APT10 is back with two new loaders and new versions of known payloads

The APT10 group has added two new malware loaders to its arsenal and used in attacks aimed at government and private organizations in Southeast Asia.

In April 2019, China-linked cyber-espionage group tracked as APT10 has added two new loaders to its arsenal and used it against government and private organizations in Southeast Asia.

The group has been active at least since 2009, in April 2017 experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

In July 2018, FireEye observed a series of new attacks of the group leveraging spear-phishing emails using weaponized Word documents that attempt to deliver the UPPERCUT backdoor, also tracked as ANEL.

In September 2018, researchers from FireEye uncovered and blocked a campaign powered by the Chinese APT10 cyber espionage group aimed at Japanese media sector

The recent attacks were uncovered by experts at enSilo, they also noticed that the APT group used modified versions of known malware.

“Towards the end of April 2019, we tracked down what we believe to be new activity by APT10, a Chinese cyber espionage group.” reads the analysis published by enSilo. “Both of the loader’s variants and their various payloads that we analyzed share similar Tactics, Techniques, and Procedures (TTPs) and code associated with APT10.”

The two loaders deliver different payloads to the victims and both variants drop the following files beforehand:

• jjs.exe – legitimate executable, a JVM-based implementation of a javascript engine as part of the Java platform that acted as a loader for the malware.
• jli.dll – malicious DLL
• msvcrt100.dll – legitimate Microsoft C Runtime DLL
• svchost.bin – binary file

Both variants served several final payloads, including the PlugX and Quasar remote access trojan (RAT).

The loaders implement DLL Side-Loading, this means it starts by running a legitimate executable which is abused to load a malicious DLL.

Both loaders use the jli.dll library that maps a data file, svchost.bin, to memory and decrypts it to retrieve a shellcode that is injected into svchost.exe and contains the actual malicious payload.

The two loaders differ in the way they ensure persistence, the first uses a service as its persistence method, while the second variant leverages the Run registry key for the current user under the name “Windows Updata” . 

“It goes a long way to completely remove any sign of McAfee’s email proxy service from the infected machine,” Hunter said. “Besides killing the process, it also makes sure to delete any related keys in the registry, and recursively deletes any related files and directories on the machine. The same behavior was observed by in the paranoid variant as part of a VBScript the dropper runs.”

Experts noticed that the payloads used by the attackers in the last campaigns are still on a development phase.

“Both variants of the loader implement the same decryption and injection mechanism.” concludes the experts.

Further technical details, including IoCs, are reported in the analysis published by inSile.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – APT10, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]