The Chinese-language cyber-espionage group known as APT10 (G0045, Stone Panda, MenuPass Team, Red Apollo, CVNX, POTASSIUM, Cloud Hopper) updated its arsenal with two never-before-seen malware loader variants used in April campaigns against government and private organizations in Southeast Asia.
The recent attacks were detected by researchers from enSilo, who noted that both campaigns featured modified versions of known malware.
“Towards the end of April 2019, we tracked down what we believe to be new activity by APT10, a Chinese cyber espionage group. Both of the loader’s variants and their various payloads that we analyzed share similar Tactics, Techniques, and Procedures (TTPs) and code associated with APT10,” said the researchers in their report.
While the two loaders ultimately deliver different payloads, both drop the following files on the victim beforehand:
- jjs.exe – legitimate executable, a JVM-based implementation of a JavaScript engine shipped with the Java platform, which acts as the loader for the malware
- jli.dll – malicious DLL
- msvcrt100.dll – legitimate Microsoft C Runtime DLL
- svchost.bin – binary file
Both variants delivered several payloads, including the PlugX and Quasar remote access trojans (RATs). The former has previously been used in many targeted attacks against government and private organizations. PlugX has a modular structure with many operational plugins, covering communication compression and encryption, network enumeration, file interaction, and remote shell operations. Like earlier versions, the PlugX variant seen in the fresh APT10 campaigns collects various data on the infected host, such as the computer name, username, OS version, RAM usage, network interfaces and resources.
In the case of Quasar RAT, which can be used for keylogging, uploading data or downloading code, “this [modified] version contains an addition of SharpSploit to extract passwords from the victim machine using the framework’s built-in mimikatz capabilities,” explained the experts, adding that the malware appears to still be in development.
Both loaders rely on DLL side-loading: execution starts with a legitimate executable, which is abused to load a malicious DLL. The malicious DLL maps the data file, svchost.bin, into memory and decrypts it. The decrypted content is shellcode that is injected into svchost.exe and contains the actual malicious payload.
The loaders differ in how they achieve persistence on the infected system. The first registers a service (jjs.exe) as its persistence method, while the second variant uses the Run registry key of the current user under the value name “Windows Updata”.
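As an added example (not code from the enSilo report or this article), the following Python sketch turns the behaviours described above into a simple hunt over constructed inventory data: the side-loading file set next to a copy of jjs.exe, the “Windows Updata” Run value, and a service whose image path points at jjs.exe. The input shapes, sample paths and the service name are assumptions; on a real host they would come from an EDR or inventory export.

```python
from pathlib import PureWindowsPath

# Indicators taken from the article; the Run value name keeps the attacker's typo.
SIDELOAD_SET = {"jjs.exe", "jli.dll", "svchost.bin"}
RUN_VALUE_NAME = "windows updata"


def _image_exe(image_path):
    """Extract the executable name from a service image path, quoted or not."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        p = p.split(" ", 1)[0]
    return PureWindowsPath(p).name.lower()


def find_sideload_dirs(dir_listing):
    """Directories holding jjs.exe together with jli.dll and svchost.bin."""
    return [d for d, files in dir_listing.items()
            if SIDELOAD_SET <= {f.lower() for f in files}]


def find_run_persistence(run_values):
    """HKCU Run entries whose value name matches 'Windows Updata'."""
    return [(n, cmd) for n, cmd in run_values if n.strip().lower() == RUN_VALUE_NAME]


def find_service_persistence(services):
    """Services whose image path launches jjs.exe (loader registered as a service)."""
    return [(n, path) for n, path in services if _image_exe(path) == "jjs.exe"]


def hunt(dir_listing, run_values, services):
    """Run all three checks and return the findings keyed by check."""
    return {"sideload_dirs": find_sideload_dirs(dir_listing),
            "run_persistence": find_run_persistence(run_values),
            "service_persistence": find_service_persistence(services)}


# Constructed sample inventory (hypothetical paths): a genuine JDK bin directory
# also ships jjs.exe and jli.dll but no svchost.bin, so it is not flagged.
SAMPLE_DIRS = {
    r"C:\Program Files\Java\jdk-11\bin": ["jjs.exe", "jli.dll", "java.exe"],
    r"C:\Users\Public\Libraries\upd": ["jjs.exe", "jli.dll", "msvcrt100.dll", "svchost.bin"],
}
SAMPLE_RUN = [("OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
              ("Windows Updata", r"C:\Users\Public\Libraries\upd\jjs.exe")]
SAMPLE_SERVICES = [("Spooler", r"C:\Windows\System32\spoolsv.exe"),
                   ("JavaUpdate", r'"C:\Users\Public\Libraries\upd\jjs.exe" -svc')]

if __name__ == "__main__":
    print(hunt(SAMPLE_DIRS, SAMPLE_RUN, SAMPLE_SERVICES))
```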
More detailed technical analysis and Indicators of Compromise (IoCs) can be found here.