APT41 is described by FireEye as a Chinese state-sponsored group involved in espionage and attacks that financially benefit the group. FireEye has published a report looking at some of the malware used by the group, LOWKEY and DEADEYE. The first malware family analyzed is three variants of DEADEYE, which use RC5 encryption that FireEye note is unusual in malware they typically analyze. DEADEYE also features an additional RC4 layer. Two variants of LOWKEY were also identified, one that uses a listener on TCP port 53, the other that listens on TCP port 80 (HTTP) and intercepts URLs containing commands. LOWKEY has been used in tightly targeted attacks and utilizes system specific payloads.
Exposure of sensitive information