Go to listing page

APT10: A Chinese Hacking Group Targeting Managed Service Providers Through Spear Phishing

APT10: A Chinese Hacking Group Targeting Managed Service Providers Through Spear Phishing

Share Blog Post

Threat Actor Profile


Origin: China, 2009

Aliases: Cloud Hopper, Red Apollo, CNVX, Stone Panda, MenuPass, POTASSIUM, MenuPass Group, APT 10

Key Target Sectors: Construction and Engineering, Aerospace, and Telecom firms, and Governments

Attack Vectors: Spear phishing, Spam Email, Data-theft, Typosquatting, Unauthorized Access, Phishing, Backdoor

Target Region: North America, South-East Asia, Eastern Asia, Western Europe 

Malware Used: Haymaker, Bugjuice, Snugride, QuasarRAT, RedLeaves, PlugX, PoisonIvy and ChChes

Tools Used: Certutil, Cmd, Impacket, Mimikatz, Net, Ping and PsExec

Vulnerabilities Exploited: Eternalromance Exploit (CVE-2017-0143)

Overview


APT10 is a cyber espionage threat group that originated from China and is active since 2009. The group has been taking interest in various sectors, including defense, healthcare, government, and aerospace. Between 2016 and 2017, the group was observed targeting managed IT service providers, manufacturing and mining companies, and a university as well. Recently, in April 2019, its activity was seen again in Southeast Asia, a region where this APT frequently operates.

Which organizations have they targeted?


APT10 is primarily known for targeting US government and defense industrial base organizations, with the earliest known activity traced back to December 2009. It has also been observed targeting organizations in Japan, United Kingdom, India, Canada, Brazil, South Africa, Australia, Thailand, South Korea, France, Switzerland, Sweden, Finland, and Norway. Between 2016 and 2017, the group targeted manufacturing organizations in India, Japan and Northern Europe; a mining organization in South America, and various IT service providers worldwide. The group was probably also involved in the data leaks of Japan's major business lobby Keidanren in 2016. Later in early 2018, the APT10 was seen again carrying out a cyber attack against the systems used in the Pyeongchang, South Korea, WinterOlympics 2018 (using EternalRomance SMB exploit). Numerous small code fragments scattered throughout different samples of malware were found in these attacks, which were uniquely linked to APT3, APT10, and APT12. In April, APT10 was found stealing financial information from US firms,  seeking to give domestic Chinese enterprises an edge in international deals, along with getting information about Tokyo's policy toward resolving the North Korean nuclear situation from Japanese defense firms. At the late-2018, it was also revealed that around nine global Managed Service Providers (MSPs) including Hewlett Packard Enterprise and IBM were compromised in attacks by China's APT10 group. Recently, in April 2019, new activities were detected in the region of Southeast Asia, where new malware variants linked to APT10 were discovered.  

What is their motivation behind the attacks?


APT10 focuses on strategic intelligence based targets related to trade negotiations, development, and research in competition with Chinese commercial entities, and high-value counterintelligence targets overseas. The targeting of these organizations is supported by Chinese national security goals, including obtaining valuable intelligence and military information as well as the theft of secret business data to support Chinese corporations. The group has traditionally targeted at scale when attacking commercial enterprise. However, at the beginning of 2018, they’ve begun devoting a portion of their operations to target Managed Service Providers (MSPs), most likely to exfiltrate sensitive client data.

Modus Operandi


APT10 attack methods include use of both traditional spear phishing campaigns and backdoors to penetrate inside the targeted network. APT10’s spear phishing attacks have been relatively unsophisticated, leveraging .lnk files within archives, files with double extensions (e.g.[Redacted]_Group_Meeting_Document_20170222_doc_.exe) and in some cases identically named decoy documents and malicious launchers within the same archive. In addition to the spear phishers, APT10 was also observed to target victims through global third-party service providers.
APT10 originally used PlugX malware from 2014 to 2016, progressively improving and deploying newer versions, while simultaneously standardizing their command and control function. The 2016 attack on TeamViewer, in which the hackers breached their network using Winnti (backdoor), was also believed to be linked with this group. APT10 ceased its use of the Poison Ivy malware family after a security firm comprehensively detailed the malware’s functionality and features. In late-2018, the group updated their attack techniques, like the spear phishing emails, were now carrying malicious Word documents that attempted to deliver the UPPERCUT backdoor. The password protected documents carried a malicious VBA macro and used Japanese titles related to maritime, diplomatic, and North Korean issues. Recently in April 2019, the group was seen using fake or misspelled domain names similar to real, legitimate tech companies (a method known as Typosquatting) and also using C&C servers located in South Korea. In May 2019, a Linux version of the Winnti malware was identified in a cyberattack against Bayer. This Linux version of Winnti comprised of two files: libxselinux (the main backdoor) and libxselinux.so (a library used to bfuscate its activities).

