The cyber espionage group known as APT41, attributed to the Chinese state, has launched a new campaign specifically targeting government IT services in Africa. According to researchers at Kaspersky, the group used hardcoded internal service names, and its malware was embedded with proxy server and IP addresses to sustain its malicious activity.
APT41 is considered a prolific hacking group, with activity spanning various sectors in over three dozen countries, notably telecommunications, energy, educational institutions, and healthcare organizations. Although Africa has historically seen relatively little activity from the group, Kaspersky notes that earlier observations by other cybersecurity firms suggest a shift in focus toward the continent, particularly since late 2022.
Kaspersky initiated an investigation after detecting suspicious activity on workstations belonging to an undisclosed organization. The attackers executed commands designed to verify the reachability of their command-and-control (C2) server from within the compromised infrastructure. Notably, a compromised SharePoint server was involved, serving as the channel through which the attackers communicated with the malware they had deployed.
This campaign not only highlights the sophisticated tactics employed by APT41 but also raises concerns about the blending of traditional malware deployment with newer methods, such as abusing trusted services like SharePoint as covert communication channels. As the threat landscape evolves, the tools and techniques used by these threat actors continue to adapt, requiring a proactive approach from cybersecurity teams worldwide.