The Chinese-language cyber-espionage group known as APT10 has apparently added to its malware bag of tricks, with two never-before-seen malware loader variants used in April campaigns against government and private organizations in Southeast Asia.
Also, the campaigns featured modified versions of known payloads, according to enSilo.
“Both of the loader’s variants and their various payloads that we analyzed share similar tactics, techniques and procedures (TTPs) and code associated with APT10,” said Ben Hunter, a researcher with the enSilo Intelligence Team, in a Friday analysis of the code.
“The loader starts out by running a legitimate executable, which is abused to load a malicious DLL instead of the legitimate one on which it depends,” Hunter explained.
The malicious library (jli.dll), side-loaded in place of the legitimate DLL, maps a data file (svchost.bin) into memory and decrypts it. The decrypted content is shellcode, which is injected into svchost.exe and contains the actual malicious payload.
From there, the two variants diverge in how they persist. The first registers itself as a Windows service.
“It installs itself (jjs.exe) as the service and starts it,” Hunter said. “When running in the context of the service it performs the decryption and injection as described.”
The second variant uses a different persistence mechanism: a Run registry key for the current user (HKCU), under the value name “Windows Updata” (the misspelling is the malware’s own). It also downloads an executable (conhost.exe) that is in turn another downloader, written in .NET and named after a legitimate Windows system binary.
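The loader chain described above (a legitimate executable side-loading jli.dll, shellcode injected into svchost.exe, persistence via a jjs.exe service or a “Windows Updata” Run value) maps directly onto host telemetry. The script below is an added example, not code from enSilo’s report, that runs those four checks over Sysmon-style JSON events. The event records are constructed for illustration; the field names follow Sysmon’s schema (EventID, Image, ImageLoaded, TargetObject, SourceImage, TargetImage) plus the System-log 7045 service-install event, and the allowlists of legitimate Java directories and legitimate svchost.exe injectors are assumptions you would tune for your estate.

```python
"""Hunt for the APT10 loader behaviour in Sysmon-style events.

Added example; not enSilo's code. Sample events below are constructed,
not real telemetry. Field names follow Sysmon / Windows System log
conventions; the allowlists are assumptions for this illustration.
"""
import json
from pathlib import PureWindowsPath

# Indicators taken from the report text.
SIDELOADED_DLL = "jli.dll"          # side-loaded in place of the legitimate DLL
SERVICE_BINARY = "jjs.exe"          # variant 1 installs itself as a service
RUN_VALUE_NAME = "Windows Updata"   # variant 2's HKCU Run value (malware's own typo)
INJECTION_TARGET = "svchost.exe"    # shellcode is injected here

# Assumption: jli.dll legitimately lives only under a Java install directory.
LEGIT_DLL_DIRS = ("c:\\program files\\java\\", "c:\\program files (x86)\\java\\")
# Assumption: processes that legitimately create threads inside svchost.exe.
LEGIT_INJECTORS = {"c:\\windows\\system32\\services.exe",
                   "c:\\windows\\system32\\csrss.exe"}


def _norm(path: str) -> str:
    """Lower-case and normalise slashes so string comparisons are stable."""
    return path.replace("/", "\\").lower()


def check_event(ev: dict):
    """Return (rule, detail) if the event matches a loader indicator, else None."""
    eid = ev.get("EventID")
    if eid == 7:  # Sysmon: image (DLL) loaded
        loaded = _norm(ev.get("ImageLoaded", ""))
        if PureWindowsPath(loaded).name == SIDELOADED_DLL and not loaded.startswith(LEGIT_DLL_DIRS):
            return ("sideload_jli", f"{ev.get('Image')} loaded {ev.get('ImageLoaded')}")
    elif eid == 13:  # Sysmon: registry value set
        key = _norm(ev.get("TargetObject", ""))
        if "\\currentversion\\run\\" in key and key.endswith("\\" + RUN_VALUE_NAME.lower()):
            return ("runkey_windows_updata", ev.get("TargetObject"))
    elif eid == 7045:  # System log: Service Control Manager installed a service
        if PureWindowsPath(_norm(ev.get("ServiceFileName", ""))).name == SERVICE_BINARY:
            return ("service_jjs", f"{ev.get('ServiceName')} -> {ev.get('ServiceFileName')}")
    elif eid == 8:  # Sysmon: CreateRemoteThread
        target = _norm(ev.get("TargetImage", ""))
        source = _norm(ev.get("SourceImage", ""))
        if PureWindowsPath(target).name == INJECTION_TARGET and source not in LEGIT_INJECTORS:
            return ("inject_svchost", f"{ev.get('SourceImage')} -> {ev.get('TargetImage')}")
    return None


def hunt(lines):
    """Run check_event over newline-delimited JSON events; return [(rule, detail), ...]."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = check_event(json.loads(line))
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events: four should fire, two are benign (a real Java
# install loading its own jli.dll, and services.exe touching svchost.exe).
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\ProgramData\\Update\\jjs.exe", "ImageLoaded": "C:\\ProgramData\\Update\\jli.dll"}
{"EventID": 7, "Image": "C:\\Program Files\\Java\\jdk1.8.0_201\\bin\\java.exe", "ImageLoaded": "C:\\Program Files\\Java\\jdk1.8.0_201\\bin\\jli.dll"}
{"EventID": 7045, "ServiceName": "JavaUpdate", "ServiceFileName": "C:\\ProgramData\\Update\\jjs.exe"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Updata"}
{"EventID": 8, "SourceImage": "C:\\ProgramData\\Update\\jjs.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\services.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe"}
"""

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"[{rule}] {detail}")
```

The literal names (jli.dll, jjs.exe, “Windows Updata”) are cheap for the operator to change; the checks that survive a rename are the structural ones: a DLL that normally ships with a Java install being loaded from somewhere else, and a remote thread created in svchost.exe by a process that is not part of the service-control chain. Keep the name matches as campaign-specific indicators and the structural rules as the durable detection.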
For both loader variants, among the payloads are modified versions of PlugX and Quasar RAT.
PlugX was first identified in 2012 targeting government institutions; it gives a remote operator the ability to steal data from or take control of the affected system without permission or authorization. It can copy, move, rename, execute and delete files; log keystrokes; fingerprint the infected system; and more.
Quasar RAT meanwhile is billed as a legitimate remote administration tool for Windows, but it can be used for malicious purposes, like keylogging, eavesdropping, uploading data, downloading code and so on.
In the case of the PlugX version seen in the fresh APT10 campaigns, like previous versions, it collects information about the infected machine such as the computer name, username, OS version, RAM usage, network interfaces and resources. But the sample also shares some similarities with the Paranoid PlugX variant.
“It goes a long way to completely remove any sign of McAfee’s email proxy service from the infected machine,” Hunter said. “Besides killing the process, it also makes sure to delete any related keys in the registry, and recursively deletes any related files and directories on the machine. The same behavior was observed in the Paranoid variant as part of a VBScript the dropper runs.”
As for Quasar RAT, “this version contains an addition of SharpSploit to extract passwords from the victim machine using the framework’s built-in mimikatz capabilities,” explained Hunter.
Also, there are signs that the modified payload malware is still in development.
“The certificate embedded in the Quasar sample was issued on 22.12.2018, which correlates with the file’s compilation date,” Hunter added. “This can indicate that these samples may be a part of a testing environment or a short-lived attack that is already finished. Either way, it’s safe to say that the threat actor behind APT10 is still active and we have yet to see the last of the group.”