Chinese-speaking cyberespionage group APT10 slides into SEA

Kaspersky researchers detected new infection attempts by APT10 against organizations in Southeast Asia (SEA) after closely monitoring the activities of what it tags as a Chinese-speaking cyberespionage group.

The global cybersecurity company monitored a new wave of attacks potentially targeting health and medical facilities in Malaysia between October and December last year and in Vietnam between February and May 2019. The malware used in the two countries differs from the tools APT10 is known for, but the goal remains the same — to steal credentials and confidential information from the infected machines.

“We have been monitoring several operations of APT10, particularly in Japan where they caused information leakage and serious reputational damage. They are known in the industry for their stealthy and large-scale cyberespionage campaigns, always hungry for confidential information and even trade secrets. Now they are extending their geography of attack towards Southeast Asia, potentially setting eyes on some medical organizations and associations in Malaysia and Vietnam,” said Suguru Ishimaru, security researcher, Kaspersky.

Many names

APT10 is known by many names such as MenuPass, StonePanda, ChessMaster, Cloud Hopper, and Red Apollo. It has figured in several high-profile attacks against different industries including information and technology, government and defense, telecommunications, academic, medical, healthcare and pharmaceutical since 2009.

Back in December, a report from PwC revealed that the alleged nation-backed group had successfully compromised key MSP (managed service provider) companies such as Hewlett Packard Enterprise Co. and IBM. Through this breach, the actors stole sensitive corporate data from the affected firms’ clients. Among the alleged targets were Australian corporations.

Several recent reports have also revealed APT10 infections in the Philippines, as well as attacks against telecommunication providers in Europe, Africa, the Middle East, and Asia.

The group is widely known in the cybersecurity industry as a Chinese-speaking cyberespionage group. While their target sectors have been changing since their first known attack, their goal to steal important information including confidential data, defense intelligence, and corporate secrets remains unchanged.

APT10 has used multiple types of RATs (remote access Trojans) in the past, including Poison Ivy, PlugX, ChChes, Redleaves, and more.

In 2017, Kaspersky detected PlugX malware in pharmaceutical organizations in Vietnam, used to steal valuable drug formulas and business information. This malware is usually spread via spear phishing and has previously been used by other Chinese-speaking actors in targeted attacks against military, government, and political organizations.

In its malicious activities in Japan, APT10 used Redleaves, a fileless malware that runs only in memory, and its variants from October 2016 to April 2018. Kaspersky researchers have discovered 120+ malicious modules of Redleaves and its variants such as Himawari and Lavender.

In Himawari samples, researchers found medical terminology as well as decoy documents related to medical, healthcare, and pharmaceutical organizations. All detected samples targeting the medical industry were also password-protected, which hindered further analysis.

Malaysia, Vietnam

“In April 2018, we have observed a new trick being used by APT10 — Zark20rk. It is another variant of Redleaves but the hackers behind this group updated some crypto algorithms, data structure, and malware features adding some key strings related to Russia. Based on their behavioral patterns, we can say this is another false flag planted to confuse researchers monitoring their movements,” said Ishimaru.

For the attacks potentially against healthcare organizations in Malaysia and Vietnam, Kaspersky found that the group has changed its main RAT from Redleaves to a well-known backdoor called ANEL. An ANEL infection usually starts with a malicious Word document containing a VBA macro that installs the ANEL modules.

To further hide their actions, APT10 built anti-AV and anti-reversing methods into ANEL and its modules: strong obfuscation to hinder reverse engineering, DLL side-loading for AV evasion, multiple layers of encryption for the malware configuration and for communication with C2s (command and control servers), and fileless execution that runs only in memory, as Redleaves does.

Trial and error

“With password-protected attachments, complicated obfuscations, evolving evasion tricks, and encrypted modules using multiple algorithms, APT10 is undoubtedly paying a lot of attention on how they conduct their attacks. Through trial and error, they are in search for the best technique to infect their specific targets. And based on the results of our investigation and the pattern of their attack behavior, medical and healthcare industry are definitely well within the radar of this group,” he adds.

Given the sophisticated nature of APT10’s techniques, Kaspersky suggests that healthcare companies consider security solutions beyond anti-virus, preferably a solution built around a Machine Learning core (Targeted Attack Analyzer) that combines advanced detection capabilities using static, behavioral, cloud reputation, sandboxing, YARA and pattern-based detection engines.

Real-time and comprehensive threat intelligence services are also necessary to build an organization’s immunity against unseen cyberattacks. Such a service gives a 360-degree view of the tactics and tools used by known past and current threat actors, making it easier to prevent and detect complex attack attempts.