The objective of this comprehensive study is to emphasize the growing significance of online security especially considering the rising threat of cyber-attacks. As more businesses shift their operations online, it’s paramount to know how to fix a hacked WordPress website and understand the procedures involved in conducting a WordPress security audit. Whether you are running a blog or an e-commerce platform, expertise in how to clean a WordPress virus is becoming an essential skill set.

There has been a resurgence of the China-affiliated advanced persistent threat (APT) group codenamed APT41, which appears to be utilizing a newer, highly sophisticated version of a pre-existing malware identified as StealthVector. This upgraded malware has reportedly been named DodgeBox by the cybersecurity enthusiasts at Zscaler ThreatLabz.

The revamped variant of StealthVector, now named as DodgeBox, plays an instrumental role as it loads a novel backdoor, referred to as MoonWalk.

This new backdoor, MoonWalk, shares several evasion techniques implemented in DodgeBox and utilizes Google Drive for command-and-control (C2) communication.

Investigations reveal that APT41 has been active since 2007 and is associated with China’s state-sponsored cyber activities. The community has given it various names including Blackfly, Wicked Panda and Winnti.

In 2020, the U.S. Department of Justice (DoJ) indicted several cyber actors linked with this group for allegedly perpetrating intrusion campaigns across more than 100 global companies. The intrusions reportedly resulted in the theft of substantial business information including software code
signing certificates, customer account data, and source code.

The thefts allegedly facilitated other criminal activities including ransomware and crypto-jacking schemes.

Recent years have seen the group being associated with breaches of U.S. state government networks and attacks on Taiwanese media organizations.

At this juncture, understanding the role of DodgeBox becomes pivotal. DodgeBox has been perceived as a more developed version of StealthVector. It strategically incorporates various techniques, like call stack spoofing, DLL side-loading, and DLL hollowing, to successfully escape detection.

It is assessed that APT41 leverages DLL side-loading as a method to execute DodgeBox. They utilize a genuine executable, taskhost.exe, to sideload a malicious DLL, sbiedll.dll.

In simple terms, the malicious DLL, which is dubbed as DodgeBox, is a DLL loader that acts as a medium to decrypt and launch a secondary payload, the MoonWalk backdoor.

DodgeBox, the newly identified malware loader, employs multiple techniques to evade both static and behavioral detection. It offers various capabilities including decrypting and loading embedded DLLs, conducting environment checks and bindings, and executing cleanup procedures.

Safeguarding online space is a shared responsibility that affects everyone alike. We urge the reader to stay updated about these issues, increasing your capability to detect and potentially prevent them in the future.

Need security services for your WordPress site? DrGlenn is your go-to expert for protection and recovery. Contact me now!.