Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

China-Linked Group Uses New Malware in Japan Attacks

A China-linked threat actor has been using a new Trojan in attacks aimed at individuals and organizations located in or with ties to Japan, Palo Alto Networks reported on Thursday.

A China-linked threat actor has been using a new Trojan in attacks aimed at individuals and organizations located in or with ties to Japan, Palo Alto Networks reported on Thursday.

The group is known as menuPass, Stone Panda and APT10, and it has been active since at least 2009. The actor initially targeted defense contractors in the United States and elsewhere, and since 2014 it has also attacked organizations in Japan.

menuPass is known for using PlugX and PoisonIvy, which have been observed in campaigns launched by several actors. However, a recent menuPass operation, which took place between September and November 2016, involved a new Trojan, dubbed ChChes, that is unique to this group.

The recent operation targeted Japanese academics working in various scientific fields, a Japanese pharmaceutical company, and a US-based subsidiary of a Japanese manufacturing firm. The attacks started with spear-phishing emails that came from spoofed addresses, including of the Sasakawa Peace Foundation and the White House.

One clue that linked ChChes to other tools used by menuPass was a shared import hash. However, experts also discovered connections in the infrastructure used in the recent and older attacks.

ChChes was disguised as a Word document and it was signed using a certificate from Italian spyware maker Hacking Team. The certificate was leaked when the company was hacked in July 2015, but it had been revoked long before the latest menuPass attacks. Researchers believe attackers may have used it in an effort to make attribution more difficult.

In addition to collecting information about the infected system, ChChes has modules that help it encrypt communications, execute shell commands, upload and download files, and load and execute DLLs, according to an analysis conducted by Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC).

Palo Alto Networks believes ChChes is only used to download other malware onto infected computers, especially since it does not have a persistence mechanism.

Advertisement. Scroll to continue reading.

“In a successful intrusion, it may be only a first stage tool used by the attackers to orient where they landed in a network, and other malware will be deployed as a second stage layering for persistence and additional access as the attackers move laterally through a network,” researchers said in a blog post.

Related: Japan Targeted in “Blackgear” Espionage Campaign

Related: 18 Million Stolen Credentials Found in Japan

Related: “Dust Storm” Attackers Target Japanese Critical Infrastructure

Related: Blue Termite APT Targets Japanese Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.