Known tools and malware


The group has devoted their resources to increase the capability of their malware known as Haymaker, Bugjuice, Snugride, and Quasarrat. The group's malware can be classified into two distinct areas: sustained and tactical. The tactical malware, EvilGrab, and now ChChes (and likely also RedLeaves), are designed to be lightweight and disposable, while the sustained malware, Poison Ivy, PlugX and now Quasar, provides a more comprehensive feature set. 

Malicious programs used by APT10

  • Haymaker - A backdoor that can execute and download other payloads in the form of modules.
  • Bugjuice - A backdoor that is executed by launching a benign file to hijack the search order for loading a malicious DLL into it.
  • Snugride - A backdoor that communicates with its C2 server via HTTP requests.
  • QuasarRAT -  A fully functional .NET backdoor, which has been used by multiple cyber espionage groups in the past.
  • RedLeaves - A malware family, whose code overlaps with PlugX and os possibly based on the open-source tool Trochilus.
  • PlugX -  A remote access tool (RAT) that uses modular plugins.
  • PoisonIvy - A popular remote access tool (RAT) that has been used by many cyber espionage groups.
  • ChChes -  Trojan that is believed to be used exclusively by APT10.
  • EvilGrab - A malware family with common reconnaissance capabilities.
  • PowerSploit - An open source, offensive security framework, that comprises of PowerShell modules and scripts.

Known Commercial/Open Source Tools used by APT10

  • Certutil - A command-line utility that can be used to obtain certificate authority information and configure Certificate Services.
  • Cmd - Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities
  • Impacket - An open source collection of modules written in Python for programmatically constructing and manipulating network protocols.
  • Mimikatz - A credential dumper, capable of obtaining plaintext Windows account logins and password.
  • Net - A utility component of the Windows operating system.
  • Ping -  An operating system utility commonly used to troubleshoot and verify network connections.
  • PsExec - A Microsoft tool that can be used to execute a program on another computer.
  • Pwdump - A credential dumper used to dump passwords.

Attribution


In Dec 2018, two individuals, named Zhu Hua and  Zhang Shilong, were charged with hacks of more than 45 technology organizations and government departments operating in the USA. The duo, thought to be associated with APT10, worked for Chinese organization "Huaying Haitai", and also worked with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau (TSSB). They were mainly assigned the task of stealing data from targeted organizations. The pair was also accused of hacking a large number of managed service providers from 2014 onwards, that were remotely providing IT services for various prominent customers. The hackers were behind the data on a vast number of industry sectors, including satellite tech, aviation, pharmaceutical, mining, manufacturing, production and oil/gas exploration. In the process, they eventually stole hundreds of gigabytes of critical data.

Prevention


Organizations should deploy reliable antivirus solutions to guard against the known malware, which are commonly used by APT10 to penetrate the targeted network. Application control or application whitelisting tools can be useful in preventing any unauthorized executable from executing, which are mostly spread via spear phished emails. With smart usage monitoring tools leveraging orchestration technology, IT teams can detect any unusual behavior, prevent it, and contain it from impacting critical systems of organizations. Sharing of Strategic and Tactical Threat Intelligence with trusted partners, ISACs and regulatory bodies can also help organizations develop and practice shared strategies for combating such threats. Finally, automated maintenance using a reboot-to-restore software can help ensure clean configurations. This can also prevent the inactive threats to remain hidden or propagate inside a network for a longer duration.

