
How the SYS01 Campaign Uses Multiple Evasion Tactics to Avoid Detection in Cyber Espionage


Multiple Malware Families: The Primary Evasion Tactic of the SYS01 Campaign

In the world of cybersecurity, it is not uncommon for attackers to use multiple tactics to evade detection and carry out their malicious activities. The SYS01 campaign is a prime example of this. This campaign is known for using multiple attack evasion tactics to stay under the radar and avoid detection. In this blog post, we will explore the various tactics used by the SYS01 campaign and how they contribute to the campaign's success.

Firstly, let's understand what the SYS01 campaign is. The SYS01 campaign is a cyber espionage campaign that has been active since at least 2013. The campaign primarily targets government and military organizations in Southeast Asia, specifically in the Philippines, Taiwan, and Vietnam. The attackers behind the campaign are believed to be a Chinese state-sponsored group known as APT10.

One of the primary attack evasion tactics used by the SYS01 campaign is the use of multiple malware families. Rather than relying on a single malware family to carry out their attacks, the attackers use a variety of different malware families. This makes it much more difficult for defenders to detect and block the attacks, as they need to be aware of and able to detect multiple different types of malware.

Unseen and Unheard: The Use of Fileless Malware and Steganography

Another tactic used by the SYS01 campaign is fileless malware. Fileless malware does not rely on files or executables on disk to carry out its activities; instead, it operates entirely in memory, which makes it much more difficult to detect and remove. The attackers behind the SYS01 campaign use fileless malware to avoid leaving a trail of evidence on the victim's system.

The SYS01 campaign also uses steganography to conceal its activities. Steganography is the practice of hiding information within another file, such as an image or document. The attackers use steganography to hide their malware within benign files, making it more difficult for defenders to detect the malware.

In addition to these tactics, the SYS01 campaign uses advanced obfuscation techniques to make its malware more difficult to analyze. For example, the attackers may use code obfuscation to make it harder for analysts to understand the code and how it works. They may also use encryption to protect the malware from analysis.

The Art of Obfuscation: How the SYS01 Campaign Makes Malware Analysis More Difficult

Another evasion tactic used by the SYS01 campaign is the use of spear-phishing attacks. Spear-phishing is a targeted phishing attack that is designed to trick a specific individual into providing sensitive information or installing malware. The attackers behind the SYS01 campaign use spear-phishing attacks to target specific individuals within their target organizations, making it more difficult for defenders to detect the attacks.

Finally, the attackers behind the SYS01 campaign use command-and-control (C2) servers that are difficult to detect and block. C2 servers are used by attackers to communicate with their malware and control it remotely. The SYS01 campaign uses C2 servers that are located in countries that have lax cybersecurity laws and regulations, making it more difficult for defenders to block the traffic to these servers.

In conclusion, the SYS01 campaign is a prime example of how attackers use multiple tactics to evade detection and carry out their malicious activities. The campaign uses multiple malware families, fileless malware, steganography, obfuscation techniques, spear-phishing attacks, and difficult-to-detect C2 servers to avoid detection and stay under the radar. Defenders need to be aware of these tactics and have the tools and knowledge to detect and block them to protect their organizations from these types of attacks.

Threat Actors Exploit Antivirus Software to Launch LODEINFO Malware, Target Entities in Japan


APT10 uses LODEINFO malware to attack Japanese organizations

The Chinese Cicada hacking group, known as APT10, was found exploiting security software to deploy a new variant of the LODEINFO malware against Japanese companies.

The victim organizations include media groups, government, and public sector organizations, think tanks, and diplomatic agencies in Japan, all lucrative targets for cyberespionage. 

According to Kaspersky analysts, who have been tracking APT10's operations in Japan since 2019, the threat actors are continuously refining their exploitation techniques and their custom backdoor, 'LODEINFO,' to make detection harder for defenders.

Kaspersky published two reports, one showing APT10's exploit chain tactics and the second highlighting the evolution of LODEINFO.

Exploiting security software

The investigation started in March 2022, when Kaspersky found that APT10 attacks in Japan had begun using a new infection vector consisting of a spear-phishing email, a self-extracting (SFX) RAR file, and the exploitation of a DLL side-loading vulnerability in security software.

The RAR archive contains the legitimate K7Security Suite executable, NRTOLD.exe, and a malicious DLL named K7SysMn1.dll. When NRTOLD.exe is run, it tries to load the genuine K7SysMn1.dll file that is normally present in the software suite.

However, the executable does not require the DLL to be loaded from a specific folder, which allows malware developers to supply a malicious DLL that uses the same name as K7SysMn1.dll.

If the malicious DLL is placed in the same folder as the genuine executable, the executable will load it when launched, and that DLL contains the LODEINFO malware.

Because the malware is side-loaded by an authentic security application, other security software may not flag it as malicious.
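As an added illustration (not code from Kaspersky or from this blog), here is a small check over constructed Sysmon-style image-load records that flags the pattern just described: NRTOLD.exe loading a K7SysMn1.dll from somewhere other than the suite's install directory, or one that is not validly signed. The install directory, the sample records and the temp-folder paths are assumptions.

```python
import ntpath
from typing import Dict, List

# Assumption: where the genuine K7 suite is installed on managed hosts.
EXPECTED_DIRS = {r"c:\program files\k7 computing"}
HOST_EXE, SIDELOADED_DLL = "nrtold.exe", "k7sysmn1.dll"

# Constructed sample records shaped like Sysmon Event ID 7 (ImageLoad) fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Genuine suite: DLL resolved from the install directory, validly signed.
    {"Image": r"C:\Program Files\K7 Computing\NRTOLD.exe",
     "ImageLoaded": r"C:\Program Files\K7 Computing\K7SysMn1.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # The pattern from the post: an SFX archive drops both files into a temp
    # folder and the executable picks up the unsigned look-alike DLL.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\NRTOLD.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\K7SysMn1.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Unrelated load that must not fire.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _norm(path: str) -> str:
    """Lower-case and use backslashes so path comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons one image-load record looks like a side-load, or []."""
    exe, dll = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    if ntpath.basename(exe) != HOST_EXE or ntpath.basename(dll) != SIDELOADED_DLL:
        return []  # not the host/DLL pair being watched
    reasons = []
    if ntpath.dirname(dll) not in EXPECTED_DIRS:
        reasons.append("DLL loaded from outside the install directory: " + ntpath.dirname(dll))
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("DLL is not validly signed")
    return reasons


def detect_sideload(events: List[Dict[str, str]]) -> List[str]:
    """Run check_event over a batch and format one finding line per reason."""
    return [f"{ev['Image']} -> {ev['ImageLoaded']}: {r}"
            for ev in events for r in check_event(ev)]
```

The same two conditions (unexpected directory, missing or invalid signature) translate directly into an image-load rule in an EDR or SIEM.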

The Kaspersky report said: 

"K7SysMn1.dll contains a BLOB with an obfuscated routine not observed in past activities. The embedded BLOB is divided into four-byte chunks, and each part is stored in one of the 50 randomly named export functions of the DLL binary. These export functions reconstruct the BLOB in an allocated buffer and then decode the LODEINFO shellcode using a one-byte XOR key."
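As an added example (not Kaspersky's code and not the real sample), the following simulates the layout the report describes, a BLOB split into four-byte chunks stored behind randomly named exports, and shows the analyst-side steps: reassemble the chunks in call order and recover the one-byte XOR key by brute force against a known prefix. The placeholder payload, the key, and the assumption that the call order and a known prefix were already recovered from the sample are all constructed.

```python
import random
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the decoded payload; the real one is not on the page.
PLAINTEXT = b"constructed placeholder payload - not real shellcode"
SAMPLE_KEY = 0x5A  # assumption for the simulation only

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a one-byte XOR key to every byte (the same step encodes and decodes)."""
    return bytes(b ^ key for b in data)

def split_into_chunks(blob: bytes, size: int = 4) -> List[bytes]:
    """Cut the BLOB into four-byte pieces; the last one may be shorter."""
    return [blob[i:i + size] for i in range(0, len(blob), size)]

def build_simulated_exports(blob: bytes, seed: int = 1) -> Tuple[Dict[str, bytes], List[str]]:
    """Simulate the DLL layout: each chunk sits behind a randomly named export.
    Returns the name->chunk map and the order the rebuild routine calls them in."""
    rng = random.Random(seed)
    exports: Dict[str, bytes] = {}
    order: List[str] = []
    for chunk in split_into_chunks(blob):
        name = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(8))
        name = name if name not in exports else name + str(len(order))  # keep names unique
        exports[name] = chunk
        order.append(name)
    return exports, order

def rebuild_blob(exports: Dict[str, bytes], call_order: List[str]) -> bytes:
    """Concatenate the chunks in call order, as the reconstruction routine does."""
    return b"".join(exports[name] for name in call_order)

def recover_xor_key(blob: bytes, known_prefix: bytes) -> Optional[int]:
    """Brute-force the 256 possible keys against bytes the analyst expects at
    the start of the decoded payload (assumption: such a prefix is known)."""
    for key in range(256):
        if xor_bytes(blob[:len(known_prefix)], key) == known_prefix:
            return key
    return None

def decode_simulated_sample() -> bytes:
    """End-to-end: encode, scatter across exports, reassemble and decode."""
    exports, order = build_simulated_exports(xor_bytes(PLAINTEXT, SAMPLE_KEY))
    blob = rebuild_blob(exports, order)
    key = recover_xor_key(blob, PLAINTEXT[:4])
    return xor_bytes(blob, key) if key is not None else b""
```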

New LODEINFO

The malware developers released six new variants of LODEINFO in 2022, the most recent being v0.6.7, released in September 2022.

APT10's operations against Japan are marked by an expanding set of targeted platforms, constant evolution, stealthy infection chains, and improved evasion.

Other recently uncovered operations attributed to APT10 include a campaign attacking Middle Eastern and African governments using steganography and another abusing VLC to launch custom backdoors.