SAS 2021: Learning to ChaCha with APT41

Straight from the sunny UK to the stage of SAS-at-Home 2021, John Southworth (PwC) will be giving some insights about the threat actor APT41, also known as Red Kelpie and Winnti. Starting with APT10 (Red Apollo), the presentation will dance you through the malware used by APT41 (the Motnug loader and its descendant, the ChaCha loader) and on to some thoughts on the actor's attribution and the payload, including the infamous Cobalt Strike.

Indicators of compromise, YARA rules, and Python scripts for the Kaspersky TheSAS2021 talk "Learning to ChaCha with APT41": https://github.com/PwCUK-CTO/TheSAS2021-Red-Kelpie