Tinexta Cyber’s Zlab Malware Team has recently uncovered a backdoor known as KeyPlug that has been used in attacks against multiple Italian industries. This backdoor has been attributed to the APT41 group, which has origins in China and is known for its complex cyber campaigns targeting various sectors for purposes ranging from data exfiltration to financial gain.
The KeyPlug malware is designed to target both Windows and Linux operating systems, using different communication protocols depending on the configuration of the malware sample. While analyzing both the Windows and Linux variants, Tinexta Cyber’s team found common elements that allow the threat to remain resilient within compromised systems despite defenses such as perimeter firewalls, NIDS, and EDR on every endpoint.
The Windows version of the malware operates as an implant for Microsoft operating systems, with the infection chain starting from a loader written for the .NET framework. The Linux version is slightly more complex: it is protected with VMProtect and encodes the payload code during execution, which makes malware analysis more challenging.
A potential link has emerged between the APT41 group and the Chinese company I-Soon, following a data leak incident involving China’s Ministry of Public Security. The leak revealed a significant amount of sensitive data being spread on GitHub and Twitter, leading to speculation about the connection to APT41 and its arsenal of tools including the RAT known as Hector.
Luigi Martire, Technical Leader at Tinexta Cyber, highlighted the risks associated with industrial espionage conducted by groups like APT41, emphasizing the significant economic losses, reputational damage, and compromised national security that can result from such cyber attacks. The detailed technical information and indicators of compromise related to these attacks are included in the report published by Tinexta Cyber.