Double Dragon
APT41, a dual espionage and cyber crime operation
SPECIAL REPORT | DOUBLE DRAGON: APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION
2
Table of Contents

Overview .......... 4
Targeting .......... 6
Operations Over Time .......... 8
Cyber Espionage Activity .......... 10
Case Study: Healthcare Sector Targeting .......... 12
Financially Motivated Activity .......... 14
Case Study: Video Game Industry Targeting .......... 17
Third-Party Access .......... 20
History of Supply Chain Compromises .......... 21
December 2014 .......... 22
March 2017 .......... 23
July 2017 .......... 24
June 2018 .......... 25
July 2018 .......... 26
Overlaps Between Espionage and Financial Operations .......... 27
Attribution .......... 30
Status as Potential Contractors .......... 33
Links to Other Known Chinese Espionage Operators .......... 34
Certificate Overlap .......... 35
Launcher Overlap .......... 36
Code Family Overlap .......... 36
Use of Code-Signing Certificates .......... 39
Outlook and Implications .......... 41
Technical Annex: Attack Lifecycle .......... 42
Initial Compromise .......... 43
Establish Foothold .......... 44
Escalate Privileges .......... 45
Internal Reconnaissance .......... 45
Lateral Movement .......... 46
Maintain Presence .......... 47
Complete Mission .......... 48
Technical Annex: MITRE ATT&CK Mapping .......... 49
Technical Annex: Code-Signing Certificates Used by APT41 .......... 51
Technical Annex: Additional Malware Overlaps .......... 52
Background .......... 52
HIGHNOON .......... 52
HIGHNOON.BIN and HIGHNOON.LITE .......... 52
HIGHNOON.LINUX and HIGHNOON .......... 54
CROSSWALK and CROSSWALK.BIN .......... 54
Technical Annex: Malware Used by APT41 .......... 60
Technical Annex: APT41 IOCs .......... 63