Operations of the Chinese state-sponsored threat group APT41, also known as Barium, Earth Baku, Wicked Spider, and Wicked Panda, have been strengthened with the inclusion of the updated StealthVector malware loader variant dubbed "DodgeBox" in its arsenal to facilitate the deployment of the novel MoonWalk backdoor, reports The Register.
Despite having similarly comprehensive features as StealthVector, which had been commonly used by APT41 in attacks against Southeast Asia, DodgeBox has been significantly enhanced with AES Cypher Feedback-based configuration encryption and call stack spoofing to bypass detection, according to a report from Zscaler ThreatLabz. Additional obfuscation techniques, including environmental checks and salted FNV1a hash utilization for DLL scanning, have also been leveraged by DodgeBox before distributing a DAT file with the MoonWalk payload. "What sets DodgeBox apart from other malware is its unique algorithms and techniques," said researchers, who will also be providing more information regarding the nascent MoonWalk backdoor in a separate report.