Organizations in the gambling and gaming industry have been subjected to an advanced multi-stage cyberattack by Chinese state-sponsored threat operation APT41, also known as Earth Baku, Brass Typhoon, Winnti, and Wicked Panda, since earlier this year, reports The Hacker News.
APT41 may have used spear-phishing emails to gain an initial foothold in the targeted network, after which it carried out a DCSync attack to exfiltrate password hashes, according to a report from Security Joes. The stolen credentials then supported post-exploitation and reconnaissance, including phantom DLL hijacking and the execution of further malware over a socket connection. After weeks of inactivity, the attackers returned with obfuscated JavaScript code that served as a loader for a machine-fingerprinting payload, which ran only on devices whose IP addresses contained the substring '10.20.22'. "This highlights which specific devices are valuable to the attacker, namely those in the subnets 10.20.22[0-9].[0-255]. By correlating this information with network logs and the IP addresses of the devices where the file was found, we concluded that the attacker was using this filtering mechanism to ensure only devices within the VPN subnet were affected," researchers added.
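The DCSync step in this chain works by asking a domain controller for account secrets through the directory replication protocol, the same request a peer domain controller makes, which is why it yields password hashes without ever reading the NTDS.DIT file. The detection below is an added example and is not code from the Security Joes report or The Hacker News article. It assumes the domain controllers audit directory-service access so that each replication request is recorded as Windows Security event 4662, whose Properties field lists the control-access right GUIDs that were exercised; the three replication-right GUIDs are well-known Active Directory schema values, while the event records, host names and account names are constructed for the example. Any principal other than a domain controller's own machine account exercising those rights is the signal.

```python
"""Added detection example: flag DCSync-style replication requests in
Windows Security event 4662 records. Not from the report or article
this page summarizes; log records, hosts and accounts are constructed."""
import re

# Control-access rights a DCSync request exercises (well-known AD schema
# GUIDs). A legitimate DC holds these; a user or service account should not
# be using them.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample: 4662/4624 events flattened to "key=value;" lines, the
# way a SIEM export might render them. Hypothetical domain "corp.example".
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: DC02's machine account pulls changes.
    "EventID=4662;Computer=DC01.corp.example;SubjectUserName=DC02$;SubjectDomainName=CORP;"
    "ObjectType=domainDNS;AccessMask=0x100;"
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Suspicious: a service account exercising both replication rights.
    "EventID=4662;Computer=DC01.corp.example;SubjectUserName=svc_backup;SubjectDomainName=CORP;"
    "ObjectType=domainDNS;AccessMask=0x100;"
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Benign 4662: a user reading an unrelated attribute on a user object.
    "EventID=4662;Computer=DC01.corp.example;SubjectUserName=jdoe;SubjectDomainName=CORP;"
    "ObjectType=user;AccessMask=0x10;Properties=%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}",
    # Different event type entirely; must be ignored.
    "EventID=4624;Computer=DC01.corp.example;SubjectUserName=jdoe;SubjectDomainName=CORP;LogonType=3",
]

# Constructed allow-list: machine accounts of the domain controllers.
DC_ACCOUNTS = {"DC01$", "DC02$"}

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def parse_event(line):
    """Split a 'key=value;key=value' record into a dict.

    Values may contain spaces, braces or '=' (split on the first '=' only);
    they must not contain ';', which this export format does not use in values.
    """
    return dict(part.split("=", 1) for part in line.split(";") if "=" in part)


def replication_rights_used(event):
    """Return the names of replication rights found in the Properties field."""
    guids = GUID_RE.findall(event.get("Properties", ""))
    return [REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(lines, dc_accounts=DC_ACCOUNTS):
    """Flag 4662 events in which a non-DC principal exercised replication rights."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights_used(ev)
        if not rights:
            continue  # 4662 for some other attribute or right
        if ev.get("SubjectUserName") in dc_accounts:
            continue  # expected DC-to-DC replication traffic
        findings.append({
            "account": f"{ev.get('SubjectDomainName')}\\{ev.get('SubjectUserName')}",
            "dc": ev.get("Computer"),
            "rights": rights,
        })
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync-like request by {f['account']} on {f['dc']}: {', '.join(f['rights'])}")
```

The allow-list approach is deliberate: keying on the machine-account suffix `$` alone is weaker, because any computer account granted the replication rights would pass, whereas an explicit set of known domain controllers (maintained from the Domain Controllers OU) keeps the rule tight. In a real deployment the GUID comparison should stay case-insensitive, as above, since different log pipelines render the Properties field in different cases.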