CISOOnline

China-linked cloud credential heist runs on typos and SMTP

Indicators and detection

Despite the campaign's stealth, the researchers were able to connect the dots with the help of independent research by @Xlab_qax, which attributed the campaign and its lineage to APT41 with high confidence. Indicators shared by the researchers include file indicators and network signatures (domains and ports), along with a list of MITRE ATT&CK techniques to give a broader picture of the years-long campaign. The Breakglass disclosure recommends a behavior-driven detection approach that spans the network, host and cloud layers rather than relying on static indicators alone.

On the network side, defenders should look for unusual outbound SMTP traffic (especially from instances that are not designated mail relays), connections to domains that mimic Alibaba Cloud names (the typosquats the campaign relies on), and periodic UDP broadcasts to 255.255.255.255:6006. On the host, they should watch for obfuscated or unknown ELF binaries and for unexpected processes reaching the instance metadata endpoint, which is where an attacker harvests the instance's role credentials.

Finally, in the cloud, monitoring metadata service queries and anomalous use of role-based credentials can help, the researchers said, particularly where the activity deviates from the instance's normal behavior: for example, credentials issued to an instance being used from an address that is not the instance, or for API actions the instance has never performed.
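The three layers above (network, host, cloud) lend themselves to simple behavioural rules. The following is an added example, not code from the article or from the researchers' own tooling: it runs each rule over constructed log records embedded in the script. The brand domain list, the metadata endpoint addresses, the sample flows, process records and cloud API events, and the names of the rules are all assumptions made for the illustration; the broadcast destination 255.255.255.255:6006 and the indicator types come from the text.

```python
"""Added example (not from the article or the researchers): behaviour-driven
checks for the network, host and cloud indicators, run over constructed data."""
import statistics
from collections import defaultdict

# Assumption: brand domains an attacker would typosquat for Alibaba Cloud traffic.
LEGIT_DOMAINS = {"aliyun.com", "alibabacloud.com", "aliyuncs.com"}
BRAND_LABELS = ("aliyun", "alibabacloud")
# Assumption: link-local metadata address (AWS and others) plus Alibaba Cloud ECS.
METADATA_IPS = {"169.254.169.254", "100.100.100.200"}
SMTP_PORTS = {25, 465, 587}
BROADCAST = ("255.255.255.255", 6006)  # beacon destination named in the article


def levenshtein(a, b):
    """Plain edit distance; enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, max_dist=2):
    """True when the registrable domain is a near-miss of, or embeds, a brand."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    base = ".".join(labels[-2:])
    if base in LEGIT_DOMAINS:
        return False
    if any(levenshtein(base, legit) <= max_dist for legit in LEGIT_DOMAINS):
        return True
    return any(brand in labels[-2] for brand in BRAND_LABELS)


def is_periodic(timestamps, min_hits=3, max_jitter=0.2):
    """Regular cadence: every inter-arrival gap within 20% of the median gap."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = statistics.median(gaps)
    return med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps)


def check_network(flows, mail_relays=frozenset()):
    """Outbound SMTP from non-relays, lookalike SNI names, periodic UDP beacons."""
    alerts, beacons = [], defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in SMTP_PORTS and f["src"] not in mail_relays:
            alerts.append(("outbound_smtp", f["src"], f"{f['dst']}:{f['dport']}"))
        if f.get("sni") and is_lookalike(f["sni"]):
            alerts.append(("alibaba_lookalike", f["src"], f["sni"]))
        if f["proto"] == "udp" and (f["dst"], f["dport"]) == BROADCAST:
            beacons[f["src"]].append(f["ts"])
    for src, ts in beacons.items():
        if is_periodic(ts):
            alerts.append(("udp_broadcast_beacon", src, f"{len(ts)} hits"))
    return alerts


def check_host(procs, known_elf, metadata_allowed=("cloud-init",)):
    """ELF binaries outside the baseline and metadata access by odd processes."""
    alerts = []
    for p in procs:
        if p["sha256"] not in known_elf:
            alerts.append(("unknown_elf", p["exe"], p["sha256"]))
        if p.get("dst") in METADATA_IPS and p["comm"] not in metadata_allowed:
            alerts.append(("metadata_access", p["exe"], p["dst"]))
    return alerts


def check_cloud(events, baseline):
    """Role credentials used off-box or for actions the instance never performed.
    baseline maps role -> {"ips": set, "actions": set} learned from normal activity."""
    alerts = []
    for e in events:
        b = baseline.get(e["role"])
        if b is None or e["src_ip"] not in b["ips"]:
            alerts.append(("role_cred_offbox", e["role"], e["src_ip"]))
        elif e["action"] not in b["actions"]:
            alerts.append(("role_cred_new_action", e["role"], e["action"]))
    return alerts


# Constructed sample records (not real telemetry).
FLOWS = [
    {"ts": 0, "src": "10.0.1.5", "dst": "203.0.113.9", "dport": 587, "proto": "tcp"},
    {"ts": 1, "src": "10.0.1.5", "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "sni": "aliyum.com"},
    {"ts": 2, "src": "10.0.1.5", "dst": "203.0.113.11", "dport": 443, "proto": "tcp", "sni": "ecs.aliyuncs.com"},
    {"ts": 10, "src": "10.0.1.5", "dst": "255.255.255.255", "dport": 6006, "proto": "udp"},
    {"ts": 70, "src": "10.0.1.5", "dst": "255.255.255.255", "dport": 6006, "proto": "udp"},
    {"ts": 131, "src": "10.0.1.5", "dst": "255.255.255.255", "dport": 6006, "proto": "udp"},
]
PROCS = [
    {"exe": "/usr/bin/cloud-init", "comm": "cloud-init", "sha256": "a1", "dst": "100.100.100.200"},
    {"exe": "/tmp/.x/svchost", "comm": "svchost", "sha256": "ff", "dst": "100.100.100.200"},
]
KNOWN_ELF = {"a1"}
BASELINE = {"ecs-web-role": {"ips": {"47.0.0.1"}, "actions": {"oss:GetObject"}}}
CLOUD_EVENTS = [
    {"role": "ecs-web-role", "src_ip": "47.0.0.1", "action": "oss:GetObject"},
    {"role": "ecs-web-role", "src_ip": "198.51.100.77", "action": "ram:ListUsers"},
    {"role": "ecs-web-role", "src_ip": "47.0.0.1", "action": "oss:ListBuckets"},
]


def run_all():
    return {"network": check_network(FLOWS),
            "host": check_host(PROCS, KNOWN_ELF),
            "cloud": check_cloud(CLOUD_EVENTS, BASELINE)}


if __name__ == "__main__":
    for layer, alerts in run_all().items():
        for rule, subject, detail in alerts:
            print(f"{layer:8} {rule:22} {subject} {detail}")
```

The lookalike check deliberately combines two tests, because a pure edit-distance threshold misses "aliyun-console.net" while a pure substring test misses "aliyum.com"; the beacon check keys on cadence rather than count so that a one-off broadcast does not fire. In production the baselines (mail relays, known ELF hashes, per-role source addresses and actions) would be learned from historical telemetry rather than hard-coded.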
