New Delhi, April 10: Raising an alarm for IT service providers and manufacturing companies in India, US-based cyber security group FireEye has claimed that a new set of tools is being used by the China-based cyber espionage group APT10 to steal confidential business data from domestic firms to support Chinese corporations. FireEye has been tracking APT10 since 2009; the group has historically targeted construction, engineering, aerospace and telecom firms and governments in the US, Europe and Japan. “IT services have been a core engine of India’s economic growth, with service providers here scaling the value chain to manage business-critical functions of top global organisations. Campaigns like this highlight risks which all organisations should factor into their operations,” said Kaushal Dalal, Managing Director, FireEye, India, in a statement on Monday.
APT10 activity has included both traditional spear phishing and access to victims’ networks through service providers. Service providers have significant access to customer networks, enabling an attacker who has compromised a service provider to move laterally into the network of the service provider’s customers.
“Targeting of these industries has been in support of Chinese national security goals, including acquiring valuable military and intelligence information as well as the theft of confidential business data to support Chinese corporations,” said FireEye in an earlier blog post.
In addition, web traffic between a service provider and its customer is likely to be viewed as benign by network defenders at the customer, allowing the attacker to exfiltrate data stealthily. APT10 unveiled new tools in its 2016/2017 activity. “HAYMAKER” and “SNUGRIDE” have been used as first-stage backdoors, while “BUGJUICE” and a customised version of the open source “QUASARRAT” have been used as second-stage backdoors. These new pieces of malware show that APT10 is devoting resources to capability development and innovation. HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. BUGJUICE, also a backdoor, is executed by launching a benign file and then hijacking the DLL search order so that a malicious DLL is loaded into it. That malicious DLL then loads encrypted shellcode from the binary, which is decrypted and run as the final BUGJUICE payload.
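The DLL search-order hijacking described above leaves a recognisable trace on the endpoint: a DLL whose name normally resolves from a Windows system directory is instead loaded from the directory of the benign executable that was launched. The following is an added illustrative example, not code from the article or from FireEye, of a defender-side heuristic over image-load telemetry. The log format, the system-DLL allow-list and the sample records are all constructed for the example; a real deployment would build the list from a known-good baseline of the estate.

```python
# Added example (not from the article or FireEye): a defender-side heuristic
# for spotting DLL search-order hijacking of the kind described above.
# The telemetry format and the allow-list contents are assumptions.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories a system DLL is expected to be loaded from (assumed for the example).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# DLL names the organisation expects to resolve only from a system directory.
# Hypothetical set; a real list comes from a known-good baseline.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll"}


@dataclass
class ImageLoad:
    process_path: str   # executable that performed the load
    image_path: str     # DLL that was mapped into it
    signed: bool        # whether the DLL carried a valid signature


def parse_events(lines):
    """Parse constructed 'process|image|signed' records into ImageLoad objects."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        process, image, signed = line.split("|")
        events.append(ImageLoad(process, image, signed.lower() == "true"))
    return events


def _under(path, base):
    """Case-insensitive 'path lies inside base' check for Windows paths."""
    return path.lower().startswith(base.lower().rstrip("\\") + "\\")


def find_sideload_candidates(events):
    """Return (process, image, reason) for loads that look like search-order hijacks."""
    findings = []
    for ev in events:
        name = PureWindowsPath(ev.image_path).name.lower()
        if name not in SYSTEM_DLL_NAMES:
            continue
        if any(_under(ev.image_path, d) for d in SYSTEM_DIRS):
            continue  # resolved from a system directory: expected behaviour
        image_dir = PureWindowsPath(ev.image_path).parent
        proc_dir = PureWindowsPath(ev.process_path).parent
        reason = "system DLL name resolved outside a system directory"
        if image_dir == proc_dir:  # PureWindowsPath compares case-insensitively
            reason += "; DLL sits beside the launching executable"
        if not ev.signed:
            reason += "; DLL is unsigned"
        findings.append((ev.process_path, ev.image_path, reason))
    return findings


# Constructed sample telemetry: process|image|signed
SAMPLE_LOG = r"""
# constructed records, not real telemetry
C:\Program Files\Vendor\tool.exe|C:\Windows\System32\version.dll|true
C:\Program Files\Vendor\tool.exe|C:\Program Files\Vendor\vendorlib.dll|true
C:\Users\alice\AppData\Local\Temp\update.exe|C:\Users\alice\AppData\Local\Temp\version.dll|false
"""

if __name__ == "__main__":
    for proc, image, reason in find_sideload_candidates(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{proc} loaded {image}: {reason}")
```

Only the third record is flagged: the first resolves `version.dll` from System32 as expected, and the second loads a vendor DLL that is not on the system-DLL list at all. The heuristic is deliberately narrow so that it can be tuned against a baseline without drowning analysts in the legitimate application-directory loads that every Windows estate produces.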
BUGJUICE defaults to TCP, using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPS if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. (IANS)