Chinese threat group APT10 targeting Japanese organizations with UPPERCUT backdoor

• The threat group has been active since 2009 and has previously targeted Japanese entities.
• The group made minor improvements to the UPPERCUT backdoor between December 2017 and May 2018.

The Chinese threat group ATP10 was recently found targeting Japanese organizations. APT10 has been active since at least 2009 and has previously targeted Japanese entities. The APT group is now using an upgraded version of the backdoor malware called UPPERCUT (aka ANEL), in its new phishing campaign.

APT10’s new campaign involves the group sending out emails that come attached with Microsoft Word documents. These documents are embedded with malicious VBA macros. The phishing emails use lures related to maritime, diplomatic, and North Korean issues - all of which may be of interest to a Japanese target.

“For the North Korean lure, a news article with an identical title was readily available online. It’s also worth noting that in the Guatemalan lure, the attacker used an unusual spelling of Guatemala in Japanese,” FireEye security researchers, who uncovered the new APT10 campaign, wrote in a blog. “The top result of a Google search using the same spelling led us to the event website for the lecture of the Guatemalan Ambassador, held in August 2018.”

Modus operandi

Apart from lures relating to Japan’s geopolitical issues, APT10 also uses lures that may be interested in Latin American issues. The initial malicious Word documents used in the campaign were password-protected, likely in an effort to circumvent detection. Once the password to the Word document, which is present in the email body, is entered in, the victim is prompted to enable the malicious macros.

UPPERCUT upgraded

FireEye researchers believe that APT 10 made minor improvements to the UPPERCUT backdoor malware between December 2017 and May 2018. One of the new features of the malware allows it to send an error code in the Cookie header, in the event that the malware fails to receive HTTP responses from its C2 server.

“The error code is the value returned by the GetLastError function and sent in the next beacon. This was likely included to help the attackers understand the problem if the backdoor is unable to receive a response. This Cookie header is a unique indicator that can be used for network-based detection,” FireEye researchers said.

In previous versions, UPPERCUT used Blowfish encryption to communicate with its C2 server. However, in the backdoor’s latest version, the malware’s keys are hard-coded uniquely for each C2 address, and the C2’s calculated MD5 hash is used to ascertain which key should be used.

“While APT10 consistently targets the same geolocation and industry, the malware they use is actively evolving,” FireEye researchers said. “In the newer versions of UPPERCUT, there is a significant change in the way backdoor initializes the Blowfish encryption key, which makes it harder for analysts to detect and decrypt the backdoor’s network communications. This shows that APT10 is very capable of maintaining and updating their malware.”