Let’s go back to 2019. An APT campaign, conducted by APT10, was spotted that targeted various sectors, most prominently the Japanese manufacturing sector and its overseas operations. Dubbed A41APT, the purpose of the campaign was to steal information.
Now, this campaign went on until January 2021 and most of the malware families used were never-seen-before fileless malware. However, the particular malware we will be talking about here is called Ecipakec, also known as HEAVYHAND, SigLoader, and DESLoader. This multi-layer module delivers payloads such as P8RAT, FYAnti, and SodaMaster.
The attack campaign
- The activity related to the campaign was first observed in November 2020 when reports of Japan-linked organizations being targeted in 17 regions across the world emerged.
- The most recent attacks were conducted in January where Ecipekac was used and the initial intrusion was via exploiting SSl-VPN flaws or stolen credentials.
Connection with APT10
- An earlier version of SodaMaster was leveraged in an attack against Turkey. The attack was conducted by APT10.
- xRAT (QuasarRAT) has been discovered in the current campaign and has common Tactics, Techniques, and Procedures (TTPs) with an earlier report.
Connection with BlackTech
- Common attributes have been identified between SodaMaster and TSCookie.
- The same info—username, computer name, and current process ID—is collected from the victim during the initial stages.
- TSCookie and SodaMaster have been spotted present together in several compromised systems.
The bottom line
It is necessary that Japan-linked companies stay on high alert and implement maximum security as this highly targeted and obfuscated campaign has set its eyes on them. APT10 definitely has a lot of resources to conduct such a sophisticated campaign, implying that the attacks can have cataclysmic consequences. Furthermore, the use of multi-layer malware and payloads, makes it difficult for security teams to detect activities on compromised hosts.