APT10 Targets Southeast Asia with Two New Loaders

Delaware, USA – May 28, 2019 – The Chinese hacker group APT10 (also known as Stone Panda) started using new loaders during the cyber espionage campaign in Southeast Asia. The campaign was discovered at the end of last month by security researchers from enSilo, with the help of new malware adversaries deliver modified tools used by the group in previous campaigns. Both loaders drop to the attacked system the same set of files, including the legitimate executable and Microsoft C Runtime DLL, and then use the DLL Side-Loading метод, to map the data file to memory and decrypt shellcode from it. Then loader injects shellcode containing the payload into svchost.exe. The main difference between loaders is in the persistence mechanism: one of them sets up the dropped executable as a service and starts it, while another one creates the Run registry key under the name “Windows Updata” to ensure the persistence on the infected system.

In this campaign, APT10 uses such well-known tools as PlugX and Quasar RATs as final payload. The attackers’ command-and-control infrastructure includes servers located in South Korea and typosquatting domain names similar to Microsoft and Kaspersky domains. The group has been active for at least 10 years and most of their operations are targeted at government and private organizations in the Asia region. You can study all known techniques and tools used by the group in the MITRE ATT&CK section in Threat Detection Marketplace: https://tdm.socprime.com/att-ck/?dateFrom=0&dateTo=0&searchProject=mitre&searchType=actors&searchValue=apt10

Also you can use APT Framework rule pack to add sophistication to your existing tools by leveraging the Lockheed Martin Cyber kill chain to connect the dots between low-level SIEM incidents and link them to high-confidence compromises:Also you can use APT Framework rule pack to add sophistication to your existing tools by leveraging the Lockheed Martin Cyber kill chain to connect the dots between low-level SIEM incidents and link them to high-confidence compromises: https://my.socprime.com/en/integrations/apt-framework-arcsight