Indicators of Compromise


Originating IP Address
27.102.128[.]157
27.102.127[.]80 
27.102.127[.]75 
27.102.66[.]67 
27.102.115[.]249

SHA256 Hashes
0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded 96649c5428c874f2228c77c96526ff3f472bc2425476ad1d882a8b55faa40bf5 c8d86e9f486d23285b744279812ef9047a0908e39656c2ea4cdf3e182f80e11d f13536685206a94a8d3938266f100bb2dffa740a202283c7ea35c58e6dbbb839 e0f91da52fdc61757f6a3f276ae77b01d2d1cc4b3743629c5acbd0341e5de80e 02b95ef7a33a87cc2b3b6fd47db03e711045974e1ecf631d3ba9e076e1e374e9 29b0454db88b634656a3fc7c36f318b126a83ae8fb7f73fe9ff349a8f8536c7b 41542d11abf5bf4a18332e9c4f2c8d1eb5c7e5d4298749b610d86caaa1acb62c

Filename
jli.dll

Domains
update[.]kaspresksy[.]com 
Download[.]kaspresksy[.]com
 Api[.]kaspresksy[.]com
ffca[.]caibi379[.]com 
Update[.]microsofts[.]org
Ppit[.]microsofts[.]org
cahe[.]microsofts[.]org
File namejli.dll
bdoncloud[.]com
cloud-kingl[.]com
cloud-maste[.]com
incloud-go[.]com
incloud-obert[.]com
catholicmmb[.]com
ccfchrist[.]com 
cwiinatonal[.]com
usffunicef[.]com
salvaiona[.]com
meiji-ac-jp[.]com
u-tokyo-ac-jp[.]com
jica-go-jp[.]bike
jica-go-jp[.]biz
jimin-jp[.]biz jimin.jp
Mofa-go-jp[.]com

Winnti Command and Control Servers
newpic[.]dyndns[.]tv
update[.]ddns[.]net
nd[.]jcrsoft[.]com
cc[.]nexoncorp[.]us
98[.]126[.]36[.]202
kr[.]zzsoft[.]info
as[.]cjinternet[.]us
ca[.]zzsoft[.]info
sn[.]jcrsoft[.]com
lp[.]apanku[.]com
sshd[.]8866[.]org
ftpd[.]6600[.]org
tcpiah[.]googleclick[.]net
rss[.]6600[.]org
lp[.]zzsoft[.]info
lp[.]gasoft[.]us
eya[.]jcrsoft[.]com
ftpd[.]9966[.]org
kr[.]xxoo[.]co
wi[.]gcgame[.]info
tcp[.]nhntech[.]com
ka[.]jcrsoft[.]com
my[.]zzsoft[.]info
jp[.]jcrsoft[.]com
su[.]cjinternet[.]us
vn[.]gcgame[.]info
ap[.]nhntech[.]com
ru[.]gcgame[.]info
kr[.]jcrsoft[.]com
wm[.]ibm-support[.]net
fs[.]nhntech[.]com
docs[.]nhnclass[.]com
rh[.]jcrsoft[.]com
wm[.]nhntech[.]com
wm[.]myxxoo[.]com
ka[.]zzsoft[.]info
ad[.]jcrsoft[.]com
my[.]gasoft[.]us

MD5
06d8b1468f09d10aa5c4b115544ccc6e 
0cd07490fc02e2a602781bb939d0bc3d 
2d0950f69e206486c5272f2b0fc3aa22 
3358c54a22d186ec9de0f15bc4bb2698 
35bdc5a2acf35bdf9fb9169e1a47d3e7 
5778178a1b259c3127b678a49cd23e53 
6dfcdc4c8edc77642f15592143f34569 
9a83cd3f8e619c8b1b38b0b5ceeea357 
afe4ec9a88f84fbf9c1eb0f3ff47a12b 
B0BD6C215A7C20B23FD23D77FA26F3BA 
bbbb9bb5c7a59b98f18b06344ac8980f 
d23237edbdcc4118b538454b45c00021 
d4a2060a5086c56f7ff65eaa65de81ff 
dc22d742a15f8d6d8edf49d1c8cc8be9 
e7e5c5c991e6d66fca16c988c891e10f 
F4c9bc4f045b90c496df4b75398dfa5c
04f3fbaaaf5026df29e0d7d317194043 
07e40089cdf338e8d1423b3d97332a4d 
0b105cd6ecdfe5724c7db52135aa47ef 
7024ea8285cee098829ac8f2b1de4455

 Tags

plugx
cloud hopper
apt10
mimikatz
winnti
redleaves

Posted on: July 04, 2019


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite