
KeyPlug backdoor identified: alarm for Italian industries

Tinexta Cyber reveals the technical details of the dangerous KeyPlug backdoor and its implications for the security of Italian businesses

Tinexta Cyber discovered the KeyPlug backdoor, attributed to China's APT41 group, which infected Italian companies. KeyPlug affects both Windows and Linux. A connection with the I-Soon data leak is suspected. It is crucial to strengthen industrial security against these threats.

This pill is also available in Italian.

In an in-depth investigation, Tinexta Cyber discovered the presence of a backdoor called KeyPlug that had infected several Italian companies for months. Attributed to China's APT41 group, known for its complex cyber operations, this threat aims both to gather sensitive information and to achieve economic gain. The APT41 group, also known by numerous aliases such as WICKED PANDA and HOODOO, is renowned in the cybersecurity community for its ability to attack across various industrial sectors. Analyses revealed worrying technical details regarding KeyPlug's resilience against advanced defense systems such as firewalls, NIDS and EDR, demonstrating the sophistication of the attacks carried out by this group.

Technical details of the backdoor on Windows and Linux

The Tinexta Cyber team analyzed KeyPlug variants for both Microsoft Windows and Linux. On Windows, the infection begins with a loader component written in .NET that decrypts an AES-encrypted file. The resulting payload, identified by the SHA256 hash 399bf858d435e26b1487fe5554ff10d85191d81c7ac004d4d9e268c9e042f7bf, shows direct similarity to some malicious structures documented by Mandiant. The Linux variant uses VMProtect, which further complicates analysis. During static analysis, references to UPX were found, but automatic decompression routines were unsuccessful, forcing analysts to decode the payload manually through a more complex analysis of the malware's configuration.
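A small defender-side triage helper, added here as an illustration and not part of Tinexta Cyber's analysis: it checks a sample against the SHA256 indicator published above and looks for the byte markers UPX leaves in binaries it has packed (the "UPX!" magic of its header block and the UPX0/UPX1 section names). The sample bytes are constructed, and the marker heuristic is generic, not a technique the page describes.

```python
import hashlib

# Indicator taken from the page: SHA256 of the decrypted Windows KeyPlug payload.
KEYPLUG_PAYLOAD_SHA256 = "399bf858d435e26b1487fe5554ff10d85191d81c7ac004d4d9e268c9e042f7bf"

# Byte patterns UPX leaves in binaries it has packed: the "UPX!" magic of its
# header block, and the UPX0/UPX1 section names it writes into PE files.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a file's bytes, the same form the page reports."""
    return hashlib.sha256(data).hexdigest()


def matches_known_payload(data: bytes, indicators=(KEYPLUG_PAYLOAD_SHA256,)) -> bool:
    """True if the sample's hash is one of the known indicators (case-insensitive)."""
    digest = sha256_hex(data)
    return any(digest == ioc.lower() for ioc in indicators)


def upx_markers_present(data: bytes) -> list:
    """Names of the UPX markers found anywhere in the sample, in a fixed order."""
    return [m.decode("ascii") for m in UPX_MARKERS if m in data]


def triage(data: bytes) -> dict:
    """Combine both checks into one verdict for a sample."""
    markers = upx_markers_present(data)
    return {
        "sha256": sha256_hex(data),
        "known_keyplug_payload": matches_known_payload(data),
        "upx_markers": markers,
        # Markers alone do not prove a standard UPX file: the page notes the
        # Linux KeyPlug sample referenced UPX yet resisted automatic
        # decompression, so a hit here means "look closer", not "run upx -d".
        "looks_upx_packed": bool(markers),
    }


# Constructed samples (not real malware): a fake ELF header with and without UPX markers.
CONSTRUCTED_SAMPLE = (
    b"\x7fELF" + b"\x00" * 60 + b"UPX!" + b"\x00" * 16 + b"UPX0" + b"\x00" * 16 + b"UPX1"
)
CLEAN_SAMPLE = b"\x7fELF" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("constructed", CONSTRUCTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, triage(blob))
```

In practice the indicator list would be loaded from a feed rather than hard-coded, and a UPX-marker hit on a sample that `upx -d` refuses to unpack is itself a signal worth escalating, since it matches the behaviour the analysts describe.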

Possible connections with the I-Soon leak

Another point of interest that emerged from the investigation is a possible connection between APT41 and the Chinese company I-Soon, involved in a massive data leak from the Chinese Ministry of Public Security. Confidential information, including government plans and employee personal data, was published on GitHub and Twitter, causing great concern. This incident revealed potential new weapons in APT41's repertoire, such as Hector, a possible Remote Administration Tool, or a variant of KeyPlug itself. Hector communicates over the WSS protocol, an unusual choice among malware, which strengthens the hypothesis of APT41's involvement, as also suggested by Recorded Future.

Conclusions and implications for industrial security

In conclusion, the hypothesis of a connection between APT41 and the events concerning I-Soon appears plausible, underlining the serious risks of industrial espionage. Luigi Martire, CERT Technical Leader at Tinexta Cyber, says that APT41 stands out for the sophistication of its global cyber espionage operations, with tools such as KeyPlug that allow sustained intrusion into target systems. Companies operating in strategic sectors are particularly vulnerable to such attacks, with potentially serious economic and reputational consequences. Further analysis of the I-Soon data leak could provide more clarity on the involvement of the APT41 group, confirming the need to strengthen our cyber defenses to protect critical information.


06/03/2024 16:29

Marco Verro
