
KeyPlug backdoor identified: alarm for Italian industries

Tinexta Cyber reveals the technical details of the dangerous KeyPlug backdoor and its implications for the security of Italian businesses

Tinexta Cyber discovered the KeyPlug backdoor, attributed to China's APT41 group, which infected Italian companies. KeyPlug affects both Windows and Linux. A connection with the I-Soon data leak is suspected. It is crucial to strengthen industrial security against these threats.


In an in-depth investigation, Tinexta Cyber discovered the presence of a backdoor called KeyPlug that had infected several Italian companies for months. Attributed to China's APT41 group, known for its complex cyber operations, this threat aims both to gather sensitive information and to achieve economic gain. APT41, also known by numerous aliases such as WICKED PANDA and HOODOO, is renowned in the cybersecurity community for its ability to attack across various industrial sectors. Analysis revealed worrying technical details regarding KeyPlug's resilience against advanced defensive systems such as firewalls, NIDS and EDR, demonstrating the sophistication of the attacks carried out by this group.

Technical details of the backdoor on Windows and Linux

The Tinexta Cyber team analyzed KeyPlug variants for both Microsoft Windows and Linux. On Windows, the infection begins with a loader component written in .NET that decrypts an AES-encrypted file. The resulting payload, identified by the SHA256 hash 399bf858d435e26b1487fe5554ff10d85191d81c7ac004d4d9e268c9e042f7bf, shows direct similarity to some malicious structures documented by Mandiant. The Linux variant is protected with VMProtect, further complicating the analysis. During static analysis, references to UPX were found, but automatic decompression routines were unsuccessful, forcing analysts to decode the payload manually through a more complex analysis of the malware's configuration.

Possible connections with the I-Soon leak

Another point of interest that emerged from the investigation is a possible connection between APT41 and the Chinese company I-Soon, involved in a massive data leak from the Chinese Ministry of Public Security. Confidential information, including government plans and employee personal data, was published on GitHub and Twitter, causing great concern. This incident revealed potential new weapons in APT41's repertoire, such as Hector, possibly a Remote Administration Tool or a variant of KeyPlug itself. Hector communicates over the WSS protocol, an unusual choice among malware; this choice strengthens the hypothesis of APT41's involvement, as also suggested by Recorded Future.

Conclusions and implications for industrial safety

In conclusion, the hypothesis of a connection between APT41 and the events concerning I-Soon appears plausible, underscoring the serious risks of industrial espionage. Luigi Martire, CERT Technical Leader at Tinexta Cyber, says that APT41 stands out for the sophistication of its global cyber espionage operations, with tools such as KeyPlug, which allows sustained intrusion into target systems. Companies operating in strategic sectors are particularly vulnerable to such attacks, with possible serious economic and reputational consequences. Analyzing the I-Soon data leak further could provide more clarity on the involvement of the APT41 group, confirming the need to strengthen our cyber defenses to protect critical information.


06/03/2024 16:29

Marco Verro
