ThreatMon Revealed APT41’s Stealthy PowerShell Backdoor

APT41, a Chinese cyber espionage group active since 2012, is known for its advanced tactics, techniques, and procedures (TTPs), including the use of custom-built malware and tools. The group is notorious for high-profile attacks such as the 2017 Equifax data breach and stealing intellectual property, personally identifiable information, and financial data. One of APT41’s tools is a stealthy and persistent PowerShell backdoor that bypasses traditional security measures and allows the group to execute commands, download and upload files, and gather sensitive information from compromised systems. Recently, researchers from ThreatMon revealed this PowerShell backdoor.

The APT41’s PowerShell backdoor capitalizes on the scripting language’s built-in functionality in Microsoft Windows. It is often used as a second-stage payload in targeted attacks, and its presence on a system highlights the need for organizations to implement robust security measures to defend against advanced threats.

APT41's backdoor

APT41’s modus operandi involves the use of mutexes to prevent reinfection and “living-off-the-land binaries” (LOLbins) to bypass traditional security measures. The group uses legitimate system tools, such as Forfiles, to carry out malicious activities, including executing malware, stealing data, and taking control of compromised systems.

The backdoor begins by locating its payloads in the Windows Registry, one at a time. It uses the LOLbin “forfiles.exe” and the registry key HKCU\Environment\UserInitMprLogonScript for persistence, allowing the command to execute automatically upon system login. The backdoor stores Telegram communication credentials in the registry and writes the obfuscated PowerShell payload using another LOLbin, “SyncAppPublishingServer.vbs”.

To maintain its presence on a compromised system, the backdoor writes Internet Explorer to the registry, ensuring the browser opens automatically when the system starts. The final payload is a non-traditional PowerShell backdoor capable of infecting removable devices and using Telegram for C2 (command and control) server communication. It sends system information and IP addresses (using ip-api) to the C2 server and continually loops, awaiting further commands.

APT41’s sophisticated PowerShell backdoor highlights the group’s advanced techniques and the need for organizations to implement strong security measures to defend against such threats. By using LOLbins and custom malware, APT41 bypasses traditional security measures, making detection and prevention more challenging. Organizations must be proactive in updating their security practices to stay ahead of these evolving cyber espionage tactics.