Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk
2024-07-11 12:31

The China-linked advanced persistent threat group codenamed APT41 is suspected to be using an "Advanced and upgraded version" of a known malware called StealthVector to deliver a previously undocumented backdoor dubbed MoonWalk.

The new variant of StealthVector - which is also referred to as DUSTPAN - has been codenamed DodgeBox by Zscaler ThreatLabz, which discovered the loader strain in April 2024.

DodgeBox is assessed to be an improved version of StealthVector, while also incorporating various techniques like call stack spoofing, DLL side-loading, and DLL hollowing to evade detection.

DodgeBox itself is a DLL loader written in C; its job is to decrypt and launch a second-stage payload, the MoonWalk backdoor.

The attribution of DodgeBox to APT41 stems from the similarities between DodgeBox and StealthVector; the use of DLL side-loading, a technique widely used by China-nexus groups to deliver malware such as PlugX; and the fact that DodgeBox samples have been submitted to VirusTotal from Thailand and Taiwan.

"DodgeBox is a newly identified malware loader that employs multiple techniques to evade both static and behavioral detection," the researchers said.


News URL

https://thehackernews.com/2024/07/chinese-apt41-upgrades-malware-arsenal.html