APT41 Using New Speculoos Backdoor to Target Organizations Globally

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,456
On March 25, 2020, FireEye published a research blog regarding a global attack campaign operated by an espionage motivated adversary group known as APT41. This attack campaign was thought to have operated between January 20 and March 11, specifically targeting Citrix, Cisco, and Zoho network appliances via exploitation of recently disclosed vulnerabilities. Based on WildFire and AutoFocus data available to Unit 42, we were able to obtain samples of the payload targeting Citrix appliances, which were executables compiled to run on FreeBSD. We also used this data to identify multiple victims in industries such as healthcare, higher education, manufacturing, government and technology services in multiple regions around the world, such as North America, South America, and Europe.

This blog will be specific to the FreeBSD-based payload that we have named Speculoos. We identified a total of five samples from our dataset, all of which were approximately the same file size, but contain minute differences amongst the sample set. The subtle differences indicate that they likely originated from the same developer and were either recompiled or patched.
JN5Cn9DF_o.png

IOCs
Code:
Analyzed Speculoos SHA256

99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28

6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167

Additional Speculoos SHA256

493574e9b1cc618b1a967ba9dabec474bb239777a3d81c11e49e7bb9c71c0c4e

85297097f6dbe8a52974a43016425d4adaa61f3bdb5fcdd186bfda2255d56b3d

c2a88cc3418b488d212b36172b089b0d329fa6e4a094583b757fdd3c5398efe1

Network Indicators

119.28.139[.]20

alibaba.zzux[.]com

119.28.139[.]120

66.42.98[.]220

exchange.longmusic[.]com
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top