Symantec: APT10 is spying on Japan-linked organizations with living-off-the-land tools and custom malware, such as Backdoor.Hartip. The Chinese state-sponsored group also leverages the ZeroLogon vulnerability
APT10 (Cicada, Stone Panda, Cloud Hopper) is using the ZeroLogon vulnerability to attack Japan-linked organizations. The campaign has been discovered by Symantec cybersecurity experts, and it appears to be a cyber espionage operation. Victims come from multiple sectors, including the automotive, pharmaceutical, and engineering sectors, as well as managed service providers (MSPs). The Chinese state-sponsored hackers use living-off-the-land tools as well as custom malware in this attack campaign, including Backdoor.Hartip. Among the machines compromised during the campaign were domain controllers and file servers, and there was evidence of files being exfiltrated from some of the compromised machines. They also make extensive use of DLL side-loading and of the ZeroLogon vulnerability, deploying a tool capable of exploiting it. The flaw can allow attackers to spoof a domain controller account and then potentially use it to steal domain credentials, take over the domain, and completely compromise all Active Directory identity services.