Raising an alarm for the IT service providers and manufacturing companies in India, US-based cyber security group FireEye has claimed that a new set of tools is being used by China-based cyber espionage group APT10 to steal confidential business data from domestic firms to support Chinese corporations. FireEye has been tracking APT10 since 2009 and they have historically targeted construction, engineering, aerospace, telecom firms and governments in the US, Europe and Japan. “IT services have been a core engine of India’s economic growth, with service providers here scaling the value chain to manage business-critical functions of top global organisations. Campaigns like this highlight risks which all organisations should factor into their operations,” said Kaushal Dalal, Managing Director, FireEye, India, in a statement on Monday.
APT10 activity has included both traditional spear phishing and access to victim’s networks through service providers. Service providers have significant access to customer networks, enabling an attacker who had compromised a service provider to move laterally into the network of the service provider’s customer. “Targeting of these industries has been in support of Chinese national security goals, including acquiring valuable military and intelligence information as well as the theft of confidential business data to support Chinese corporations,” said FireEye in an earlier blog post.
In addition, web traffic between a service provider’s customer and a service provider is likely to be viewed as benign by network defenders at the customer, allowing the attacker to exfiltrate data stealthily. APT10 unveiled new tools in its 2016/2017 activity. “HAYMAKER” and “SNUGRIDE” have been used as first-stage backdoors, while “BUGJUICE” and a customised version of the open source “QUASARRAT” have been used as second stage backdoors.These new pieces of malware show that APT10 is devoting resources to capability development and innovation.
HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. BUGJUICE, also a backdoor, executed by launching a benign file and then hijacking the search order to load a malicious dll into it. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell.
SNUGRIDE communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. The malware’s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell. Persistence is maintained through a Run registry key, the post added. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past.