Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

APT41 Cyberespionage Campaign Hits Indo-Pacific

Trend Micro: Firms Targeted in India, Indonesia, Malaysia, the Philippines, Taiwan, Vietnam
APT41 Cyberespionage Campaign Hits Indo-Pacific
Countries affected by new campaign (Source: Trend Micro)

Researchers at cybersecurity company Trend Micro have uncovered a new cyberespionage campaign in the Indo-Pacific region by Chinese advanced persistent threat group APT41, also known as Earth Baku.

See Also: Splunk Named a 10-Time Leader in Gartner® Magic Quadrant™ for SIEM

Among the targets are companies in the airlines, computer hardware, automotive, infrastructure, publishing, media and IT industries in India, Indonesia, Malaysia, the Philippines, Taiwan and Vietnam, Trend Micro says.

The APT group is using different attack vectors depending on the infrastructure of its targeted victim's environment, the researchers say. Those vectors include SQL injection to upload a malicious file, installing malware through InstallUtil.exe in a scheduled task, sending a malicious link file in an email attachment and exploiting the ProxyLogon vulnerability, CVE-2021-26855, to upload a China Chopper web shell, the researchers say.

The campaign uses previously unidentified shellcode loaders, dubbed StealthVector and StealthMutant, as well as a backdoor named ScrambleCross, Trend Micro reports.


First observed in October 2020, the StealthVector shellcode loader, written in C/C++, is designed with configurable features that allow malicious actors to tailor it to their needs, the researchers say.

It also offers a feature that disables Event Tracing for Windows, a kernel-level tracing facility, allowing the malware to run in stealth mode, they say. The loader can stealthily run its payload in various ways, such as using the CreateThread function, bypassing Microsoft’s Control Flow Guard or using module stomping or phantom dynamic link library hollowing.


The StealthMutant loader, which supports both 32-bit and 64-bit operating systems, can also disable Event Tracing for Windows. This loader, written in C#, has been used by malicious actors since July 2020, the researchers say.

"Many of the StealthMutant samples we have analyzed use AES-256-ECB for decryption; alternatively, an earlier variant of the loader uses XOR. After its payload is decrypted, StealthMutant performs process hollowing to execute its payload in a remote process," according to the Trend Micro researchers.


Both StealthMutant and StealthVector contain a payload of either the Cobalt Strike beacon or ScrambleCross, a newly discovered backdoor, the researchers report.

ScrambleCross receives instructions from its command-and-control server that allow it to receive and manipulate plug-ins.

"However, we have yet to retrieve and study one of these plug-ins. It has many of the same capabilities as another backdoor, Crosswalk, which has also been used by Earth Baku," Trend Micro says.

"Both calculate the hash of the code section as an anti-bugging technique, both are designed as fully position-independent code, and both support various kinds of network communication protocols."

Ties to Earlier Campaign

This new campaign is tied to one of Earth Baku’s earlier cyberespionage campaigns, which the group is perpetrating under the alias APT41, the researchers say.

"This older campaign has been ongoing since November 2018 and uses a different shellcode loader, which we have named LavagokLdr, but these two campaigns are alike in many ways," they say.

Self-developing Toolset

The analysis of StealthMutant, StealthVector, and ScrambleCross demonstrates that Earth Baku/APT41 has improved its malware tools since its last campaign, the researchers say.

The APT group, the researchers note, is known for its use of self-developed tools.

"It appears to be filling its ranks with malicious actors who are pooling their diverse skills," according to the Trend Micro report. "The new malware tools involved in Earth Baku’s new campaign indicates that the APT group has likely recruited members who specialize in low-level programming, software development and red-team techniques."

The threat group, researchers say, has designed the sophisticated new tools to be easily modified and to avoid detection more efficiently when infiltrating a targeted network.

Benjamin Read, director of analysis at Mandiant Threat Intelligence, FireEye, notes that although the group has added new features and tactics, the fundamentals remain unchanged. "The intrusion vectors highlighted by Trend Micro are similar to what one would have seen five years ago, but they continue to be used because they work,” he says.

Mitigation and Prevention

To avoid falling victim to this group, Trend Micro advises companies to follow the principle of "least privilege" by limiting access to sensitive data and monitoring user permissions; enforce strict patch management policies and practice virtual patching to secure any legacy systems for which patches are not yet available; and enforce the 3-2-1 rule of storing at least three copies of corporate data in two different formats, with one air-gapped copy located off-site.

Brian Honan, a Dublin-based cybersecurity expert, says organizations must keep their focus on the techniques this APT group - and many others - use, including the injection of an SQL script into the system’s Microsoft SQL Server to upload a malicious file and the exploitation of the Microsoft Exchange Server ProxyLogon.

About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.