SecurityWeek

Cyberwarfare

China-Linked Group Uses New Malware in Japan Attacks

A China-linked threat actor has been using a new Trojan in attacks aimed at individuals and organizations located in or with ties to Japan, Palo Alto Networks reported on Thursday.


The group is known as menuPass, Stone Panda and APT10, and it has been active since at least 2009. The actor initially targeted defense contractors in the United States and elsewhere, and since 2014 it has also attacked organizations in Japan.

menuPass is known for using PlugX and PoisonIvy, which have been observed in campaigns launched by several actors. However, a recent menuPass operation, which took place between September and November 2016, involved a new Trojan, dubbed ChChes, that is unique to this group.

The recent operation targeted Japanese academics working in various scientific fields, a Japanese pharmaceutical company, and a US-based subsidiary of a Japanese manufacturing firm. The attacks started with spear-phishing emails that came from spoofed addresses, including those of the Sasakawa Peace Foundation and the White House.

One clue that linked ChChes to other tools used by menuPass was a shared import hash. However, experts also discovered connections in the infrastructure used in the recent and older attacks.
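The import hash mentioned above is a common clustering clue for analysts: it is an MD5 over a PE file's import table (DLL names and imported function names, in the order they appear), so two samples built from the same source tree and toolchain tend to share it even when their file hashes differ. The following Python is an added illustration of that algorithm, not code from Palo Alto Networks or JPCERT/CC; it follows the scheme popularised by Mandiant and implemented by the `pefile` library, but works on constructed import tables rather than real binaries, and omits the lookup tables `pefile` uses to resolve well-known ordinals. The sample names and import lists are invented for the demonstration.

```python
import hashlib
from collections import defaultdict

# An "import table" here is a list of (dll_name, [function_name_or_ordinal, ...])
# in the order the entries appear in the PE's import directory.


def imphash(imports):
    """Compute an import hash over a parsed import table.

    Matches the pefile/Mandiant convention: DLL name lowercased with a
    .dll/.ocx/.sys suffix stripped, each entry rendered as "lib.func" in
    lowercase, imports by ordinal rendered as "ordN", all joined by commas
    and hashed with MD5. Order matters: the same APIs in a different order
    produce a different hash.
    """
    parts = []
    for lib, funcs in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for func in funcs:
            # Ordinal imports carry no name; pefile resolves a few well-known
            # ordinals via lookup tables, which this illustration omits.
            name = f"ord{func}" if isinstance(func, int) else func
            parts.append(f"{lib}.{name.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def cluster_by_imphash(samples):
    """Group sample names by shared import hash (constructed triage step)."""
    clusters = defaultdict(list)
    for name, imports in samples.items():
        clusters[imphash(imports)].append(name)
    return dict(clusters)


# Constructed import tables: A and B share a build, C reorders the same APIs,
# D is an unrelated loader with an ordinal import.
SAMPLES = {
    "sample_A": [
        ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]),
        ("ADVAPI32.dll", ["RegOpenKeyExA"]),
    ],
    "sample_B": [
        ("kernel32.DLL", ["loadlibrarya", "getprocaddress", "virtualalloc"]),
        ("advapi32.dll", ["regopenkeyexa"]),
    ],
    "sample_C": [
        ("ADVAPI32.dll", ["RegOpenKeyExA"]),
        ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]),
    ],
    "sample_D": [
        ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress"]),
        ("WS2_32.dll", [23]),
    ],
}

if __name__ == "__main__":
    for h, names in cluster_by_imphash(SAMPLES).items():
        print(h, sorted(names))
```

Because the hash is order-sensitive, a matching value across samples is stronger evidence of a shared build than a matching set of API names alone; conversely, a compiler or linker change between campaigns can break the match, so a differing import hash does not by itself rule out a common origin.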

ChChes was disguised as a Word document and it was signed using a certificate from Italian spyware maker Hacking Team. The certificate was leaked when the company was hacked in July 2015, but it had been revoked long before the latest menuPass attacks. Researchers believe attackers may have used it in an effort to make attribution more difficult.

In addition to collecting information about the infected system, ChChes has modules that help it encrypt communications, execute shell commands, upload and download files, and load and execute DLLs, according to an analysis conducted by Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC).

Palo Alto Networks believes ChChes is only used to download other malware onto infected computers, especially since it does not have a persistence mechanism.


“In a successful intrusion, it may be only a first stage tool used by the attackers to orient where they landed in a network, and other malware will be deployed as a second stage layering for persistence and additional access as the attackers move laterally through a network,” researchers said in a blog post.

Related: Japan Targeted in “Blackgear” Espionage Campaign

Related: 18 Million Stolen Credentials Found in Japan

Related: “Dust Storm” Attackers Target Japanese Critical Infrastructure

Related: Blue Termite APT Targets Japanese Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
