A China-backed APT group has been linked to a new, long-running espionage campaign against Japanese entities. The threat group, tracked as Cicada (aka APT10), now appears to have expanded its targeting to the rest of the world.

Exploiting Exchange Servers

According to researchers, the widespread intrusions are believed to have begun around mid-2021, with the most recent activity observed in February 2022.
  • Multiple attacks were spotted on Microsoft Exchange Servers, suggesting exploitation of a known or unpatched vulnerability to gain access to victim networks.
  • The primary victims are government-related institutions and NGOs, including some NGOs working in the education and religious sectors. Additional targeted sectors are legal, telecoms, and pharmaceutical.
  • The victims are located in multiple countries such as the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, Japan, and Italy. In previous attacks, the group focused on Japanese entities.

The attribution of recent activity to Cicada is based on the existence of custom loaders and custom malware on victim networks that are believed to be exclusively used by this APT group.

Operation details of the campaign

In their recent campaigns the attackers used a range of tools for different tasks, including a RAR archiving tool, system and network discovery tools, WMIExec, and NBTScan.
  • After successfully gaining access to machines, attackers deployed a custom loader and the Sodamaster backdoor. The loader was deployed in a previous Cicada attack as well.
  • Additionally, they dumped credentials using a custom Mimikatz loader. The loader obtains plaintext credentials for any user and provides persistence across reboots.
  • The attackers also abused the legitimate VLC Media Player by executing a custom loader through its exports function, and used the WinVNC tool for remote control of victim machines.
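The tooling listed above (tool-based discovery and remote control, credential dumping, a legitimate host process abused to run a custom loader, and archiving for staging) maps to a handful of host-level telemetry checks. The following triage script is an added example written for this brief; it is not code from Cyware or from the researchers, and it publishes no indicators from the campaign. The event schema (Sysmon-style ProcessCreate, ImageLoad and ProcessAccess records as dictionaries), the tool file names, the lsass-reader allowlist and the sample events are all constructed assumptions for illustration.

```python
"""Defender-side triage heuristics for the Cicada TTPs described in the brief.

Added example: the event format, file names, allowlist and sample records
are constructed for illustration, not taken from the campaign.
"""
import ntpath

# Tools the brief names for discovery and remote control (assumed file names).
SUSPECT_TOOLS = {"nbtscan.exe", "wmiexec.exe", "winvnc.exe"}
# Legitimate host process the brief says was abused to run a custom loader.
SIDELOAD_HOSTS = {"vlc.exe"}
# Archivers used for staging collected data (assumed file names).
ARCHIVERS = {"rar.exe", "winrar.exe"}
# Processes expected to open lsass.exe; an assumed, deliberately short allowlist.
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "msmpeng.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def _dir(path):
    """Lower-cased directory of a Windows path."""
    return ntpath.dirname(path).lower()


def check_event(ev):
    """Return (rule_name, detail) if the event matches a heuristic, else None."""
    kind = ev.get("type")

    if kind == "ImageLoad":
        host = _base(ev["image"])
        loaded = ev["loaded"]
        # A sideloading host loading an unsigned DLL, or a DLL from outside
        # its own directory, is the classic custom-loader pattern.
        if host in SIDELOAD_HOSTS and (
            not ev.get("signed", False) or _dir(loaded) != _dir(ev["image"])
        ):
            return ("dll_sideload", f"{host} loaded {loaded} signed={ev.get('signed')}")

    elif kind == "ProcessCreate":
        img = _base(ev["image"])
        cmdline = ev.get("cmdline", "")
        if img in SUSPECT_TOOLS:
            return ("suspect_tool", f"{img} started: {cmdline}")
        # 'a' is the add-to-archive command; archive creation by an archiver
        # is worth a look when it is not part of normal user activity.
        if img in ARCHIVERS and " a " in f" {cmdline} ":
            return ("archive_staging", f"{img} creating archive: {cmdline}")

    elif kind == "ProcessAccess":
        # Credential dumpers read LSASS memory; anything outside the
        # allowlist touching lsass.exe is a candidate for review.
        if _base(ev["target"]) == "lsass.exe" and _base(ev["source"]) not in LSASS_READERS_ALLOWED:
            return ("lsass_access", f"{ev['source']} opened lsass.exe")

    return None


def triage(events):
    """Run every event through the heuristics and collect the hits in order."""
    hits = []
    for ev in events:
        hit = check_event(ev)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample telemetry: a mix of benign and suspicious records.
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "signed": True},
    {"type": "ImageLoad", "image": r"C:\Users\Public\Music\vlc.exe",
     "loaded": r"C:\Users\Public\Music\libvlc.dll", "signed": False},
    {"type": "ProcessCreate", "image": r"C:\Users\Public\nbtscan.exe",
     "cmdline": "nbtscan.exe 10.0.0.0/24"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "ProcessAccess", "source": r"C:\Users\Public\loader.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"type": "ProcessAccess", "source": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"type": "ProcessCreate", "image": r"C:\Users\Public\rar.exe",
     "cmdline": r"rar.exe a -hp C:\Users\Public\out.rar C:\Users\alice\Documents"},
    {"type": "ProcessCreate", "image": r"C:\Users\Public\winvnc.exe",
     "cmdline": "winvnc.exe -run"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The rules are intentionally coarse: the ImageLoad rule alone will fire on any portable VLC install, so in practice the hits feed an analyst queue or a correlation layer (for example, a sideload hit followed by an lsass_access hit from the same host) rather than a blocking control.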

Conclusion

The Cicada group has begun targeting multiple entities across regions, an effort that demands considerable resources and skill. This indicates a well-resourced group that is actively working to expand the scope of its campaigns, which makes it a formidable threat.

Cyware Publisher
