APT41 has been observed utilizing call stack spoofing techniques to evade detection by EDR and other security software. Call stack spoofing involves constructing a fake call stack that mimics a legitimate call stack, obscuring the true origin of function calls and hindering analysis. This technique was observed in the Dodgebox malware, which was used by APT41 to trick antivirus and EDR software that rely on stack call analysis for detection. The malware retrieves the address of functions, such as NtCreateFile, and manipulates the call stack to hide the true origin of the function call. This technique highlights the evolving tactics used by sophisticated threat actors and emphasizes the need for advanced detection and mitigation strategies to counter these evasive techniques.
EDRSilencer is a red team tool that has been observed being abused by threat actors to disrupt endpoint detection and response (EDR) solutions. It achieves this by blocking EDR traffic, making it harder for EDR solutions to identify and respond to malicious activity. This tool was discovered by Trend Micro, they also found that EDRSilencer can be used to conceal malicious activity, allowing threat actors to operate more stealthily. This represents a worrying development in the field of cybersecurity, with threat actors increasingly focusing on evading detection by EDR solutions.
APT41 has implemented a new technique called call stack spoofing to evade detection by EDR software. This technique involves constructing a fake call stack that mimics a legitimate one, hiding malicious activity from security software. The fake call stack is created using a combination of specific instructions and data manipulation, allowing APT41 to execute malicious code without triggering alarms.