SOC files: an APT41 attack on government IT services in Africa

The Chinese cyberespionage group APT41 conducted a targeted attack against government IT services in Africa. The attackers used tools including Impacket, Cobalt Strike, and custom malware for lateral movement, privilege escalation, and data exfiltration. They relied on DLL sideloading and used a compromised SharePoint server as their command-and-control (C2) infrastructure. The attack involved credential harvesting, web shells, and custom stealers to collect sensitive data. Notable TTPs included malware with hardcoded internal service names and proxy servers, and the use of a captive SharePoint server for C2 communication. The incident highlights the importance of comprehensive infrastructure monitoring and proper access controls.

Author: AlienVault

Related Tags: Checkout, Pillager, Credential Harvesting, Cobalt Strike – S0154, South Africa, Central African Republic, targeted attack, data exfiltration, DLL Sideloading

Associated Indicators: