## APT10: Tracking down the stealth activity of the A41APT campaign

Suguru Ishimaru / Yusuke Niwa / Charles Li / Motohiko Sato / Hajime Yanagishita

2020/02/25 GReAT Ideas Green tea edition

-----

#### Presenters / Coauthors

| Name | Affiliation | Role |
|---|---|---|
| Charles Li | Team T5 | Chief Analyst of TeamT5 |
| Hajime Yanagishita | Macnica Networks | Security Researcher |
| Yusuke Niwa | ITOCHU Corporation, ITCCERT | Cyber Security Researcher |
| Motohiko Sato | ITOCHU Corporation, ITCCERT | Sr. Cyber Security Researcher |
| Suguru Ishimaru | Kaspersky GReAT | Malware Researcher |

-----

#### Agenda

1. Campaign Overview
2. Malware Analysis
3. Characteristics of Intrusion
4. Threat Actor's Infrastructure
5. Consideration of Threat Actor's Attribution
6. Summary

-----

#### 1. A41APT Campaign Overview

-----

#### A41APT Campaign Overview

- Period of activity: March 2019 to January 2021
- Target: Japan (Japanese companies, including overseas branches)
- Infection vector: SSL-VPN abuse (spear-phishing was not observed)
- Implants: DESLoader, SodaMaster, P8RAT, FYAntiLoader, etc.
- Characteristics: the attacker's intrusion is very hard to detect

We call this threat campaign A41APT after the hostname "DESKTOP-A41UVJV", which is used continuously during the initial intrusion.

-----

#### Public info

- 【緊急レポート】Microsoft社のデジタル署名ファイルを悪用する「SigLoader」による標的型攻撃を確認 ("[Urgent report] Targeted attack confirmed using "SigLoader", which abuses Microsoft digitally signed files") [1]
- Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign [2]
- @Int2e_'s tweet [3]
- Attacks Exploiting Vulnerabilities in Pulse Connect Secure [4]

-----

#### 2. Malware Analysis

-----

#### 2. Malware Analysis

1. DESLoader
2. Payloads of DESLoader
   - SodaMaster
   - P8RAT
   - FYAntiLoader ⇒ .NET Loader (ConfuserEx v1.0.0) ⇒ xRAT

-----

#### 2-1. DESLoader

Aka. SigLoader, Ecipekac, HEAVYHAND

- Unique multi-layer loader for payloads
- Uses 4 files in the same directory
- DLL side-loading
- Two of the DLLs contain the encrypted shellcode of the Layer II and Layer IV loaders
- The Layer II, III and IV loaders and the payload are fileless implants

Files in the example set:

| File | Role |
|---|---|
| policytool.exe | Legitimate EXE |
| jli.dll | Layer I loader, side-loaded by the legitimate EXE |
| vac.dll | DLL containing encrypted shellcode: Layer II loader |
| pcasvc.dll | DLL containing encrypted shellcode: Layer IV loader |

-----

#### Example of DESLoader's payload loading flow

1. policytool.exe (legitimate EXE) side-loads jli.dll (Layer I).
2. jli.dll loads vac.dll and decrypts shellcode1 (Layer II) from it.
3. shellcode1 performs reflective DLL injection of embedded DLL1 (Layer III).
4. embedded DLL1 loads pcasvc.dll and decrypts shellcode2 (Layer IV) from it.
5. shellcode2 performs reflective DLL injection of embedded DLL2, the payload.

Layers II to IV and the payload are fileless implants. In Layer I, junk code using OutputDebugStringA(), time64(), rand() and srand() is found, for anti-reversing.

-----

#### jli.dll: Layer I Loader

Multiple algorithms (XOR, DES, AES and RSA) are implemented, and the order in which they are used is configured. The loader reads the encrypted data from the end of vac.dll, back to the configured size, and decrypts it.

vac.dll layout: MZ/PE header, section table, sections 1…N, and the embedded data at the end of the file. Crypto algorithms defined in the example sample:

1. XOR, key = 0x9F
2. AES (CBC mode), key = 83H4uREKfFClDH8ziYTH8xsBYa32p3wl, IV = 83H4uREKfFClDH8z

-----

#### shellcode1: Layer II Loader

The Layer II loader checks the magic bytes "ecipekac" (or "9F 8F 7F 6F" or "BF AF BF AF"). Then it reconstructs and loads each part of embedded DLL1 in the correct order of the PE format for reflective DLL injection.

Layout of shellcode1 (offsets from the example sample):

| Offset | Content |
|---|---|
| 0x00000 | shellcode |
| 0x00bf5 | "ecipekac" magic bytes |
| 0x00bfd | Size of buf |
| 0x00c01 | Size of code |
| 0x00c05 | Section table |
| 0x01000 | Section 1 … N |
| 0x39a1d | PE header |
| 0x39b25 | end |

Reconstructed embedded DLL1: MZ at 0x00000, PE at 0x000E0, section table at 0x001E8, section 1 … N from 0x01000.

-----

#### embedded PE1: Layer III Loader

The Layer III loader is similar to the Layer I loader. The sequence of algorithms is the reverse of the Layer I loader's, and the hardcoded keys are different. It loads pcasvc.dll (same layout: MZ/PE header, section table, sections 1…N, embedded data, defined crypto algorithms) and decrypts shellcode2 (Layer IV) from it.

1. AES, key = K4jcj02QSLWp8lK9gMK9h7W0L9iB2eEW, IV = K4jcj02QSLWp8lK9

-----

#### shellcode2: Layer IV Loader

Three different types of shellcode were confirmed as the Layer IV loader:

1. Shellcode similar to the Layer II shellcode, for P8RAT and FYAntiLoader
2. Cobalt Strike's stager shellcode
3. Shellcode dedicated to SodaMaster

The SodaMaster-dedicated shellcode2 contains the following data structure; the decrypted payload (embedded DLL2) is loaded by reflective DLL injection.

|offset|data|description|
|---|---|---|
|0x000|`90 90 90 90 90 90 90 90`|Magic bytes for identification, compared before the data is processed|
|0x008|`0x11600`|Size of the encrypted data (only this value has been observed)|
|0x00C|`A9 5B 7B 84 9C CB CF E8 B6 79 F1 9F 05 B6 2B FE`|16-byte RC4 key (each sample has a different key)|
|0x01C|`C7 36 7E 93 D3 07 1E 86 …`|SodaMaster payload encrypted with RC4|

-----

#### DESLoader Timeline

The timeline of DESLoader based on compilation time, with the file name of each loader and its payload.

[Timeline figure: compilation dates Oct 2019, Dec 2019, May 2020, Jun 2020, Jul 2020, Sep 2020, Oct 2020, Dec 2020. Loader file names grouped by payload: SodaMaster (+Cobalt Strike's stager): jli.dll, WTSAPI32.DLL, vmtools.dll, NETAPI32.DLL, SECUR32.dll, JLI.dll, DBUS-1-3.DLL, VMTOOLS.DLL, LIBEAY32.DLL; Cobalt Strike's stager: sbiedll.dll, dbus-1-3.dll, GLIB-2.0.DLL, JLI.DLL, SBIEDLL.DLL, DBUS-1-3.DLL, jli.dll; P8RAT: kbb.dll, vmtools.dll, uxtheme.dll, jli.dll; FYAnti: CCFIPC64.DLL.]

-----

#### 2-2. Payloads of DESLoader

1. SodaMaster
2. P8RAT
3. FYAntiLoader ⇒ .NET Loader (ConfuserEx v1.0.0) ⇒ xRAT

-----

#### SodaMaster

Aka. DelfsCake, dfls, DARKTOWN

- One of DESLoader's payloads
- Fileless RAT (x64/x86)
- Command identifiers are d, f, l and s
- Checks for a VM environment via the registry value HKCR\Applications\VMwareHostOpen.exe

-----

#### SodaMaster

- Mutex value = the CRC32 of the hardcoded base64(RSA key) + 12 bytes of data, in reversed byte order. Example: CRC32 0x8d01ca9f → Mutex 9FCA018D
- The initial C2 communication data is encrypted with RSA. The RSA key is hardcoded, and the data contains a randomly generated RC4 key.
- Data sent in the initial communication: key_blob (base64 RSA key + 12 bytes), User, host, PID, os_ver, socket, Exec Date, RC4key
- Further communication data is encrypted with RC4 using the randomly generated key

-----

#### P8RAT

Aka. GreetCake, HEAVYPOT

- One of DESLoader's payloads
- x64 fileless RAT
- 10 backdoor commands
- The main feature appears to be command 301: execution of a secondary PE-based payload downloaded into memory
- P8RAT checks for VMware and VirtualBox: vboxservice.exe, vmtools.exe

-----

#### P8RAT backdoor commands

The three right-hand columns give the status of each command in the P8RAT samples compiled on 2020-03-30, 2020-08-26 and 2020-12-14.

|cmd|Description|2020-03-30|2020-08-26|2020-12-14|
|---|---|---|---|---|
|300|Closing socket|Enable|Enable|Enable|
|301|Creating a thread for executing/loading a downloaded PE|Enable|Enable|Enable|
|302|No functionality|Enable|Removed|Removed|
|303|Sending randomly generated data|Enable|Enable|Enable|
|304|Executing/loading downloaded PE/shellcode|Enable|Removed|Removed|
|305|Setting the value of "Set Online Time" (the string of the setting value was removed from the P8RAT built on 2020-08-26)|Enable|Enable|Enable|
|306|Setting the value of "Set Reconnect TimeOut" (the string of the setting value was removed from the P8RAT built on 2020-08-26)|Enable|Enable|Enable|
|307|Setting the value of "Set Reconnect times" (the string of the setting value was removed from the P8RAT built on 2020-08-26)|Enable|Enable|Enable|
|308|Setting the value of "Set Sleep time" (the string of the setting value was removed from the P8RAT built on 2020-08-26)|Enable|Enable|Enable|
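Pulling together two SodaMaster details from the slides above (the Layer IV data structure and the mutex derivation), the following Python helper is an added example, not tooling from the presentation: it decodes the Layer IV container and derives the mutex name an analyst would hunt for. The RC4 key is the one from the table; the payload and the RSA key blob are constructed stand-ins.

```python
"""SodaMaster artefact helpers: added example, not tooling from the presentation.
Decodes the Layer IV container tabulated above (8-byte 0x90 magic, DWORD size at
0x008, 16-byte RC4 key at 0x00C, RC4-encrypted payload from 0x01C) and derives the
mutex from the CRC32 of the hardcoded key blob (base64 RSA key + 12 bytes), taken
in reversed byte order. The key blob and payload below are constructed stand-ins."""
import base64
import struct
import zlib

MAGIC = b"\x90" * 8            # 0x000: compared before any data is processed
HDR = struct.Struct("<I16s")   # 0x008: size of encrypted data, 0x00C: RC4 key
PAYLOAD_OFF = 0x1C             # 0x01C: start of the RC4-encrypted payload

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it also builds the sample blob."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def parse_layer4(blob: bytes) -> dict:
    """Check the magic, read size and key, and RC4-decrypt the payload.
    Raises ValueError when the magic is wrong or the size overruns the buffer."""
    if len(blob) < PAYLOAD_OFF or blob[:8] != MAGIC:
        raise ValueError("not a SodaMaster Layer IV container (magic mismatch)")
    size, key = HDR.unpack_from(blob, 8)
    if size == 0 or PAYLOAD_OFF + size > len(blob):
        raise ValueError(f"declared size 0x{size:x} does not fit the buffer")
    payload = rc4(key, blob[PAYLOAD_OFF:PAYLOAD_OFF + size])
    return {"size": size, "key": key.hex(), "payload": payload,
            "is_pe": payload[:2] == b"MZ"}

def build_layer4(key: bytes, payload: bytes) -> bytes:
    """Construct a container in the same layout (for offline testing only)."""
    return MAGIC + HDR.pack(len(payload), key) + rc4(key, payload)

def mutex_from_crc(crc: int) -> str:
    """Byte-reverse the CRC32 and format it as upper-case hex:
    0x8d01ca9f -> '9FCA018D', the value shown on the slide."""
    return struct.pack("<I", crc).hex().upper()

def sodamaster_mutex(b64_rsa_key: bytes, trailer: bytes) -> str:
    """Mutex = byte-reversed CRC32 over base64(RSA key) + 12 bytes of data."""
    if len(trailer) != 12:
        raise ValueError("exactly 12 bytes follow the base64 key in the blob")
    return mutex_from_crc(zlib.crc32(b64_rsa_key + trailer) & 0xFFFFFFFF)

# constructed sample: the RC4 key from the table above, a minimal MZ/PE stub as
# payload, and a placeholder key blob (not a real SodaMaster RSA key)
SAMPLE_KEY = bytes.fromhex("A95B7B849CCBCFE8B679F19F05B62BFE")
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"stub"
SAMPLE_BLOB = build_layer4(SAMPLE_KEY, SAMPLE_PAYLOAD)
FAKE_KEY_BLOB = base64.b64encode(b"constructed-rsa-public-key-placeholder")
FAKE_TRAILER = bytes(range(12))

if __name__ == "__main__":
    info = parse_layer4(SAMPLE_BLOB)
    print(f"size=0x{info['size']:x} key={info['key']} pe={info['is_pe']}")
    print("expected mutex:", sodamaster_mutex(FAKE_KEY_BLOB, FAKE_TRAILER))
```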
-----

#### FYAntiLoader

Aka. DILLJUICE stage2

- One of DESLoader's payloads
- Fileless multi-layer loader module
- Provocative export function name
- Loads the .NET Loader using CppHostCLR
- Contains a .NET Loader packed with ConfuserEx v1.0.0
- Finally, the payload is xRAT (QuasarRAT)

-----

#### Example of FYAntiLoader's payload loading flow

1. usoclient.exe (legitimate EXE) side-loads CCFIPC64.dll (Layer I).
2. CCFIPC64.dll loads msftedit.prf.coo and decrypts shellcode1 (Layer II) from it.
3. shellcode1 performs reflective DLL injection of embedded DLL1 (Layer III).
4. embedded DLL1 loads msdtcuiu.adi.wdb and decrypts shellcode2 (Layer IV) from it.
5. shellcode2 performs reflective DLL injection of embedded DLL2, FYAnti.
6. FYAnti looks for a specific directory and searches for the file web_lowtrust.config.uninstall, decrypts it and loads the .NET loader via CppHostCLR, which in turn loads xRAT.

-----

#### xRAT (payload of FYAntiLoader)

The obfuscated configuration data decrypts to:

| Setting | Value |
|---|---|
| VERSION | 2.0.0.0 |
| HOSTS | 45.138.157.83:443; |
| RECONNECTDELAY | 1846872 |
| KEY | [redacted] |
| AUTHKEY | [redacted] |
| DIRECTORY | Environment.SpecialFolder.ApplicationData |
| SUBDIRECTORY | Subdir |
| INSTALLNAME | Client.exe |
| INSTALL | false |
| STARTUP | false |
| MUTEX | 3n5HUTePmoGqIF8CZanamdGw |
| STARTUPKEY | Quasar Client Startup |
| HIDEFILE | false |
| ENABLELOGGER | false |
| ENCRYPTIONKEY | KCYcz6PCYZ2VSiFyu2GU |
| TAG | [redacted] |
| LOGDIRECTORYNAME | Logs |
| HIDEDIRECTORY | false |
| HIDEINSTALLSUBDIRECTOR | false |

-----

#### 3. Characteristics of Intrusion

-----

#### Intrusion method in A41APT campaign

| Phase | Activity |
|---|---|
| Initial intrusion | Penetration via SSL-VPN using vulnerabilities or stolen credentials |
| Internal recon. / lateral movement | Perform a port scan to search for open RDP or SMB ports, then connect to RDP with an administrator account |
| Persistence of malware | Persistence by scheduled task registration to execute the legitimate PE |
| C2 communication | Communicate with the C2 server via DESLoader's payload (in memory) or PowerShell remoting |
| Trace removal | Delete the event log after communication with the C2 is finished |

-----

#### Characteristics of Compromise

1. Initial intrusion using SSL-VPN products
2. Network scanning and credential theft
3. PowerShell remoting to remove event logs
4. Persistence of malware by scheduled task

-----

#### 3-1. Initial intrusion via SSL-VPN (e.g. session hijacking)

- In October 2019, an attacker used the hostname DESKTOP-A41UVJV to hijack sessions and enter the internal network via an SSL-VPN product, Pulse Secure.
- JPCERT also reported a similar attack targeting SSL-VPN [4].
- In some cases, attackers used credentials that they had stolen in a past intrusion.

-----

#### 3-2. Network scanning and credential theft

Network scanning and RDP:

- After the intrusion via SSL-VPN, perform internal network scanning to find open RDP (3389/TCP) and SMB (445/TCP) ports.
- Use an administrator account to connect via RDP to servers where RDP is available.

Credential theft:

- Run csvde.exe, a CSV export command-line tool provided by Microsoft.
- Execute AdFind, provided by joeware.
- Dump the SYSTEM/SECURITY/SAM hives, etc.

Server types frequently compromised via RDP: AD server, file server, anti-virus management server, backup server.

-----

#### 3-3. PowerShell remoting to delete event logs

- Event log: the end of a PowerShell remoting session is recorded in Windows PowerShell.evtx, EID 403
- The "C2 address" and the "*.nls file name" change, but the rest is the same ⇒ probably execution of a common tool

-----

#### 3-4. Persistence of malware by scheduled task

- Registered a scheduled task that executes, every 15 minutes, a legitimate executable file that loads DESLoader.
- It is unlikely that the same scheduled task name is created on the compromised hosts.

e.g. improperly registered scheduled tasks observed in the past:

|Scheduled Tasks|PE name|
|---|---|
|\Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate|HybridDrive.exe|
|\Microsoft\Windows\Shell\FamilySafetyMonitor|wpcmon.exe|
|\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI|NAPStatus.exe|
|\Microsoft\Windows\SideShow\AutoWake|AutoWake.exe|
|\Microsoft\Windows\SystemRestore\SR|srtasks.exe|
|\Microsoft\Windows\Shell\FamilySafetyUpload|FamilySafety.exe|
|\Microsoft\Windows\File Classification Infrastructure\Property Definition Sync|DefinitionSync.exe|
|\Microsoft\Windows\UpdateOrchestrator\Refresh Settings|usoclient.exe|
|\Microsoft\Windows\WindowsUpdate\AUSessionConnect|AUSession.exe|
|\Microsoft\Windows\Shell\WindowsParentalControls|ParentalControls.exe|
|\Microsoft\Windows\UpdateOrchestrator\Schedule Retry Scan|usoclient.exe|
|\Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources|DiagPackage.exe|
|\Microsoft\Windows\Setup\EOSNotify|EOSNotify.exe|
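One way to hunt for the scheduled-task persistence described above, as an added example that is not tooling from the presentation: triage an exported task inventory for Microsoft-namespace tasks that run an image from outside the Windows directory or repeat every 15 minutes, and note when the task/image pair matches one in the table. The inventory is constructed, and the heuristics and thresholds are assumptions.

```python
r"""Triage of a scheduled-task inventory for the persistence pattern described
above: a task under \Microsoft\Windows\... whose action launches a legitimate,
side-loading EXE from outside the Windows directory every 15 minutes.
Added example with a constructed inventory (not tooling from the presentation);
the heuristics and thresholds are assumptions."""
import re

MS_NS = "\\microsoft\\windows\\"   # namespace the campaign's tasks hide in
WINDIR = "c:\\windows\\"           # genuine Microsoft tasks run images from here
FAST_MINUTES = 15                  # repetition interval observed by the presenters
# task name / image name pairs from the table above (image lower-cased)
OBSERVED = {
    (r"\Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate", "hybriddrive.exe"),
    (r"\Microsoft\Windows\Shell\FamilySafetyMonitor", "wpcmon.exe"),
    (r"\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI", "napstatus.exe"),
    (r"\Microsoft\Windows\SideShow\AutoWake", "autowake.exe"),
    (r"\Microsoft\Windows\SystemRestore\SR", "srtasks.exe"),
    (r"\Microsoft\Windows\Shell\FamilySafetyUpload", "familysafety.exe"),
    (r"\Microsoft\Windows\File Classification Infrastructure\Property Definition Sync", "definitionsync.exe"),
    (r"\Microsoft\Windows\UpdateOrchestrator\Refresh Settings", "usoclient.exe"),
    (r"\Microsoft\Windows\WindowsUpdate\AUSessionConnect", "ausession.exe"),
    (r"\Microsoft\Windows\Shell\WindowsParentalControls", "parentalcontrols.exe"),
    (r"\Microsoft\Windows\UpdateOrchestrator\Schedule Retry Scan", "usoclient.exe"),
    (r"\Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources", "diagpackage.exe"),
    (r"\Microsoft\Windows\Setup\EOSNotify", "eosnotify.exe"),
}
DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")  # task XML <Interval>

def interval_minutes(iso):
    """PT15M -> 15.0, PT1H -> 60.0; None or unparseable -> None."""
    m = DURATION.match(iso or "")
    if not m or not any(m.groups()):
        return None
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return h * 60 + mi + s / 60

def triage(tasks):
    """Return [(task path, [reasons])] for tasks that deserve a closer look."""
    findings = []
    for t in tasks:
        path, exe = t["path"], t["exe"].lower()
        if not path.lower().startswith(MS_NS):
            continue  # the heuristics below are tuned for the Microsoft namespace
        reasons = []
        if not exe.startswith(WINDIR):
            reasons.append("image outside %SystemRoot%: " + t["exe"])
        mins = interval_minutes(t.get("interval"))
        if mins is not None and mins <= FAST_MINUTES:
            reasons.append(f"repeats every {mins:g} min")
        if reasons and (path, exe.rsplit("\\", 1)[-1]) in OBSERVED:
            reasons.append("task/image pair matches an A41APT observation")
        if reasons:
            findings.append((path, reasons))
    return findings

# constructed inventory (as parsed from `schtasks /query /xml`): one A41APT-style
# task, one genuine UpdateOrchestrator task and one third-party task
SAMPLE_TASKS = [
    {"path": r"\Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate",
     "exe": r"C:\ProgramData\Intel\HybridDrive.exe", "interval": "PT15M"},
    {"path": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Retry Scan",
     "exe": r"C:\Windows\System32\usoclient.exe", "interval": None},
    {"path": r"\Vendor\Backup", "exe": r"C:\Program Files\Vendor\backup.exe",
     "interval": "PT15M"},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_TASKS):
        print(path, "->", "; ".join(reasons))
```

A genuine Microsoft task that runs from %SystemRoot% without a short repetition interval produces no finding, so the name alone (which the campaign copies from real Windows tasks) is never treated as evidence.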
-----

#### 4. Threat Actor's Infrastructure

-----

#### Threat Actor's Infrastructure

1. The hostname used for the intrusion via SSL-VPN
2. Characteristics of the C2 infrastructure

-----

#### Hostname used for the initial intrusion via SSL-VPN

- Tendency to use distinctive hostnames and to attempt intrusions while changing IP addresses
- Tendency to use an IP address for the intrusion that is different from the C2 server's IP

Hostnames used in breaches observed in the past:

|Hostname|Observation Time|
|---|---|
|DESKTOP-A41UVJV|2019/10 - 2020/01|
|dellemc_N1548P|2020/04 - 2020/05|
|DESKTOP-LHC2KTF|2020/12|
|DESKTOP-O2KM1VL|2019/10, 2020/12|
|DESKTOP-V24F9JL|2020/12|

-----

#### Characteristics of the C2 infrastructure

- For C2, there is a tendency to use IP addresses rather than domains.
- Among the observed C2 IP addresses there is little bias toward a country or AS, and IP addresses tend not to be reused.

-----

#### 5. Consideration of Threat Actor's Attribution

-----

#### Considerations for attribution of A41APT

1. Relevance to APT10
2. Relevance to BlackTech

-----

#### 1. Relevance to APT10

Two links to APT10:

- An early version of SodaMaster (x86) was confirmed in March 2019; it was involved in an attack against Turkey and attributed to APT10 (mentioned in [5]).
- The xRAT observed in the A41APT campaign has the same loading TTPs as those in the BlackBerry Cylance report from 2019 [6].

Common TTPs (SodaMaster and xRAT/QuasarRAT):

- Multi-layer loading
- CppHostCLR loader
- F**kYouAnti export
- Shellcode
- Looking for payloads under "C:\Windows\Microsoft.Net"

[Figure: SodaMaster (run DLL payload / run shellcode payload) connects to rare-coisns[.]com, which is attributed to APT10; xRAT/QuasarRAT is attributed to APT10 via the MenuPass/QuasarRAT Backdoor report.]

-----

#### 2. Relevance to BlackTech

- Common features were identified between SodaMaster and TSCookie [7].
- The same information is collected from the compromised host in the initial stage: username, computer name, current process ID.
- The two malware families, SodaMaster and TSCookie, were observed together on multiple compromised hosts.

-----

#### 6. Summary

-----

#### Wrap up: A41APT Campaign

Adversary:

- Strong association with APT10
- Potential relevance to BlackTech

Capabilities:

- Intrusion via SSL-VPN
- Heavy usage of RDP for lateral movement (mainly servers)
- Abusing DLL side-loading
- Removing traces

Infrastructure:

- Heavy usage of IP addresses for C2 (no domain usage)
- Less reuse of IP addresses for C2

Targets:

- Targeting Japanese companies, including overseas branches
- Wide range of industries, such as manufacturing

-----

#### Wrap up: TTPs (MITRE ATT&CK Mapping)

|Tactics|Techniques|
|---|---|
|Initial Access|External Remote Services (T1133): intrusion via SSL-VPN using vulnerabilities or stolen credentials|
|Execution|Command and Scripting Interpreter: PowerShell (T1059.001): Base64-obfuscated PowerShell commands (delete event log)|
|Execution|Windows Management Instrumentation (T1047): WMIC collects services for security products|
|Persistence|Scheduled Task/Job: Scheduled Task (T1053.005)|
|Privilege Escalation|Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)|
|Defense Evasion|Deobfuscate/Decode Files or Information (T1140)|
|Defense Evasion|Indicator Removal on Host: Clear Windows Event Logs (T1070.001)|
|Defense Evasion|Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)|
|Credential Access|OS Credential Dumping: Security Account Manager (T1003.002)|
|Credential Access|OS Credential Dumping: NTDS (T1003.003)|
|Discovery|Account Discovery: Domain Account (T1087.002)|
|Discovery|Domain Trust Discovery (T1482)|
|Discovery|Software Discovery: Security Software Discovery (T1518.001)|
|Lateral Movement|Remote Services: Remote Desktop Protocol (T1021.001)|
|Collection|Archive Collected Data: Archive via Utility (T1560.001): compression by WinRAR|

-----

#### Wrap up: Features of this campaign

Targeting the kryptonite of EDR/FSA detection:

- Malware is written to disk by the attacker's manual operation via SSL-VPN (legitimate file, loader, encrypted file) instead of a malware-originated intrusion from a spear-phishing email
- Intrusion from group affiliates, including overseas companies
- Malware is mostly placed on servers, and the number of compromised servers is very small
- Most of the malware detected in the same period has different C2 addresses, so there is little tendency to reuse the same samples

After the intrusion, some rough operations were seen:

- Heavy usage of network discovery using RDP
- A common method of deleting traces from event logs

-----

#### Examples of countermeasures against this campaign

SSL-VPN:

- Implementation of MFA
- Patch application operation
- Monitoring

Governance (overseas/affiliates):

- Framework for sharing information (incidents, threat intel and security situation)
- Apply the same security level
- Apply the same level of detection for each intrusion method

End user, additional monitoring:

- Audit authentication attempts of administrator accounts (success/failure)
- Monitor deletion of Windows event logs
- Monitor logins from hosts that are not in the organization's asset list
- Monitor SSL-VPN logs for suspicious logins from unknown hosts (e.g. a hostname that is not in the organization's assets)

End user, additional threat visibility:

- Network monitoring by NTA
- Strengthen security measures for servers
- Hunt for stealthy attacks using EDR/FSA
- Leverage Yara rules to detect the loader or payload in memory

Vendor (SOC), strengthen monitoring for authentication:

- Talk with the end user to learn the whitelist (username, hostname, IP address and date/time) of authentication, and give proactive alerts to the end user

-----

#### Examples of countermeasures (based on intrusion method)

| Phase | Countermeasures |
|---|---|
| Initial intrusion | Implementation of MFA; patch application operation; monitor suspicious logins from overseas; monitor suspicious logins from hosts outside of asset management |
| Internal recon. / lateral movement | Network monitoring by NTA; strengthen security measures for servers (EDR/FSA etc.); monitoring of administrator authentication attempts (success/failure) |
| Persistence of malware | Monitor the creation of suspicious scheduled task events |
| C2 communication | Payload detection by Yara; C2 identification and blocking by malware analysis; identify and block C2 by traces of suspicious PowerShell remoting in event logs |
| Trace removal | Monitor for traces of suspicious event log deletions |

-----

#### At the end...

- The A41APT campaign is very stealthy and difficult to detect, but it is not undetectable.
- The compromised target has shifted from endpoints to servers, and the intrusion route has shifted from spear-phishing to abuse of SSL-VPN. Security measures need to be reviewed in your organization to respond to the change in attack method.
- By refining daily security operations and thoroughly reviewing the security holes in each organization's environment, it may be possible to detect and protect against attacks from even small anomalies.

-----

#### Reference

1. 【緊急レポート】Microsoft社のデジタル署名ファイルを悪用する「SigLoader」による標的型攻撃を確認 ("[Urgent report] Targeted attack confirmed using "SigLoader", which abuses Microsoft digitally signed files"), https://www.lac.co.jp/lacwatch/report/20201201_002363.html
2. Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
3. https://twitter.com/Int2e_/status/1333501729359466502?s=20
4. Attacks Exploiting Vulnerabilities in Pulse Connect Secure, https://blogs.jpcert.or.jp/en/2020/04/attacks-exploiting-vulnerabilities-in-pulse-connect-secure.html
5. APT10 THREAT ANALYSIS REPORT (ADEO IT Consulting Services), https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf
6. Threat Spotlight: MenuPass/QuasarRAT Backdoor, https://blogs.blackberry.com/en/2019/06/threat-spotlight-menupass-quasarrat-backdoor
7. https://blogs.jpcert.or.jp/ja/2018/03/tscookie.html
8. A41APT case ~Analysis of the Stealth APT Campaign Threatening Japan, https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf

-----

#### IoCs

|MD5|File name|Payload|Comment|
|---|---|---|---|
|f6ed714d29839574da3e368e4437eb99|usoclient.exe|xRAT|Legitimate EXE|
|dd672da5d367fd291d936c8cc03b6467|CCFIPC64.DLL|xRAT|DESLoader|
|335ce825da93ed3fdd4470634845dfea|msftedit.prf.cco|xRAT|Encrypted Layer II shellcode|
|f4c4644e6d248399a12e2c75cf9e4bdf|msdtcuiu.adi.wdb|xRAT|Encrypted Layer IV shellcode|
|019619318e1e3a77f3071fb297b85cf3|web_lowtrust.config.uninstall|xRAT|Encrypted xRAT|
|7e2b9e1f651fa5454d45b974d00512fb|policytool.exe|P8RAT|Legitimate EXE|
|be53764063bb1d054d78f2bf08fb90f3|jli.dll|P8RAT|DESLoader|
|f60f7a1736840a6149d478b23611d561|vac.dll|P8RAT|Encrypted Layer II shellcode|
|59747955a8874ff74ce415e56d8beb9c|pcasvc.dll|P8RAT|Encrypted Layer IV shellcode|
|c5994f9fe4f58c38a8d2af3021028310|80f55.rec.dll|SodaMaster(x86)|Mem dump|
|037261d5571813b9640921afac8aafbe|10000000.dll|SodaMaster(x86)|Mem dump|
|bca0a5ddacc95f94cab57713c96eacbf|ResolutionSet.exe|SodaMaster|Legitimate EXE|
|cca46fc64425364774e5d5db782ddf54|vmtools.dll|SodaMaster|DESLoader|
|4638220ec2c6bc1406b5725c2d35edc3|D.dll|SodaMaster|Encrypted Layer II shellcode|

Path of the encrypted xRAT: Microsoft.NET\test\Framework\v4.0.30319\Config\web_lowtrust.config.uninstall

Hostnames used for the intrusion via SSL-VPN: DESKTOP-A41UVJV, dellemc_N1548P, DESKTOP-LHC2KTF, DESKTOP-O2KM1VL, DESKTOP-V24F9JL

|C2|Payloads|
|---|---|
|45.138.157[.]83|xRAT|
|151.236.30[.]223|P8RAT|
|193.235.207[.]59|Stager Shellcode|
|wiaky002_CNC1755|SodaMaster|
|www.rare-coisns[.]com|SodaMaster(x86)|

-----

# Any Questions?

-----