The Dark Knight Returns: Joker malware analysis

Oct. 3, 2024, 3:21 p.m.

Description

The report details sophisticated command and control (C2) techniques employed by the APT41 threat group. APT41 uses custom malware and legitimate tools to maintain persistent access to compromised networks while evading detection. Key techniques include DNS tunneling, domain fronting, and steganography to hide C2 traffic. The group also leverages cloud services and social media platforms as C2 channels. APT41 continually evolves its tactics to bypass security controls, making attribution and detection challenging. The report provides technical details on APT41's C2 infrastructure and recommendations for defending against its techniques.

Date

  • Created: Oct. 3, 2024, 2:43 p.m.
  • Published: Oct. 3, 2024, 2:43 p.m.
  • Modified: Oct. 3, 2024, 3:21 p.m.

Indicators

  • 77c33a576601f466d7d8cc261e8ca4a2fdc490175b4cc82eec40a640a57b29d3
  • https://epayment.teleaudio.pl/api2/typeundef_
  • https://epayment.teleaudio.pl/api2/ta/direct/status/
  • https://epayment.teleaudio.pl/api2/ta/direct/confirm
  • http://kamisatu.top/setting/scenery
  • window.jbridge.call
  • epayment.teleaudio.pl
  • kamisatu.top

Attack Patterns