skip to Main Content

APT10 is back with two new malware loaders and payloads versions

APT10 Is Back With Two New Malware Loaders And Payloads Versions

EnSilo: We detected a new activity by Chinese cyber espionage group APT10 in Southeast Asia. The chinese cyber espionage group exploited two new malware loaders and versions of it’s payloads

APT10 is back with two new malware loaders and versions of it’s payloads. It has been discovered by enSilo cyber security experts. The researchers detected a new activity by the chinese espionage group in Southeast Asia in which it used the two variants to drop four files: jjs.exe (legitimate executable), jli.dll (malicious DLL), msvcrt100.dll (legitimate Microsoft C Runtime DLL) and svchost.bin (binary file). Both variants of the loader implement the same decryption and injection mechanism. The payloads, instead, are PlugX and Quasar RATs. The former is well known to be developed in-house by the group with a rich history of being used in many targeted cyber attacks against different government and private organizations. PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption, network enumeration, files interaction, remote shell operations and more.

The cyber security experts: In the cyber attacks there are major similarities with APT10 TTPs. The group is still active

The cyber security experts also noted many major similarities with APT10 TTPs. From the bundle of legitimate executable to sideload a custom DLL along with storing the payload in a separate, encrypted file, to the use of typosquatting domain names similar to real, legitimate tech companies. Furthermore there have been used unique malware families both developed by, and associated with, the group. Finally, the chinese cyber espionage group exploits C&C servers located in South Korea. According to enSilo, some of the domain mappings were recently updated. Also, the certificate embedded in the Quasar sample was issued at 22.12.2018, which correlates with the file’s compilation date. This can indicate that these samples may be a part of a testing environment or a short-lived attack that is already finished. Either way, it’s safe to say that the threat actor behind APT10 is still active.

Back To Top