New APT10 Activity Detected in Southeast Asia
Researchers at enSilo have detected what they believe to be new activity from the Chinese cyber espionage group APT10. The activity surfaced in the Philippines and shares tactics, techniques and procedures (TTPs) and code with samples previously attributed to APT10.
APT10 is the group behind Operation Cloud Hopper analyzed by PwC UK and BAE Systems in 2017. In December 2018, all five nations in the Five Eyes electronic surveillance alliance (USA, Canada, UK, Australia and New Zealand) officially pinned Cloud Hopper to APT10, and APT10 to the Chinese government.
The U.S. went so far as to indict two Chinese nationals, Zhu Hua and Zhang Shilong. Both are alleged to be associated with the Chinese Ministry of State Security's Tianjin State Security Bureau.
The two malware payloads discovered are PlugX and a modified Quasar RAT. PlugX is thought to be APT10 proprietary malware, and has been used by the group for several years. It is modular in design with numerous plug-ins available, such as communication compression and encryption, network enumeration, file interaction, remote shell operations and more. The new Quasar RAT version bundles SharpSploit, whose built-in Mimikatz functionality is used to extract passwords.
The basic loading process is DLL side-loading: jjs.exe, the legitimate, signed Nashorn JavaScript shell shipped with the JDK, is dropped alongside a malicious jli.dll (a library the real jjs.exe normally loads from its own JDK directory) and loads the attacker's copy instead. The malicious jli.dll maps the file svchost.bin into memory and decrypts it into shellcode containing the malicious payload, which is then injected into svchost.exe.
The first loader variant uses a Windows service for persistence. It registers jjs.exe as the service and starts it; the decryption and injection are performed in the service's context.
The second loader variant uses the Run registry key of the current user, under the value name 'Windows Updata'. Both loaders communicate with typical APT10 domains that look confusingly like genuine tech industry domains: one uses DNS over TCP to update[.]microsofts[.]org, the other HTTPS to update[.]kaspresksy[.]com.
Where the payload is PlugX, the injected shellcode decrypts another part of itself to unpack the PlugX DLL. Like other versions, the malware collects information such as the computer name, username, OS version, RAM usage, network interfaces and resources. As an anti-analysis measure it generates noise around its memory allocation and release with dummy calls to the GetForegroundWindow API function.
This variant of PlugX is similar to the one known as Paranoid PlugX, which targeted the video game industry in 2017. It attempts to completely remove any sign of McAfee’s email proxy service, recursively deleting any related registry keys, files and directories. The same behavior occurred in the Paranoid version.
Where the payload is the modified Quasar RAT, the injected shellcode downloads a file named conhost.exe (the name of the legitimate Windows console host, borrowed here to blend in), which is itself a simple downloader that fetches and executes the RAT.
While examining the network infrastructure overlaps between these two malware samples, enSilo found a password-protected zip named 'chrome_updata' associated with the kaspresksy[.]com domain, containing a sample of the Poison Ivy RAT. Poison Ivy is another malware associated with APT10; it was used in a campaign against individuals in the Mongolian government in 2017.
The similarities in malware, methods and domain names make enSilo confident that this activity stems from APT10. What it doesn't know is whether it is part of a testing environment, or was a short-lived attack that has already finished. "Either way," it concludes, "it's safe to say that the threat actor behind APT10 is still active and we have yet to see the last of the group."