skip to Main Content

Japan, new cyber attacks campaign on media by APT10 (Menupass)

Fireye: The Chinese cyber espionage group APT10 (Menupass) has launched a new cyber attacks campaign against the Japanese media sector, using different lures, to led to the installation of UPPERCUT backdoor

The Chinese cyber espionage group APT10 (Menupass) has recently launched a new cyber attacks campaign against the Japanese media sector. It has been unveiled by the FireEye cyber security experts, who blocked the aggressors. In this campaign – as the company blog reports – the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor. This backdoor is well-known in the security community as ANEL, and it used to come in beta or RC (release candidate) until recently. The attacks started with Microsoft Word documents containing a malicious VBA macro being attached to spear phishing emails. Although the contents of the malicious documents are unreadable, the Japanese titles are related to maritime (China), diplomatic (Guatemala), and North Korean issues. For the lures the malicious hackers used news and info readily available online. Including an unusual spelling of Guatemala in Japanese.

APT10 is capable of maintaining and updating its malware. Instead, it targets the same geolocation and industry: Japan and media

The APT10 malicious attachment were Word documents password protected. But in the body of the message they are delivered. Once the victims entered them, they are presented with a document that will request to enable the macro. Once executed, it drops three PEM files and finally the UPPERCUT backdoor. An updated version of the malware with new features. According to FireEye cyber security experts, there is a significant change in the way backdoor initializes the Blowfish encryption key, which makes it harder for analysts to detect and decrypt the backdoor’s network communications. This shows that the chinese cyber spies are very capable of maintaining and updating their malware. Instead, they target the same geolocation and industry: Japan and media.

The integral FireEye post

Back To Top