MoonWalk is a modular backdoor used by APT41 that leverages Google Drive for C2 and employs Windows Fibers to evade AV/EDR. Part 2 of the MoonWalk deep dive details its evasion techniques, C2 communications, and modular architecture that supports updates. #MoonWalk #APT41 #DodgeBox #GoogleDrive #WindowsFibers
Keypoints
- APT41, a China-based threat actor, is using a new backdoor named MoonWalk as part of its toolkit.
- MoonWalk shares evasion techniques with the DodgeBox loader, including DLL hollowing, import resolution, DLL unhooking, and call stack spoofing.
- The malware uses Google Drive as its C2 channel to blend in with legitimate network traffic.
- MoonWalk leverages Windows Fibers to evade AV/EDR solutions and complicate analysis.
- The backdoor is modular, allowing attackers to load embedded plugins (C2 and Utility) and update capabilities for different scenarios.
- MoonWalk decrypts and loads its configuration, which holds OAuth secrets and other data, and can unload the DodgeBox loader to reduce its memory footprint and hinder forensics.
MITRE Techniques
- [T1027] Obfuscated Files or Information – MoonWalk uses AES-CFB to encrypt strings, configurations, and bundled payloads. “MoonWalk uses AES-CFB to encrypt strings, configurations, and bundled payloads.”
- [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – MoonWalk uses salted FNV1a hashes to dynamically resolve APIs. “MoonWalk uses salted FNV1a hashes to dynamically resolve APIs.”
- [T1620] Reflective Code Loading – MoonWalk reflectively loads plugin DLLs, utilizing DLL hollowing. “MoonWalk reflectively loads plugin DLLs, utilizing DLL hollowing.”
- [T1106] Native API – MoonWalk uses Windows Native APIs like NtCreateFile, LdrLoadDll, and NtAllocateVirtualMemory, as opposed to their Win32 counterparts. “MoonWalk uses Windows Native APIs like NtCreateFile, LdrLoadDll, and NtAllocateVirtualMemory.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – MoonWalk uses call stack spoofing when calling the APIs it uses to check for security software, and scans its own address space for modifications such as hooks or debugger breakpoints. “MoonWalk utilizes stack spoofing when calling APIs to monitor for security software.” “scans within its own address space to detect any alterations, such as hooks or debugger breakpoints.”
- [T1102.002] Web Service: Bidirectional Communication – MoonWalk has a C2 plugin that uses an attacker-controlled Google Drive account to implement a C2 channel. “MoonWalk has a C2 plugin that utilizes an attacker-controlled Google Drive account to implement a C2 communication channel.”
- [T1573] Encrypted Channel – MoonWalk uses a custom network protocol to exchange encrypted C2 messages. “MoonWalk leverages a custom network protocol to exchange encrypted C2 messages.”
- [T1592] Gather Victim Host Information – MoonWalk collects hardware/software configuration details. “collects information about the hardware and software configuration of the victim’s host.”
- [T1590] Gather Victim Network Information – MoonWalk collects the IP address of the victim’s host. “collects the IP address of the victim’s host.”
Indicators of Compromise
- [MD5 Hash] MoonWalk backdoor – 5b1e8455291d99a1724327b9a7fc2616, b69984cbf52b418673bd08279ca845d6, and 2 more hashes (MoonWalk backdoor related to DodgeBox loader with MD5: d72f202c1d684c9a19f075290a60920f).
- [OAuth Client ID] Google Drive OAuth Client IDs – XXXXXXXXX5917-dudeis843uv3v1lrm1n12jbq9l9a86lq.apps.googleusercontent.com, XXXXXXXXX3108-0pm3bsjc0mto2e1k4kp2u8817lgk3e3v.apps.googleusercontent.com
- [OAuth Client Secret] Google Drive Client Secrets – XXXXXX8OPdXrMnPIbIvODh4bnYTVtdKJY, XXXXXXBiuo8VPZUH1dBHkv86mC1xFU_Z3
- [Refresh Token] Google Drive Refresh Tokens – XXXXXXEqC4HrQVCgYIARAAGAkSNwF-L9IrS7n6zr6G_vE7_huP5uJuMT6aMtOnu3WgmTMRiEc5QJaQgVX4gbUV7ltUbFXVmd5KOZM, XXXXXXiYDPmH9cCgYIARAAGAkSNwF-L9IrcM7YiuxWrNuyIfKINyNc_pEVytGNNK750ZyyIm32qH6Wh3dGIBTvdPJ2v92xAohHwWw
- [Network Traffic] Heartbeat and command polling over Google Drive – PATCH to https://www.googleapis.com/upload/drive/v3/files/[redacted_id] (parameters: uploadType=media&fields=id,name,size,mimeType,modifiedTime) and GET to https://www.googleapis.com/drive/v3/files (parameter: q=[redacted_id] in parents and trashed = false).
Read more: https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2