APT41, a sophisticated threat actor, has been observed maintaining a persistent presence on gambling company networks for nine months. This group utilizes custom tools and techniques, including phantom DLL hijacking and WMIC JavaScript loading, to achieve their objectives. These tactics have been particularly effective in evading detection and establishing long-term access. The group’s continued focus on the gambling industry underscores the sector’s vulnerability to advanced cyber threats, demanding enhanced security measures and vigilance to counter these sophisticated attacks.
Grandoreiro, a Brazilian banking trojan, has evolved since 2016 to become a global threat, targeting 1,700 banks and 276 crypto wallets in 45 countries. Despite arrests of some operators, the group remains active, with new versions featuring updated code and lighter versions focused on Mexico. The trojan’s infection chain typically starts with phishing emails containing malicious ZIP archives that download the Grandoreiro payload.
APT41, a sophisticated threat actor, has been observed targeting the gambling industry with custom tools and achieving prolonged persistence, spanning nine months. Their tactics involve phantom DLL hijacking and WMIC JavaScript loading, allowing for stealthy operations and extended presence within victim networks. This activity highlights the growing interest of advanced threat actors in the gambling sector, demanding enhanced security measures to counter such persistent threats.
APT41 has been observed utilizing call stack spoofing techniques to evade detection by EDR and other security software. Call stack spoofing involves constructing a fake call stack that mimics a legitimate call stack, obscuring the true origin of function calls and hindering analysis. This technique was observed in the Dodgebox malware, which was used by APT41 to trick antivirus and EDR software that rely on stack call analysis for detection. The malware retrieves the address of functions, such as NtCreateFile, and manipulates the call stack to hide the true origin of the function call. This technique highlights the evolving tactics used by sophisticated threat actors and emphasizes the need for advanced detection and mitigation strategies to counter these evasive techniques.
APT41 has implemented a new technique called call stack spoofing to evade detection by EDR software. This technique involves constructing a fake call stack that mimics a legitimate one, hiding malicious activity from security software. The fake call stack is created using a combination of specific instructions and data manipulation, allowing APT41 to execute malicious code without triggering alarms.