APT41’s PowerShell Backdoor Let Hackers Download & Upload Files From Windows

Researchers from ThreatMon uncovered a targeted PowerShell backdoor malware attack from APT41 that bypasses detection and allows threat actors to execute commands, download and upload files, and gather sensitive information from compromised Windows systems.

Since 2012, the Chinese cyber espionage group APT41 (aka Wicked Panda) has used advanced tactics, techniques, and procedures (TTPs). They use custom-built malware and tools such as a PowerShell backdoor in their malicious arsenal.

Microsoft Windows includes the built-in scripting language PowerShell, which can manage system configurations and automate administrative tasks.

“By exploiting this functionality, APT41’s PowerShell backdoor circumvents conventional security measures, enabling it to infiltrate target systems,” Alp Cihangir ASLAN and Seyit SIGIRCI, malware analysts at the threat intelligence firm ThreatMon, reported to Cyber Security News.

“The group is also known for using a wide range of sophisticated tools and techniques, including custom malware, supply chain attacks, and the exploitation of vulnerabilities in software and hardware.”

PowerShell Backdoor

APT41’s PowerShell backdoor is crafted to operate covertly and maintain its presence over extended periods, frequently featuring as a secondary payload in targeted assault scenarios.

Following installation, the backdoor empowers APT41 to perform the following illicit activities on the compromised systems:-

  • Execute commands
  • Download files
  • Upload files
  • Extract confidential data

APT41’s sophisticated PowerShell backdoor underscores the importance of robust security measures for organizations to counter advanced threats.

Technical analysis

APT41’s notorious track record of high-profile cyber attacks like the 2017 Equifax data breach shows its sophistication and abilities.

To evade detection and prevent reinfection, the malware employs a clever tactic by creating a mutex named ‘v653Bmua-53JCY7Vq-tgSAaiwC-SSq3D4b6’ before execution.

If the mutex cannot be created, the malware terminates with a return value of 1.

The malware begins execution by staging its payloads in the Windows Registry. The first payload is launched using a LOLBin called “forfiles.exe.”

These “living-off-the-land binaries,” or LOLBins, are genuine system tools that threat actors abuse to perform several illicit activities.

The forfiles tool, primarily used for searching files, can also execute commands, which makes it a candidate for AV bypass through LOLBin abuse.

A command is automatically executed during system login via the HKCU\Environment\UserInitMprLogonScript key for persistence.

Then, under “HKEY_CLASSES_ROOT\abcdfile\shell\open\command\abcd”, the obfuscated PowerShell payload is assembled using another LOLBin:-

  • SyncAppvPublishingServer.vbs

The final payload is an unconventional PowerShell backdoor capable of infecting removable devices and utilizing Telegram as a C2 server.

The backdoor then transmits system information and the host’s public IP address, which it looks up via the ip-api service, to the C2 server.

Cybersecurity analysts at ThreatMon urged that proactive security practices are necessary for organizations to stay ahead of evolving malicious tactics.

Indicators Of Compromise (IOC)

  • SHA-256 HASH: bb3d35cba3434f053280fc2887a7e6be703505385e184da4960e8db533cf4428
  • SHA-256 HASH: d71f6fbc9dea34687080a2e12bf326966f6841d51294bd665261e07281459eeb
  • URL: hXXps://raw.githubusercontent[.]com/efimovah/abcd/main/xxx.gif
  • URL: hXXp://ip-api[.]com/json
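The following PowerShell audit script is an added example, not part of the ThreatMon report or this article, that checks a Windows host for the artefacts described in the technical analysis and in the IOC list above: the reinfection-guard mutex, the UserInitMprLogonScript logon-script value, the abcdfile handler key under HKEY_CLASSES_ROOT, references to the two LOLBins, and files whose SHA-256 matches either IOC hash. The mutex name, registry paths, LOLBin names and hashes are the ones quoted on this page; the function name Find-IocFiles, the output format and the default scan roots (the user profile and any removable drives) are assumptions.

```powershell
# Added host audit for the artefacts described in this article (not from the ThreatMon report).
# Run in an elevated PowerShell session. Mutex name, registry paths, LOLBin names and hashes
# come from the article; function names, output format and scan roots are assumptions.

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Reinfection-guard mutex. OpenExisting throws WaitHandleCannotBeOpenedException when no
#    mutex of that name exists, so a successful open is a live indicator. Both the local
#    and the Global\ namespace are tried because the article does not say which is used.
$MutexName = 'v653Bmua-53JCY7Vq-tgSAaiwC-SSq3D4b6'
foreach ($Name in @($MutexName, "Global\$MutexName")) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        $Findings.Add("Mutex present: $Name")
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
        if ($ex -isnot [System.Threading.WaitHandleCannotBeOpenedException]) {
            $Findings.Add("Mutex check inconclusive for ${Name}: $($ex.Message)")
        }
    }
}

# 2. Logon-script persistence. UserInitMprLogonScript is executed at every interactive
#    logon of this user and is normally absent on a workstation.
$Logon = Get-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -ErrorAction SilentlyContinue
if ($Logon) { $Findings.Add("UserInitMprLogonScript = $($Logon.UserInitMprLogonScript)") }

# 3. Custom 'abcdfile' handler staged under HKEY_CLASSES_ROOT. HKCR: is not a PowerShell
#    drive by default, so the Registry:: provider path is used instead.
$Handler = 'Registry::HKEY_CLASSES_ROOT\abcdfile\shell\open\command'
foreach ($Key in @($Handler, "$Handler\abcd")) {
    if (Test-Path -LiteralPath $Key) {
        $Findings.Add("Registry key present: $Key")
        foreach ($p in (Get-ItemProperty -LiteralPath $Key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $Findings.Add("    $($p.Name) = $($p.Value)") }
        }
    }
}

# 4. LOLBin references in anything found so far (forfiles.exe and SyncAppvPublishingServer.vbs;
#    the wildcard also matches the article's spelling of the script name).
foreach ($line in $Findings.ToArray()) {
    if ($line -like '*forfiles*' -or $line -like '*SyncApp*PublishingServer*') {
        $Findings.Add("LOLBin reference: $line")
    }
}

# 5. File-hash IOCs from the report, checked against a directory tree.
$IocHashes = @(
    'bb3d35cba3434f053280fc2887a7e6be703505385e184da4960e8db533cf4428',
    'd71f6fbc9dea34687080a2e12bf326966f6841d51294bd665261e07281459eeb'
)
function Find-IocFiles {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string[]]$Hashes)
    # Case-insensitive set, because Get-FileHash returns upper-case hex.
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $Hashes) { [void]$set.Add($h) }
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -and $set.Contains($hash)) { $_.FullName }
        }
}

# Scan roots: the current user's profile plus removable drives (Win32_LogicalDisk DriveType 2),
# since the final payload is described as infecting removable devices.
$Roots = @($env:USERPROFILE) + @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object { "$($_.DeviceID)\" })
foreach ($r in $Roots) {
    foreach ($hit in Find-IocFiles -Root $r -Hashes $IocHashes) { $Findings.Add("IOC hash match: $hit") }
}

if ($Findings.Count -eq 0) { 'No artefacts from this report found.' } else { $Findings }
```

A mutex hit is the strongest live signal, because it only opens while a process holding that name is running; the registry and hash checks also catch dormant installs. Any hit should be followed by collecting the referenced files and the full registry values before remediation, since the script only reports and does not delete anything.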


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.