APT31 SoWaT Router Implant
Industry: N/A | Level: Strategic | Source: imp0rtp3
The infosec blog imp0rtp3 shared research showing that the Chinese threat actor group APT31 (Zirconium) has been using a multifunctional router implant, SoWaT (named after its custom file, swt). The implant can operate either as a client or as a server, using TLS for its communications. After allocating its working data, SoWaT waits for one of 16 possible commands. One of these maintains an hourly count of successful connections to the implant across a 24-hour period; if no connection is made in that window, a separate killswitch function removes the artifacts the malware left behind, deleting its working directories and reverting any ports it had opened. The research also attempted to shed light on APT31's use of Operational Relay Boxes (ORBs) in its network operations, specifically compromised routers.