Uncovering new Activity by APT10 (May 24, 2019)
According to enSilo researchers, the Chinese Advanced Persistent Threat (APT) group “APT10” has added new malware loaders to its arsenal. In late April 2019, researchers identified two never-before-seen malware loader variants and attributed them to APT10 based on Tactics, Techniques, and Procedures (TTPs) that match the group's known activity. The new loaders drop four files: a binary file (svchost.bin), a legitimate executable (jjs.exe), a legitimate Microsoft C Runtime DLL (msvcrt100.dll), and a malicious DLL (jli.dll). Researchers also found that the loaders can deliver different payloads, such as the Remote Access Trojans “PlugX” and “Quasar.” The objective of these loaders is to install malware on target machines, achieve persistence, and then steal data and send it back to a Command and Control (C2) server.
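As an added defender's example (not from the enSilo report or this briefing), the Python heuristic below walks a directory tree and flags directories where the four dropped file names appear together; the verdict tiers are an assumption. Note that jli.dll is also the name of a legitimate Java launcher library that ships beside jjs.exe in a real JDK, so that pairing alone only merits a low-confidence finding for review.

```python
"""Constructed detection heuristic for the APT10 loader drop set.
File names come from the report; the scoring tiers are an assumption."""
import os
from typing import Dict, Iterable, List

# The four file names the loaders drop (from the report).
LEGIT_FILES = {"jjs.exe", "msvcrt100.dll"}      # benign components
MALICIOUS_FILES = {"jli.dll", "svchost.bin"}    # malicious DLL, payload blob
DROPPED_FILES = LEGIT_FILES | MALICIOUS_FILES


def score_listing(filenames: Iterable[str]) -> Dict:
    """Score one directory listing (case-insensitive on Windows names).

    high   - all four dropped files present together
    medium - svchost.bin beside any other dropped name (the .bin has no
             legitimate reason to sit next to jjs.exe or jli.dll)
    low    - jjs.exe beside jli.dll; matches a genuine JDK bin directory
             too, so the path and DLL hash need analyst review
    none   - only benign names, or nothing from the set
    """
    present = {name.lower() for name in filenames} & DROPPED_FILES
    if present == DROPPED_FILES:
        verdict = "high"
    elif "svchost.bin" in present and len(present) >= 2:
        verdict = "medium"
    elif {"jjs.exe", "jli.dll"} <= present:
        verdict = "low"
    else:
        verdict = "none"
    return {"present": sorted(present), "verdict": verdict}


def scan_tree(root: str) -> List[Dict]:
    """Walk `root` and return every directory scoring above 'none',
    sorted by path so results are stable for diffing between runs."""
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        result = score_listing(filenames)
        if result["verdict"] != "none":
            findings.append({"directory": dirpath, **result})
    return sorted(findings, key=lambda f: f["directory"])
```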
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to defend against APTs, with a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts, because it is a common tactic used by APT groups.