Chinese-linked APT10 adds new Quasar RAT and PlugX variants to its arsenal

• The APT10 group has been found deploying two new loader variants towards the end of April 2019.
• The attackers are using new variants of PlugX and Quasar RAT as final payloads in their latest attack campaigns.

A new activity related to Chinese cyber espionage group APT10 has emerged lately. The group’s activity has been found using new loader variants and various payloads to launch attacks against government and private organizations in Southeast Asia.

What’s the matter?

The experts at enSilo have found the APT10 group deploying two new loader variants towards the end of April 2019. The two loader variants share similar tactics, techniques and procedures, and code associated with APT10.

During the initial stage of the infection process, these loader variants drop the following files to distribute other malicious payloads. The malicious files are:

• jjs.exe - legitimate executable
• jli.dll - malicious DLL
• msvcrt100.dll - legitimate Microsoft C Runtime DLL
• svchost.bin - binary file

The group is heavily relying on domain name squatting scheme that tends to confuse the observer by posing as a legitimate domain. The domains are spoofed using famous brands - Microsoft and Kaspersky.

Final payloads

The attackers are using new variants of PlugX and Quasar RAT as final payloads in their latest attack campaigns. These samples are believed to originate from the Philippines.

About the new Quasar RAT

The new version of Quasar RAT contains SharpSploit to extract passwords from the victim machine. SharpSploit is a .NET post-exploitation library written in C#.

Apart from SharpSploit, the new Quasar RAT variant’s configuration also includes:

• C&C server: cahe.microsofts.org:443
• Mutex name: “QSR_MUTEX_rSifQNOVTwHrsBs2nd”
• A self-signed certificate issued to “MSGQ Server CA”

About PlugX variant

Researchers note that the new variant of PlugX RAT shares some similarities with the Paranoid PlugX variant.

Like previous versions, the new version collects information about the infected machine such as the computer name, username, OS version, RAM usage, network interfaces, and resources.

Once installed, the malware makes sure to kill all the processes before starting its infection process. It also deletes any related keys in the registry and directories on the machines to proceed further.