SYMBOLCOMMON_NAMEaka. SYNONYMS
win.easynight (Back to overview)

EASYNIGHT

Actor(s): APT41


FireEye describes EASYNIGHT is a loader observed used with several malware families, including HIGHNOON and HIGHNOON.LITE. The loader often acts as a persistence mechanism via search order hijacking.

Examples include a patched bcrypt.dll with no other modification than an additional import entry, in the observed case "printwin.dll!gzwrite64" (breaking the file signature).

References
2019-09-04FireEyeFireEye
APT41: Double Dragon APT41, a dual espionage and cyber crime operation
EASYNIGHT Winnti
2017-03-22Trend MicroCedric Pernet
Winnti Abuses GitHub for C&C Communications
EASYNIGHT APT41

There is no Yara-Signature yet.