Cybercrime

New APT10 Activity Detected in Southeast Asia

Researchers have detected what they believe to be new activity from Chinese cyber espionage group, APT10. The activity surfaced in the Philippines and shares similar tactics, techniques, and procedures (TTPs) and code associated with APT10.

APT10 is the group behind Operation Cloud Hopper analyzed by PwC UK and BAE Systems in 2017. In December 2018, all five nations in the Five Eyes electronic surveillance alliance (USA, Canada, UK, Australia and New Zealand) officially pinned Cloud Hopper to APT10, and APT10 to the Chinese government.

The U.S. went so far as to indict two Chinese nationals, Zhu Hua and Zhang Shilong. Both are alleged to be associated with the Chinese Ministry of State Security's Tianjin State Security Bureau.

The new activity was detected by enSilo in late April 2019. Samples with two slightly different loaders were found, delivering different ultimate payloads, but both first delivering jjs.exe (a legitimate executable), jli.dll (a malicious DLL), msvcrt100.dll (a legitimate Microsoft C Runtime DLL), and svchost.bin (a binary file). jjs.exe is an implementation of a JavaScript engine, part of Oracle’s Java platform, but used in these cases as a loader for the malware.

The two malware payloads discovered are PlugX and a modified Quasar RAT. PlugX is thought to be APT10 proprietary malware, and has been used by the group for several years. It is modular in design with numerous plug-ins available — such as communication compression and encryption, network enumeration, files interaction, remote shell operations and more. The new Quasar RAT version includes SharpSploit and its built-in Mimikatz capabilities to extract passwords.

The basic loading process is for jjs.exe to side-load the malicious jli.dll. The latter maps the binary svchost.bin to memory and decrypts it as a shellcode containing the malicious payload. This is injected into svchost.exe.

The first loader version uses a service for its persistency. It installs itself, jjs.exe, as the service, and starts it. The decryption and injection are performed in this context.

The second loader variant uses the Run registry key for the current user under the name ‘Windows Updata’. Both loaders communicate with typical APT10 domains that look confusingly like genuine tech industry domains: one using DNS over TCP to update[.]microsofts[.]org, and the other using HTTPS to update[.]kaspresksy[.]com.


Where the malware is PlugX, and following the injection of the shellcode, the shellcode decrypts another part of itself to unpack the PlugX DLL. Like other versions, the malware collects information such as the computer name, username, OS version, RAM usage, network interfaces and resources. It generates noise around the allocation and release of memory with dummy calls to the GetForegroundWindow API function.

This variant of PlugX is similar to the one known as Paranoid PlugX, which targeted the video game industry in 2017. It attempts to completely remove any sign of McAfee’s email proxy service, recursively deleting any related registry keys, files and directories. The same behavior occurred in the Paranoid version.

Where the malware is the modified Quasar RAT, the injected shellcode downloads conhost.exe — which is another simple downloader that fetches and executes the RAT.

While examining the network infrastructure overlaps between these two malware samples, enSilo found a password-protected zip named ‘chrome_updata‘ associated with the kaspresksy[.]com domain, and containing a sample of the Poison Ivy RAT. Poison Ivy is another malware associated with APT10. It was used in a campaign against individuals in the Mongolian government in 2017.

The similarities in malware, methods and domain names make enSilo confident that this activity stems from APT10. What it doesn’t know is whether it is part of a testing environment, or was a short-lived attack that has already finished. “Either way,” it concludes, “it’s safe to say that the threat actor behind APT10 is still active and we have yet to see the last of the group.”

Related: Chinese Hackers Spy on U.S. Law Firm, Major Norwegian MSP 

Related: Industry Reactions to U.S. Charging APT10 Hackers: Feedback Friday 

Related: China-linked APT10 Hackers Update Attack Techniques 

Related: China-Linked Group Uses New Malware in Japan Attacks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
