APT41 proceeded to pilfer privileged account credentials to elevate privileges and move laterally across the network.
APT41, a Chinese state-backed hacking group, has compromised government IT services infrastructure in Africa in a new cyberespionage campaign.
Analysis from Kaspersky found that the attackers first ran Impacket's Atexec and WmiExec modules on several workstations, then temporarily halted malicious activity. When activity resumed, APT41 stole privileged account credentials to elevate privileges and move laterally across the network before launching Cobalt Strike for command-and-control (C2) communications.
As reported by The Hacker News, APT41 also used Microsoft SharePoint servers for C2 and deployed the information-stealing payloads Pillager, Checkout, RawCopy, and Mimikatz, used respectively for credential theft, credit card data theft, raw registry file copying, and account credential dumping.
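The Impacket step described above leaves recognisable process-creation artifacts that a defender can hunt for. By default, wmiexec.py runs `cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1` as a child of WmiPrvSE.exe, and atexec.py registers a scheduled task that runs `cmd.exe /C <command> > %windir%\Temp\<eight random letters>.tmp 2>&1`, which appears as a child of the Task Scheduler's svchost.exe (taskeng.exe on older Windows). The Python below, an added example that is not part of this article or of Kaspersky's report, applies those patterns to Sysmon Event ID 1 / Security 4688-style process events. The host names, the event layout and the sample command lines are constructed for illustration; an operator who changes the scripts' output-redirect defaults (for example wmiexec's `-silentcommand` or a different share) will not match the high-confidence rules, which is why a lower-confidence "WMI spawned a shell" rule is kept as a fallback.

```python
"""Flag Impacket wmiexec/atexec execution artifacts in process-creation events.

Added example: the patterns are the well-known defaults of Impacket's
wmiexec.py and atexec.py; the events below are constructed, not real logs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Minimal Sysmon EID 1 / Security 4688 style record (assumed layout)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# wmiexec.py default: "1> \\127.0.0.1\<share>$\__<time.time()> 2>&1"
WMIEXEC_OUTPUT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\[A-Za-z]+\$\\__\d+(?:\.\d+)?\s+2>&1", re.IGNORECASE)

# atexec.py default: "> %windir%\Temp\<8 ascii letters>.tmp 2>&1"
# (Task Scheduler may log %windir% expanded, so accept both forms)
ATEXEC_OUTPUT = re.compile(
    r">\s*(?:%windir%|[A-Za-z]:\\Windows)\\Temp\\[A-Za-z]{8}\.tmp\s+2>&1",
    re.IGNORECASE)


def classify(event: ProcessEvent) -> Optional[str]:
    """Return the highest-confidence matching rule name, or None."""
    parent = event.parent_image.lower()
    image = event.image.lower()
    cmd = event.command_line

    # High confidence: WMI provider host spawning cmd with the wmiexec redirect.
    if parent.endswith("\\wmiprvse.exe") and WMIEXEC_OUTPUT.search(cmd):
        return "impacket_wmiexec"

    # High confidence: scheduled-task host spawning cmd with the atexec redirect.
    if (parent.endswith(("\\svchost.exe", "\\taskeng.exe"))
            and ATEXEC_OUTPUT.search(cmd)):
        return "impacket_atexec"

    # Medium confidence: any shell under WmiPrvSE.exe (catches changed defaults,
    # but also legitimate WMI-driven administration; triage before acting).
    if parent.endswith("\\wmiprvse.exe") and image.endswith(
            ("\\cmd.exe", "\\powershell.exe")):
        return "wmi_spawned_shell"

    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (host, rule) for every event that matches a rule."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((event.host, rule))
    return hits


# Constructed sample events (hosts and commands are assumptions, not real data).
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1721234567.89 2>&1"),
    ProcessEvent("ws-02", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /C net group "domain admins" /domain > C:\Windows\Temp\kqZxRtPa.tmp 2>&1'),
    ProcessEvent("ws-03", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir C:\Users"),          # benign interactive shell
    ProcessEvent("ws-04", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c ipconfig /all"),          # WMI shell without the redirect
]


if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The two high-confidence rules key on the output-redirect strings because those are the least likely part of the command line to vary between intrusions, while the parent process anchors each to its execution channel (WMI versus the scheduler). Corroborate a hit with the matching network logon (Event ID 4624, logon type 3) from the same source host, and treat the medium-confidence rule as a hunting lead rather than an alert on its own.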
Written by Dan Raywood, a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.