US security company FireEye released a research report on the Chinese hacker group APT41, stating that APT41 conducts a wide range of attacks targeting the video game industry. In addition to using publicly available tools, APT41 also has its own unique tooling. According to the report, “APT41 is well-known for leveraging compromised digital certificates from video game studios to sign malware. The group has abused at least 19 different certificates in this way. Additional details on code-signing certificates are provided in the section ‘Use of Code Signing Certificates.’” FireEye also identified two individuals linked to the group, “Zhang Xuguang” and “Wolfzhi”.
In addition to cyber espionage, APT41 was also found to be engaged in financially motivated activity: attacking game companies, manipulating virtual currency, and even attempting to deploy ransomware.
APT41 moves laterally within a gaming company’s network to locate production environments, steals source code and digital certificates, and then uses those certificates to sign malicious programs. With access to the production environment, APT41 also injects malicious code into legitimate files, spreads further within the victim organization, and launches supply chain attacks.
Based on the timing of the group’s activity, FireEye believes that most APT41 members, such as Zhang, are night owls who are active in the early hours of the morning.