Security researchers have discovered a new campaign by the APT10 group targeting government and private organizations in Southeast Asia.
In April 2019, security experts at enSilo discovered a new activity by Chinese cyber espionage group APT10 with two new loaders.
“Both of the loader’s variants and their various payloads that we analyzed share similar Tactics, Techniques, and Procedures (TTPs) and code associated with APT10.”
Even though the two new loaders deliver different payloads to the victim’s systems, both variants drop the following files beforehand:
- jjs.exe – legitimate executable
- jli.dll – malicious DLL
- msvcrt100.dll – legitimate Microsoft C Runtime DLL
- svchost.bin – binary file
The final payloads delivered by both variants include PlugX and Quasar remote access Trojan (RAT).
The loaders start the process by running a legitimate executable that is abused to load a malicious DLL in place of the legitimate one, a technique known as DLL side-loading.
In both variants, the jli.dll library maps the data file svchost.bin into memory and decrypts it to obtain shellcode. The shellcode, which contains the actual malicious payload, is then injected into svchost.exe.
For persistence, the first variant installs itself as a Windows service and starts it.
The second variant uses the Run registry key of the current user, under the value name “Windows Updata”, to ensure persistence.
According to the researchers, both variants use the same decryption and injection mechanism.
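The two host artifacts the article describes (the set of files dropped before execution, and the second variant's "Windows Updata" value under the current user's Run key) are both cheap to hunt for. The following Python script is an added example written for this page; it is not code from the article or from enSilo. It assumes a directory tree to scan and a `.reg`-style export of the HKCU Run key as input, and it builds constructed samples of both so it runs offline; the user profile paths in the sample are invented, while the file names and the Run value name come from the article.

```python
import os
import tempfile
from pathlib import Path

# Files the article says both loader variants drop before running. msvcrt100.dll is
# also dropped but is a widely present legitimate runtime DLL, so it is not required
# for a match; requiring all three below keeps a plain JDK installation from matching.
LOADER_FILE_SET = {"jjs.exe", "jli.dll", "svchost.bin"}

# Persistence location and value name used by the second variant.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_RUN_VALUE = "Windows Updata"


def find_sideload_dirs(root):
    """Return every directory under root that holds the full dropped-file set (case-insensitive)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        present = {name.lower() for name in filenames}
        if LOADER_FILE_SET <= present:
            hits.append(os.path.normpath(dirpath))
    return sorted(hits)


def find_run_persistence(reg_export_text):
    """Parse a .reg export (as produced by `reg export`) and return (name, command)
    pairs under the HKCU Run key whose value name matches the suspicious one."""
    matches = []
    current_key = None
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        if not line.startswith('"'):
            continue
        name, sep, value = line[1:].partition('"=')
        if sep and name.lower() == SUSPICIOUS_RUN_VALUE.lower():
            # .reg exports quote string values and double the backslashes
            command = value.strip('"').replace("\\\\", "\\")
            matches.append((name, command))
    return matches


# Constructed sample of what `reg export` of the HKCU Run key might look like on an
# affected profile; the user paths are invented for this example, not from the report.
CONSTRUCTED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Windows Updata"="C:\\Users\\alice\\AppData\\Roaming\\Java\\jjs.exe"
'''


def build_constructed_sample(root):
    """Create a constructed directory tree: one folder with the full dropped set and a
    decoy holding only jjs.exe and jli.dll (a real JDK bin folder also holds both).
    Returns the path of the folder that should be flagged."""
    dropped = Path(root) / "dropped"
    dropped.mkdir(parents=True, exist_ok=True)
    for name in ("jjs.exe", "jli.dll", "msvcrt100.dll", "svchost.bin"):
        (dropped / name).write_bytes(b"constructed placeholder content")
    decoy = Path(root) / "jdk_bin"
    decoy.mkdir(parents=True, exist_ok=True)
    for name in ("jjs.exe", "jli.dll"):
        (decoy / name).write_bytes(b"constructed placeholder content")
    return os.path.normpath(str(dropped))


def run_constructed_demo():
    """Run both checks against the constructed samples and report the outcome."""
    root = tempfile.mkdtemp(prefix="apt10_hunt_")
    expected_dir = build_constructed_sample(root)
    dirs = find_sideload_dirs(root)
    persistence = find_run_persistence(CONSTRUCTED_REG_EXPORT)
    return {
        "sideload_dirs": dirs,
        "sideload_flagged_only_dropped": dirs == [expected_dir],
        "persistence": persistence,
    }


if __name__ == "__main__":
    for key, value in run_constructed_demo().items():
        print(f"{key}: {value}")
```

The decoy folder is there to make a point about precision: jjs.exe and jli.dll both ship with a JDK, so matching on the executable and DLL names alone produces false positives on developer machines, whereas the presence of svchost.bin alongside them is what distinguishes the dropped set described here. On a real host, point `find_sideload_dirs` at user-writable locations and feed `find_run_persistence` the output of `reg export` for the Run key.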
Earlier, in September 2018, FireEye researchers discovered and blocked an APT10 campaign targeting the Japanese media sector.
For more details on the campaign and its IoCs, read the report published by enSilo researchers here.