Cybersecurity researchers on Tuesday disclosed particulars of a classy marketing campaign that deploys malicious backdoors for the aim of exfiltrating data from numerous business sectors situated in Japan.

Dubbed “A41APT” by Kaspersky researchers, the findings delve into a brand new slew of assaults undertaken by APT10 (aka Stone Panda or Cicada) utilizing beforehand undocumented malware to ship as many as three payloads comparable to SodaMaster, P8RAT, and FYAnti.

The long-running intelligence-gathering operation first got here into the scene in March 2019, with actions noticed as not too long ago as November 2020, when reports emerged of Japan-linked corporations being focused by the menace actor in over 17 areas worldwide.

The recent assaults uncovered by Kaspersky are mentioned to have occurred in January 2021. The an infection chain leverages a multi-stage assault course of, with the preliminary intrusion taking place through abuse of SSL-VPN by exploiting unpatched vulnerabilities or stolen credentials.

Middle to the marketing campaign is a malware referred to as Ecipekac (“Cake piece” in reverse, however with a typo) that traverses a four-layer “sophisticated loading schema” by making use of 4 recordsdata to “load and decrypt 4 fileless loader modules one after the opposite to ultimately load the ultimate payload in reminiscence.”

Whereas the principle objective of P8RAT and SodaMaster is to obtain and execute payloads retrieved from an attacker-controlled server, Kaspersky’s investigation hasn’t yielded any clues as to the precise malware delivered on course Home windows methods.

Apparently, the third payload, FYAnti, is a multi-layer loader module in itself that goes by way of two extra successive layers to deploy a final-stage distant entry Trojan often known as QuasarRAT (or xRAT).

“The operations and implants of the marketing campaign … are remarkably stealthy, making it tough to trace the menace actor’s actions,” Kaspersky researcher Suguru Ishimaru said. “The principle stealth options are the fileless implants, obfuscation, anti-VM ,and removing of exercise tracks.”

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.