SAS 2021: Learning to ChaCha with APT41

2021-10-12T16:00:34
Reporter Securelist
Modified 2021-10-12T16:00:34

Description

Straight from the sunny UK to the stage of SAS-at-Home 2021, John Southworth (PwC) will be giving some insights into the threat actor APT41, also known as Red Kelpie and Winnti. Starting with APT10 (Red Apollo), the presentation will dance you through the malware used by APT41 – the Motnug loader and its descendant, the ChaCha loader – and on to some thoughts on the actor's attribution and its payload, including the infamous Cobalt Strike.

Indicators of compromise, YARA rules, and Python scripts for the Kaspersky TheSAS2021 talk "Learning to ChaCha with APT41": <https://github.com/PwCUK-CTO/TheSAS2021-Red-Kelpie>