APT41 Spinoff Expands Chinese Actor Reach Beyond Asia

A China-backed threat group best known for cyberespionage campaigns against organizations in Asia is expanding its reach into new regions, including Europe, the Middle East and Africa (EMEA), with attacks that use new malware and living-off-the-land (LotL) techniques to extend its presence.

Earth Baku, a spin-off group associated with the highly prolific APT41, is currently targeting organizations in Italy, Germany, the United Arab Emirates (UAE), and Qatar, and is using command-and-control (C2) infrastructure hosted in Georgia and Romania, Trend Micro researchers said.

The regional shift represents a recent change in strategy for the advanced persistent threat actor APT41, which has been actively monitored since at least 2012 and typically targets the Asia-Pacific region, according to a recent blog post by Trend Micro researchers Ted Lee and Theo Chen. Mandiant also recently observed APT41 involved in an ongoing cyberespionage campaign against organizations across multiple sectors in the UK and other European countries, in addition to Taiwan, one of the main countries where it typically operates.

In its recent attacks in these new regions, the actor is also diversifying its malware and tactics, exploiting public-facing applications such as IIS servers for initial access and deploying the Godzilla webshell for persistence and command-and-control (C2), according to Trend Micro. Other loaders used in the campaign, such as StealthVector and StealthReacher, which deliver APT41's latest modular backdoor, SneakCross, show that Earth Baku is strengthening its detection-evasion capabilities, the researchers noted.

Earth Baku has also deployed several new post-exploitation tools that show the group combining custom and publicly available tooling, including Rakshasa and TailScale for persistence and MEGAcmd for data exfiltration, which allows the group to move larger volumes of stolen data more efficiently, the researchers noted.

What all this means is that APT41 not only has another subgroup doing its dirty work, but it also has an "evolving and increasingly sophisticated threat profile, which could pose significant challenges to defending against cyberattacks," they noted in the post.

Evolving APT41 Tools and Tactics

APT41 is an umbrella descriptor for a dangerous collective of Chinese threat groups — also known as Winnti, Wicked Panda, Barium, and Suckfly — that has stolen trade secrets, intellectual property, healthcare-related data, and other sensitive information from U.S. organizations and entities around the world on behalf of the Chinese government. Four years ago, the U.S. government charged five members of APT41 for activities related to attacks on more than 100 companies worldwide. However, the group remains very active, thanks in part to spin-offs like Earth Baku that keep its activities fresh with new tools and tactics.

Trend Micro tracked Earth Baku through a series of recent attacks in EMEA that provide insight into its new tactics and tools, including StealthVector. The malware is a custom backdoor loader that the group uses to launch further binaries in stealth mode; it is an update to a loader discovered earlier, in 2021, the researchers noted.

“While its configuration structure has changed little, it now uses AES as the encryption algorithm instead of custom ChaCha20,” they wrote. “In some variants, we also observed a code virtualizer used for code obfuscation, making the malware harder to analyze. It also inherited other defensive evasion techniques to ensure the backdoor components were executed stealthily.”

Trend Micro also discovered another piece of malware, SneakCross, a modular backdoor that uses Google services for its C2 communication and Windows Fibers to evade detection by network protection products and endpoint detection and response (EDR) solutions. The malware is likely a successor to APT41's previous modular backdoor, ScrambleCross; modularity allows the attacker to "easily update its capabilities, modify its behavior, and tailor functionality for different scenarios," the researchers wrote.

Also notable in the latest Earth Baku attacks are post-exploitation activities that deploy a range of additional tools to maintain persistence, escalate privileges, and enable data discovery and exfiltration.

Protecting Environments From Advanced APTs

As APT41 continues to refine its tools and tactics for greater sophistication and agility, Trend Micro recommends that organizations strengthen their defenses in turn, applying the principle of least privilege to restrict access to sensitive data and closely monitoring user permissions. This makes it harder for attackers to move laterally within a corporate network, the researchers noted.

Defenders must also regularly update systems and applications and enforce strict patch-management policies to close security gaps. They must also build the capability to identify and mitigate threats once a breach has occurred.

Additionally, by implementing the so-called "3-2-1 backup rule" and keeping at least three copies of corporate data in two different formats, with one protected copy stored offsite, organizations can ensure that their data remains intact even in the event of a successful attack, the researchers said.