Picus Threat Library Updated for A41APT Campaign of the APT10 (menuPass) APT Group

Keep up to date with latest blog posts

Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used in the A41APT espionage campaign of the APT10 (also known as Cloud Hopper, Red Apollo, CNVX, Stone Panda, MenuPass, and Potassium)  Advanced Persistent Threat (APT) Group, operating since 2006. AP10 is believed to be a part of the Tianjin bureau of the Chinese Ministry of State Security [1]. APT10 has mainly targeted 30+ countries in Asia, Europe, North America, and Africa. The majority of the group's targets are in government, defense, energy, financial, aerospace, healthcare, telecommunications, and MSPs. APT10 utilizes a bunch of tools in its attack campaigns, including BloodHound, China Chopper, Cobalt Strike, Derusbi, Mimikatz, PowerSploit, PowerBiew, pwdump, ShaspSploit, PsExec, and certutil.

A41APT Espionage Campaign

A41APT is a long-running espionage campaign with activities detected from March 2019 [2]. Most of the used malware families in this campaign are fileless malware that have not been discovered before. The delivered payloads are SodaMaster (a.k.a DelfsCake, dfls, and DARKTOWN), P8RAT (a.k.a GreetCake, and HEAVYPOT) and FYAnti.

Picus Labs has updated the Picus Threat Library with the following malware used in the A41APT of the APT10 threat group:

Picus ID

Threat Name

623353

P8RAT Trojan used by APT10 Threat Group in A41APT Campaing .DLL File Download Variant-1

775198

Sodamaster Loader Trojan used by APT10 Threat Group in A41APT Campaing .DLL File Download Variant-1

874874

Sodamaster Loader Trojan used by APT10 Threat Group in A41APT Campaing .DLL File Download Variant-3

367130

Sodamaster Loader Trojan used by APT10 Threat Group in A41APT Campaing .DLL File Download 

The main function of P8RAT is downloading payloads consisting of PE or shellcode from its C2 service and running these payloads.P8RAT also looks for VBoxService.exe and vmtoolsd.exe processes to determine whether the infected environment is a virtual machine or a physical machine. 

Another payload is SodaMaster that downloads malicious DLLs or shellcode and executes the downloaded payloads like P8RAT.

Other Threats of Mustang Panda in Picus Threat Library

Picus Threat Library consists of 44 threats of the APT10 (menuPass) threat group, including:

  • APT10 Threat Group Attack Scenario
  • ChChes Trojan used by menuPass (Stone Panda) APT Campaign 
  • Redleaves RAT Malware used in menuPass Campaign 
  • PlugX (Korplug) RAT used by menuPass (Stone Panda) APT 
  • Poison Ivy (PIVY) RAT used by menuPass (Stone Panda) APT

 MITRE ATT&CK Techniques used by Mustang Panda

  • T1133 External Remote Services
  • T1078 Valid Accounts
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1053.005 Scheduled Task/Job: Scheduled Task
  • T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
  • T1574.002 Hijack Execution Flow: DLL Side-Loading
  • T1078 Scheduled Task/Job: Scheduled Task
  • T1070.003 Indicator Removal on Host: Clear Command History
  • T1036 Masquerading
  • T1497.001 Virtualization/Sandbox Evasion: System Checks
  • T1057 Process Discovery
  • T1082 System Information Discovery
  • T1012 Query Registry
  • T1210 Exploitation of Remote Services
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1132.002 Data Encoding: Non-Standard Encoding

References

[1] https://www.fbi.gov/wanted/cyber/apt-10-group
[2] https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

 

Subscribe

Keep up to date with latest blog posts