registry access to the key HKLM\System\CurrentControlSet\Services\bam\State\UserSettings (and Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings) and to HKCU\Software\Classes\LocalSettings\Software\Microsoft, which also contains information and details about application configurations.

Here we have the evidence of the gathering of the victim IP address:


Before proceeding to the winhttp DLL function calls that perform the C&C communications, we can see the execution of ActiveComputerName, which can be used to obtain the hostname that identifies the infection session:



IOCs:

  • f693c2f555c754f129c3fe2556755fc37db9bc623cf6f507c87d6cfeb53b1a3d
  • 5c0f33f49e82e8f99660a98ce7d387eeb3e4c550
  • 79b949d4d1157becc6f3bde0860fc5e5
  • GOCSPX
  • 7.jpg

YARA Rule:

rule APT41_23092024
{
    strings:
        $str = "GOCSPX-7lhZzdaITRrR07"
        $hex = { 47 4f 43 53 50 58 2d 37 6c 68 5a 7a 64 61 49 54 52 72 52 30 37 }
        $str1 = "7.jpg"

    condition:
        ($str or $hex) and $str1
}