The China-linked advanced persistent threat (APT) group codenamed APT41 is suspected to be using an "advanced and upgraded version" of a known malware called StealthVector to deliver a previously undocumented backdoor dubbed MoonWalk.
The new variant of StealthVector – which is also called DUSTPAN – has been codenamed DodgeBox by Zscaler ThreatLabz, which discovered the loader strain in April 2024.
"DodgeBox is a loader that proceeds to load a new backdoor named MoonWalk," security researchers Yin Hong Chang and Sudeep Singh said. "MoonWalk shares many evasion techniques implemented in DodgeBox and utilizes Google Drive for command-and-control (C2) communication."
APT41 is the moniker assigned to a prolific state-sponsored threat actor affiliated with China that's known to have been active since at least 2007. It's also tracked by the broader cybersecurity community under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda, and Winnti.
In September 2020, the U.S. Department of Justice (DoJ) announced the indictment of several threat actors associated with the hacking crew for orchestrating intrusion campaigns targeting more than 100 companies across the world.
"The intrusions […] facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information," the DoJ said at the time, adding they also enabled "other criminal schemes, including ransomware and 'crypto-jacking' schemes."
Over the past few years, the threat group has been linked to breaches of U.S. state government networks between May 2021 and February 2022, in addition to attacks targeting Taiwanese media organizations using an open-source red teaming tool known as Google Command and Control (GC2).
The use of StealthVector by APT41 was first documented by Trend Micro in August 2021, which described it as a shellcode loader written in C/C++ that's used to deliver Cobalt Strike Beacon and a shellcode implant named ScrambleCross (aka SideWalk).
DodgeBox is assessed to be an improved version of StealthVector, while also incorporating various techniques like call stack spoofing, DLL side-loading, and DLL hollowing to evade detection. The exact method by which the malware is distributed is currently unknown.
"APT41 employs DLL side-loading as a means of executing DodgeBox," the researchers said. "They utilize a legitimate executable (taskhost.exe), signed by Sandboxie, to sideload a malicious DLL (sbiedll.dll)."
The rogue DLL (i.e., DodgeBox) is a DLL loader written in C that acts as a conduit to decrypt and launch a second-stage payload, the MoonWalk backdoor.
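The side-loading pattern described above (a vendor-signed taskhost.exe loading a planted sbiedll.dll from its own directory) is something a defender can hunt for in image-load telemetry. The script below is an added example written for this page, not code from Zscaler, Sandboxie or the malware; the record schema, file paths, signer strings and trusted-directory list are all assumptions constructed for illustration and loosely modelled on Sysmon Event ID 7 with a process-signer enrichment field. The rule generalizes beyond sbiedll.dll: it flags any signed executable outside an expected install location that loads a same-directory DLL which is unsigned or signed by a different publisher.

```python
"""
Heuristic detection for DLL side-loading of the DodgeBox kind: a signed host
executable loading a DLL from its own directory where the DLL is unsigned or
carries a different signer. Added example; the events below are constructed
samples, not real telemetry, and the field names are an assumed schema.
"""
import ntpath

# Directories where a Sandboxie-signed binary is expected to live (assumption;
# tune to your estate). System32 is listed because Windows' own taskhost.exe
# lives there.
TRUSTED_DIRS = (
    r"c:\program files\sandboxie",
    r"c:\program files\sandboxie-plus",
    r"c:\windows\system32",
)

# DLL names the report ties to this loader; a hit here raises severity.
KNOWN_SIDELOAD_DLLS = {"sbiedll.dll"}

# Constructed sample events (hypothetical paths and signer strings).
SAMPLE_EVENTS = [
    {   # vendor binary loading its own signed DLL from the install directory
        "ProcessImage": r"C:\Program Files\Sandboxie\taskhost.exe",
        "ProcessSigner": "Sandboxie",
        "ModuleImage": r"C:\Program Files\Sandboxie\SbieDll.dll",
        "ModuleSigned": True, "ModuleSigner": "Sandboxie",
    },
    {   # Windows' own taskhost.exe loading a system DLL
        "ProcessImage": r"C:\Windows\System32\taskhost.exe",
        "ProcessSigner": "Microsoft Windows",
        "ModuleImage": r"C:\Windows\System32\kernel32.dll",
        "ModuleSigned": True, "ModuleSigner": "Microsoft Windows",
    },
    {   # the DodgeBox pattern: signed exe dropped to a user-writable path
        # with an unsigned sbiedll.dll beside it
        "ProcessImage": r"C:\Users\Public\Libraries\update\taskhost.exe",
        "ProcessSigner": "Sandboxie",
        "ModuleImage": r"C:\Users\Public\Libraries\update\sbiedll.dll",
        "ModuleSigned": False, "ModuleSigner": "",
    },
    {   # same layout, but the planted DLL carries a different signer
        "ProcessImage": r"C:\ProgramData\svc\taskhost.exe",
        "ProcessSigner": "Sandboxie",
        "ModuleImage": r"C:\ProgramData\svc\helper.dll",
        "ModuleSigned": True, "ModuleSigner": "Some Other Publisher",
    },
]


def _directory(path: str) -> str:
    """Lower-cased parent directory of a Windows path (ntpath works on any OS)."""
    return ntpath.dirname(path).lower().rstrip("\\")


def is_trusted_dir(directory: str) -> bool:
    """True if the directory is, or sits under, one of TRUSTED_DIRS."""
    d = directory.lower().rstrip("\\")
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def classify(event: dict):
    """Return (severity, reason) for a suspicious side-load, else None."""
    exe, dll = event["ProcessImage"], event["ModuleImage"]
    exe_dir, dll_dir = _directory(exe), _directory(dll)
    if exe_dir != dll_dir:
        return None   # only same-directory loads (the search-order abuse) are in scope
    if is_trusted_dir(exe_dir):
        return None   # expected install location for this binary
    if not event.get("ProcessSigner"):
        return None   # unsigned host is a different alert; side-loading abuses signed hosts
    name = ntpath.basename(dll).lower()
    known = name in KNOWN_SIDELOAD_DLLS
    if not event.get("ModuleSigned"):
        return ("high" if known else "medium",
                f"{event['ProcessSigner']}-signed {ntpath.basename(exe)} loaded "
                f"unsigned {name} from {exe_dir}")
    if event.get("ModuleSigner") != event["ProcessSigner"]:
        return ("medium",
                f"signer mismatch: {event['ProcessSigner']} exe loaded {name} "
                f"signed by {event['ModuleSigner']}")
    return None


def scan(events):
    """Run classify() over a batch and return only the findings."""
    findings = []
    for e in events:
        verdict = classify(e)
        if verdict:
            findings.append((e["ProcessImage"], e["ModuleImage"], *verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed batch, only the two user-writable-path events are reported; the vendor install and System32 loads are suppressed by the trusted-directory check. The signer comparison, not just the "unsigned" test, matters in practice: an attacker who can obtain any code-signing certificate defeats a rule that only looks for unsigned DLLs.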
The attribution of DodgeBox to APT41 stems from the similarities between DodgeBox and StealthVector; the use of DLL side-loading, a technique widely used by China-nexus groups to deliver malware such as PlugX; and the fact that DodgeBox samples have been submitted to VirusTotal from Thailand and Taiwan.
"DodgeBox is a newly identified malware loader that employs multiple techniques to evade both static and behavioral detection," the researchers said.
"It offers various capabilities, including decrypting and loading embedded DLLs, conducting environment checks and bindings, and executing cleanup procedures."