28 May 2019

Chinese cyberspies deploy unique malware in attacks on government and private organizations in Southeast Asia

The Chinese-language cyber-espionage group known as APT10 (G0045, Stone Panda, MenuPass Team, Red Apollo, CVNX, POTASSIUM, Cloud Hopper) updated its arsenal with two never-before-seen malware loader variants used in April campaigns against government and private organizations in Southeast Asia.

The recent attacks were detected by researchers from enSilo, who noted that both campaigns featured modified versions of known malware.

“Towards the end of April 2019, we tracked down what we believe to be new activity by APT10, a Chinese cyber espionage group. Both of the loader’s variants and their various payloads that we analyzed share similar Tactics, Techniques, and Procedures (TTPs) and code associated with APT10,” said the researchers in their report.

Although the two loaders deliver different payloads, both drop the following files on the victim machine before doing so:

  • jjs.exe – legitimate executable, a JVM-based JavaScript engine shipped as part of the Java platform, which acts as the loader for the malware.

  • jli.dll – malicious DLL

  • msvcrt100.dll – legitimate Microsoft C Runtime DLL

  • svchost.bin – binary file

Both variants delivered several payloads, including the PlugX and Quasar remote access trojans (RATs). The former has previously been used in many targeted attacks against government and private organizations. PlugX has a modular structure with many operational plugins, covering communication compression and encryption, network enumeration, file interaction, and remote shell operations. Like previous versions, the PlugX variant seen in the fresh APT10 campaigns collects various data about the infected host, such as the computer name, username, OS version, RAM usage, network interfaces and resources.

In the case of Quasar RAT, which can be used for keylogging, uploading data or downloading code, “this [modified] version contains an addition of SharpSploit to extract passwords from the victim machine using the framework’s built-in mimikatz capabilities,” explained the experts, adding that the malware appears to still be in a development phase.

Both loaders rely on DLL side-loading: execution starts with a legitimate executable (jjs.exe), which is abused to load the malicious jli.dll from the same directory. The malicious DLL maps the data file, svchost.bin, into memory and decrypts it. The decrypted content is shellcode that is injected into svchost.exe and contains the actual malicious payload.

The loaders differ in how they achieve persistence on the infected system. The first one registers a service (running jjs.exe) as its persistence method, while the second variant uses the Run registry key of the current user under the name “Windows Updata”.
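The three host-level indicators described above (the “Windows Updata” Run value, a service whose binary is jjs.exe, and a jjs.exe running outside a Java installation next to jli.dll and svchost.bin) can be checked on a Windows host with the triage script below. It is an added example, not code from enSilo or from the report; the Java-directory pattern and the decision to flag only the full jjs.exe/jli.dll/svchost.bin trio are assumptions made here to keep false positives low.

```powershell
# Added triage script (not from the enSilo report). Run in an elevated
# PowerShell prompt; every hit is a lead for analyst review, not a verdict.

function Get-SuspiciousRunEntries {
    # Second loader variant: HKCU Run value named "Windows Updata".
    # The wildcard also catches a correctly spelt lookalike (assumption).
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -like 'Windows Updat*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } }
}

function Get-SuspiciousJjsServices {
    # First loader variant: persistence through a service that runs jjs.exe.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'jjs\.exe' } |
        Select-Object Name, State, StartMode, PathName
}

function Get-SuspiciousJjsProcesses {
    # Side-loading check: jjs.exe legitimately lives in a JDK/JRE bin folder.
    # A copy elsewhere, with jli.dll and svchost.bin beside it, matches the
    # file set both loaders drop. The path regex is an assumption.
    Get-CimInstance Win32_Process -Filter "Name = 'jjs.exe'" | ForEach-Object {
        $exe = $_.ExecutablePath
        if (-not $exe) { return }
        $dir     = Split-Path -Parent $exe
        $inJava  = $dir -match '\\(jdk|jre)[^\\]*\\bin$'
        $hasJli  = Test-Path (Join-Path $dir 'jli.dll')
        $hasBin  = Test-Path (Join-Path $dir 'svchost.bin')
        if (-not $inJava -and $hasJli -and $hasBin) {
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                ParentPid = $_.ParentProcessId
                Path      = $exe
                Reason    = 'jjs.exe outside a Java install with jli.dll and svchost.bin present'
            }
        }
    }
}

Get-SuspiciousRunEntries   | Format-Table -AutoSize
Get-SuspiciousJjsServices  | Format-Table -AutoSize
Get-SuspiciousJjsProcesses | Format-Table -AutoSize
```

A hit from the process check is worth pairing with a memory capture of the matching svchost.exe, since the decrypted payload exists only in memory.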

More detailed technical analysis and Indicators of Compromise (IoCs) can be found here.
