Welcome to the VB2021 conference!

Evolution after prosecution: Psychedelic APT41

Aragorn Tseng (TeamT5), Charles Li (TeamT5), Peter Syu (TeamT5) & Tom Lai (TeamT5)
partner message

IoT security begins with your Smart TV

https://chomar.link/smarttv

CHOMAR Smart TV Security.

Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.

partner message

Looking for performance validation for your product?

https://www.virusbulletin.com/testing/

Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification

programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service

offering valuable performance feedback for R&D. Email [email protected].

partner message

Do you like doing work that matters to you… and really frustrates the bad guys?

https://talosintelligence.com/careers

At Talos, our mission is to make the internet a safer place and fight the good fight for our customers

and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,

we’d like to talk.

partner message

QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity

https://ti.qianxin.com/marketing/vb2021/

QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products

and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and

Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.

partner message

VirusTotal: Actionable crowdsourced threat intelligence

https://www.virustotal.com/

Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.

partner message

Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions

https://www.farsightsecurity.com/get-started-guide/

DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated

web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.

partner message

Threat Intelligence and Cyber Resilience

https://vblocalhost.com/programme/#TIPS

Join the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,

and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective

when addressing today's dynamic threat landscape.

partner message

Stay ahead of threats with VirusTotal

https://www.virustotal.com/

Stay ahead of the next generation of threats and get relevant insights to solve

the most critical security challenges.

partner message

F5 helps find malware hiding in plain sight

https://www.f5.com/company/blog/half-the-world-s-malware-is-now-encrypted

Encrypted malware is becoming increasingly common, and daisy-chaining security devices is neither

cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with

F5’s innovative products.

partner message

Calling all Hackers!

https://www.ise.io/careers/#op-470256-hacker-midseniorprincipal

We are hiring mid-senior-principal level hackers!

Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication

partner message

We don’t just talk about sharing. We do it every day.

https://www.cyberthreatalliance.org/about-cta

Learn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.

We are a greater team when we work together; our collective efforts magnifies our success and

ensures that we are and remain cyber resilient.

partner message

Ransomware prevention starts with zero

https://www.zscaler.com/solutions/security-transformation/ransomware-protection

Ransomware attacks are increasing 500% year-over-year.

Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk

at every stage of a ransomware attack.

partner message

Amazon Information Security - come build the future with us!

https://www.amazon.jobs/en-gb/team/infosec

Do you want to work on privacy and security challenges at unprecedented scale?

We have Privacy and Information Security opportunities available now across

the United States, Dublin, Ireland, and Sydney, Australia.

Since APT41 was sued by the FBI last year, the group has not disappeared. Instead, they have used more innovative and less well noticed techniques to evade detection by security products, such as:


  • Avoiding memory detection through dll hollowing technique and one miscellaneous method.

  • Using DPAPI to encrypt the real payload to make forensics more difficult.

  • Abusing the certificate to hide the payload in a signed PE file.

  • Using Cloudflare Worker to hide the real IP address.

  • Using legitimate tools like InstallUtil to execute code and bypass application whitelisting.


In addition to malware that is known to be used by APT41, we also found some newly developed malware. There are two new pieces of listening port malware, RBRAT and a Stone variant. We also found a shellcode-based backdoor, DNHash, and the method it used to call the Windows API was also innovative, making the reversing more difficult.
The group is also more careful in their usage of C2. They use DNS tunnelling extensively as well as Cloudflare Worker to hide their real C2 IP.

We have observed that APT41 targeted telecommunications companies, key medical institutions, governments, and major infrastructures in various countries in 2021.
The prosecution did not deter them, but instead prompted them to evolve their attack techniques, and make it harder for researchers to track and detect.

In this talk we will provide more details about the campaigns of APT41, including its innovative TTPs, newly developed malware, lateral movement techniques, and the strategies they used for C2 after they were sued by the FBI. We will also propose some methods to prevent their latest attack techniques.

Got a question about this presentation? To get in touch with the speakers, contact Aragorn Tseng on Twitter at @Aragorn32328247.
Aragorn Tseng
TeamT5

Aragorn is a malware researcher at TeamT5. He has worked on incident response and tracking APT campaigns in Taiwan's law enforcement agencies for two years. His research fields include malware analysis, incident response, APT campaign tracking and applying deep learning to cybersecurity issues. He has spoken at conferences including Black Hat Asia, CodeBlue, HITCON and JSAC.

Charles Li
TeamT5

Charles is the Chief Analyst at TeamT5. He leads the TeamT5 analyst team in threat intelligence research. He has been studying cyber attacks and campaign tracking for more than 10 years. His research interests include vulnerability research, reverse engineering and APT attacks. He often publishes research and gives training courses at security conferences.

Peter Syu
TeamT5

Peter is a security researcher at TeamT5. Peter's research mainly focuses on incident response and malware analysis. Some of his work has been presented at international security conferences.

Tom Lai
TeamT5

Tom is a security engineer at TeamT5. Tom's research mainly focuses on incident response and malware analysis. Some of his work has been presented at international security conferences.