Security researchers from FireEye discovered and blocked a campaign by the APT10 group targeting the Japanese media sector.
“In July 2018, FireEye devices detected and blocked what appears to be APT10 (Menupass) activity targeting the Japanese media sector. APT10 is a Chinese cyber-espionage group that FireEye has tracked since 2009, and they have a history of targeting Japanese entities.”
The attackers send spear-phishing emails carrying malicious Word documents that attempt to install the UPPERCUT backdoor, also known as ANEL.
The content of the malicious documents is unreadable until the document is unlocked, and the lure subjects relate to maritime, diplomatic, and North Korean issues.
The Word documents are password protected, and the password is supplied in the body of the email. Because the document is encrypted, its contents cannot be inspected by mail gateways or sandboxes that do not have the password.
Once the password is entered, the Word document opens and the user is asked to enable the malicious macro; the infection only proceeds if the user does so.
“The PE compile time of loaders and the create time of droppers (Word documents) are plotted in the graph. The compile time of loaders in the newer version(s) are not shown here since the timestamps are overwritten and filled with zeroes. We don’t have visibility into UPPERCUT 5.2.x series, but it’s possible that minor revisions were released every few months between December 2017 and May 2018.”
The new version supports the following commands:
- Download a file and validate it (XXHash comparison)
- Upload a file to the C&C server
- Load a PE file
- Download a file, validate it (XXHash comparison), execute it, and send the output to the C&C server
- Format the current timestamp
- Capture a screenshot
- Execute the received buffer via cmd.exe and send the output to the C&C server
In the latest version of UPPERCUT, the attackers changed the way the backdoor initialises its Blowfish encryption key, which makes the backdoor's C&C communications harder for analysts to identify and decrypt.
For more details, you can visit the analysis published by FireEye researchers here.
How to protect yourself from this type of attack:
- Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited email, even if the link seems benign. If a URL looks genuine, close the e-mail and go to the organization's website directly through the browser. Treat a password-protected attachment whose password is given in the same email as a red flag: the only reason to do this is to prevent security tools from scanning the file.
- Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches.
- Disable Office macros by policy, and never enable macros because a document asks you to.
- Maintain updated antivirus software on all systems.
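The macro advice above can be enforced centrally rather than left to each user. The following PowerShell script is an added example and is not part of the FireEye report or the original article; it writes the per-user Office policy registry values that Group Policy would normally set. It assumes Office 2016/2019/Microsoft 365 (version key 16.0) and that the script runs in the user's context (for a machine-wide setting, the same values live under HKLM:\Software\Policies\...). A VBAWarnings value of 4 disables all macros without even showing the "Enable Content" bar, which is exactly the prompt the UPPERCUT lure relies on; BlockContentExecutionFromInternet additionally blocks macros in files carrying the Mark-of-the-Web.

```powershell
# Added example (not FireEye's or the article's code): enforce Office macro policy
# through the Group Policy registry keys. Assumes Office version key 16.0.
# VBAWarnings: 1 = enable all, 2 = disable with notification (default),
#              3 = disable except digitally signed, 4 = disable all without notification.
$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint')

foreach ($App in $Apps) {
    $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # Disable all macros, no "Enable Content" prompt for the user to click.
    Set-ItemProperty -Path $Key -Name 'VBAWarnings' -Value 4 -Type DWord
    # Block macros in documents downloaded from the internet or saved from mail (MOTW).
    Set-ItemProperty -Path $Key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
}

# Verification: print the effective values so the change can be audited.
foreach ($App in $Apps) {
    $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    Get-ItemProperty -Path $Key |
        Select-Object @{Name = 'App'; Expression = { $App }},
                      VBAWarnings,
                      BlockContentExecutionFromInternet
}
```

Setting VBAWarnings to 4 will also break legitimate macro-based workflows; if those exist, value 3 (only digitally signed macros from trusted publishers) is the usual compromise, combined with signing the approved macros. Note that a password-protected document still has to be opened by the user before Office evaluates this policy, so the gateway-evasion benefit the attackers get from encryption is not removed; the policy simply stops the macro from ever running.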