APT41 Cybercriminals Use Atexec and WmiExec Windows Tools to Spread Malware

A recent investigation by Kaspersky MDR has uncovered a sophisticated cyberespionage attack targeting government IT services in Africa, orchestrated by the notorious Chinese-speaking threat group APT41.

Previously known for campaigns across telecom, energy, healthcare, and IT sectors in at least 42 countries, APT41’s expansion into Africa marks a significant escalation, given the continent’s historically low exposure to this group.

Malware Propagation via Impacket Modules

The investigation began when suspicious activity was detected across several workstations, showing the telltale traces of the Impacket toolkit’s WmiExec and Atexec modules.

[Figure: WmiExec process tree]

The attackers used a process chain (svchost.exe to exe to cmd.exe) to execute commands, with the output written to numerically named files on administrative shares.

These utilities were used to check connectivity to the command-and-control (C2) server, both directly over the internet and through an internal organizational proxy.

The initial access point was an unmonitored and compromised host, which allowed the attackers to execute Impacket in the context of privileged service accounts.

After the attackers’ initial wave, there was a brief operational lull before lateral movement and privilege escalation resumed.

[Figure: Lateral movement via privileged accounts]

APT41 operators probed targeted hosts for running processes, open ports, and installed security products.

They quickly escalated privileges, using reg.exe to export the SYSTEM and SAM registry hives and obtaining credentials that were later used to move laterally with domain administrator accounts.

The malware distributed by APT41, including variants of Cobalt Strike and custom C# agents, was dropped in directories such as C:\WINDOWS\TASKS, C:\ProgramData, and user Downloads folders, with execution triggered over WMI.
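As an added illustration (not code from the Kaspersky report or from this article), the following Python sketches detection logic for two of the artifacts described above: shell output redirected into numerically named files on an administrative share, and reg.exe exporting the SAM or SYSTEM hive. It runs over constructed sample process-creation events; the key=value event shape, the file names and the paths are assumptions.

```python
import re

# Constructed sample events in a simplified key=value shape modelled on the
# fields of a process-creation event (parent image, image, command line).
# Illustrative lines only, not telemetry from the incident described above.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /Q /c tasklist 1> \\\\127.0.0.1\\ADMIN$\\__1721900000.12 2>&1",
    "ParentImage=C:\\Windows\\System32\\services.exe "
    "Image=C:\\Windows\\System32\\svchost.exe CommandLine=svchost.exe -k netsvcs",
    "ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\reg.exe "
    "CommandLine=reg.exe save HKLM\\SAM C:\\ProgramData\\sam.hiv",
    "ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\reg.exe "
    "CommandLine=reg.exe query HKCU\\Software\\Policies",
]

EVENT_RE = re.compile(r"ParentImage=(?P<parent>\S+) Image=(?P<image>\S+) CommandLine=(?P<cmd>.*)")
# Shell output redirected into a numerically named file on an administrative
# share: the artifact the article attributes to Impacket's WmiExec/Atexec modules.
ADMIN_SHARE_REDIRECT = re.compile(r">\s*\\\\[^\\\s]+\\(?:ADMIN|C)\$\\\S*\d", re.I)
# reg.exe exporting the SAM or SYSTEM hive (credential material), as described above.
HIVE_EXPORT = re.compile(r"\b(?:save|export)\b.*\bHKLM\\(?:SAM|SYSTEM)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(event_line: str) -> list[str]:
    """Return the names of the rules that match one event line (empty if benign)."""
    m = EVENT_RE.search(event_line)
    if not m:
        return []
    parent, image, cmd = basename(m["parent"]), basename(m["image"]), m["cmd"]
    hits = []
    if image == "cmd.exe" and ADMIN_SHARE_REDIRECT.search(cmd):
        hits.append("admin_share_output_redirect")
    if image == "cmd.exe" and parent == "wmiprvse.exe":
        # The WMI provider host is the parent of processes started through WMI.
        hits.append("wmi_spawned_shell")
    if image == "reg.exe" and HIVE_EXPORT.search(cmd):
        hits.append("registry_hive_export")
    return hits


def analyze(lines: list[str]) -> dict[int, list[str]]:
    """Map the index of each suspicious event to the rules it triggered."""
    return {i: hits for i, line in enumerate(lines) if (hits := detect(line))}


if __name__ == "__main__":
    for idx, rules in analyze(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```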

Advanced C2 Infrastructure

For persistent C2 communication, APT41 extensively used Cobalt Strike beacons in encrypted containers, decrypted and executed via DLL sideloading methods.

They abused legitimate applications such as cookie_exporter.exe (renamed and paired with malicious msedge.dll files) to load the payloads, and embedded language checks to evade analysis environments localized for China, Japan, or Korea.

Cobalt Strike persistence was ensured via malicious Windows services like “server power” configured to auto-launch via Command Prompt.

A critical part of the infrastructure was a compromised SharePoint server used as an internal C2 hub, hosting web shells (CommandHandler.aspx, upload.ashx) and serving commands to the malicious C# agents (agents.exe, agentx.exe).

According to the report, the agents received and executed commands, siphoned off sensitive files and credential data, and then uploaded archives back to SharePoint over SMB.

Notably, implementation errors in agent-server communications sometimes caused error messages to execute as commands, exposing operator slip-ups.

APT41 deployed well-known stealers like modified Pillager and Checkout, both rewritten as DLLs for stealthy sideloading. Pillager scraped credentials, source code, system info, and browser data, while Checkout specialized in extracting browser history and credit card information.

RawCopy, a low-level disk reading tool, provided further access to registry hives. Mimikatz, another heavily obfuscated DLL, was side-loaded by java.exe for additional credential harvesting.

Retrospective analysis found remnants like Cobalt Strike in ProgramData folders and Neo-reGeorg web shell tunnels in IIS temp directories, allowing attackers to mask traffic and tool origins.

Attribution to APT41 was firm due to unique TTP overlaps, including the use of Cobalt Strike, Impacket, aggressive DLL sideloading, and characteristic C2 domains like s3-azure.com.

This incident highlights the critical importance of comprehensive endpoint monitoring, restricting administrative privileges, and minimizing credential overuse across an infrastructure.

APT41’s rapid adaptation to victim environments, abuse of legitimate tools for malware propagation, and clever internal C2 communication showcase the necessity for robust, organization-wide security coverage.

Indicators of Compromise (IOCs)

Tools used: Impacket (WmiExec, Atexec), Cobalt Strike, Pillager, Checkout, Mimikatz, RawCopy


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
