KeyPlug backdoor identified: alarm for Italian industries

In an in-depth investigation, Tinexta Cyber discovered the presence of a backdoor called KeyPlug that infected several Italian companies for months. Attributed to China's APT41 group, known for its complex cyber operations, this threat aims to both gather sensitive information and achieve economic gain. The APT41 group, also known by numerous aliases such as WICKED PANDA and HOODOO, is renowned in the cybersecurity community for its ability to attack across various industrial sectors. Analyzes revealed worrying technical details regarding KeyPlug's resilience against advanced defense systems such as Firewall, NIDS and EDR, demonstrating the sophistication of the attacks carried out by this group.

Technical details of the backdoor on Windows and Linux

The Tinexta Cyber team analyzed KeyPlug variants for both Microsoft Windows and Linux. For Windows, the infection begins with a loader component written in .NET that decrypts an AES-encrypted file. The resulting payload, identified with the SHA256 hash 399bf858d435e26b1487fe5554ff10d85191d81c7ac004d4d9e268c9e042f7bf , shows direct similarity to some malicious structures documented by Mandiant. The Linux variant uses VMProtect, further complicating the analysis. During static analysis, references to UPX were found, but automatic decompression routines were unsuccessful, forcing analysts to decode the payload manually through more complex analysis of the malware's configuration.

Possible connections with the I-Soon leak

Another point of interest that emerged from the investigation is a possible connection between APT41 and the Chinese company I-Soon, involved in a massive data leak from the Chinese Ministry of Public Security. Confidential information, including government plans and employee personal data, was published on GitHub and Twitter, causing great concern. This incident revealed potential new weapons in APT41's repertoire, such as Hector, a possible Remote Administration Tool, or a variant of KeyPlug itself. Hector uses the WSS protocol to communicate, an unusual choice among malware but which strengthens the hypothesis of APT41's involvement, as also suggested by Recorded Future.

Conclusions and implications for industrial safety

In conclusion, the hypothesis of a connection between APT41 and the events concerning ISOON appears plausible, underlining the serious risks of industrial espionage. Luigi Martire, CERT Technical Leader at Tinexta Cyber, says that APT41 stands out for the sophistication of its global cyber espionage operations, with tools such as KeyPlug, which allows sustained intrusion into target systems. Companies operating in strategic sectors are particularly vulnerable to such attacks, with possible serious economic and reputational consequences. Analyzing the ISOON data leak further could provide further clarity on the involvement of the APT41 group, confirming the need to strengthen our cyber defenses to protect critical information.