After closely monitoring the activities of the infamous cyberespionage group, Kaspersky has detected new infection attempts from APT10 against organisations located in the Southeast Asia region. The global cybersecurity company has monitored new wave of attacks potentially targeting health and medical facilities in Malaysia between October to December last year and Vietnam between February to May 2019.
The malware used in the two countries is different from the known tricks APT10 is known for, but the goal remains the same – to steal credentials and confidential information from the infected machines.
“We have been monitoring several operations of APT10, particularly in Japan where they caused information leakage and serious reputational damage. They are known in the industry for their stealthy and large-scale cyber espionage campaigns, always hungry for confidential information and even trade secrets. Now they are extending their geography of attack towards Southeast Asia, potentially setting eyes on some medical organisations and associations in Malaysia and Vietnam,” reveals Suguru Ishimaru, a security researcher at Kaspersky.
APT10 — also known as MenuPass, StonePanda, ChessMaster, Cloud Hopper, and Red Apollo — is known for several high-profile attacks against different industries, including information and technology, government and defence, telecommunications, academic, medical, healthcare and pharmaceutical since 2009.
Back in December last year, a report from PwC revealed that the alleged nation-backed group has successfully infected key MSP (managed service provider) companies such as Hewlett Packard Enterprise Co and IBM. Through this breach, the actors have stolen sensitive corporate data from the affected firms’ clients. Among the alleged targets were Australian corporations.
The group is widely known in the cybersecurity industry as a Chinese-speaking cyberespionage group. While their target sectors have been changing since their first known attack, their goal to steal important information including confidential data, defence intelligence, and corporate secrets remains unchanged.
APT10 using trial and error to covert operations
APT10 is known for using multiple types of RATs or remote access Trojans in the past, including Poison Ivy, PlugX, ChChes, Redleaves, and more.
Kaspersky in 2017 has detected PlugX malware in pharmaceutical organisations in Vietnam to steal precious drug formulas and business information. This malware is usually spread via spear phishing and has previously been used by other Chinese-speaking actors in targeted attacks against the military, government and political organisations.
In terms of its malicious activities in Japan, the notorious APT10 used Redleaves, a fileless malware which runs only in memory, and its variants from October 2016 to April 2018. Kaspersky researchers have discovered 120+ malicious modules of Redleaves and its variants like Himawari and Lavender.
In Himawari samples, researchers found medical terminology as well as decoy documents related to medical, healthcare, and pharmaceuticals organisations. All samples of targeting medical industries detected were also password-protected, halting researchers in conducting further analysis.
“In April 2018, we have observed a new trick being used by APT10 – Zark20rk. It is another variant of Redleaves but the hackers behind this group updated some crypto algorithms, data structure, and malware features adding some key strings related to Russia. Based on their behavioural patterns, we can say this is another false flag planted to confuse researchers monitoring their movements,” explains Ishimaru.
For the attacks potentially against healthcare organisations in Malaysia and Vietnam, Kaspersky unmasked that the group has changed its main RAT from Redleaves to a well-known backdoor called ANEL. ANEL usually starts with an infected word document containing VBA macro to infect ANEL modules.
To further hide their actions, APT10 embedded someanti-AV and anti-reversing methods in ANEL and its modules such as strong obfuscations for anti-reversing, DLL side-loading for AV-evasion, multiple encryptions for malware configuration and communication to C2s (command and control servers), as well as fireless malware which is executed only in memory like Redleaves.
“With password-protected attachments, complicated obfuscations, evolving evasion tricks, and encrypted modules using multiple algorithms, APT10 is undoubtedly paying a lot of attention on how they conduct their attacks. Through trial and error, they are in search for the best technique to infect their specific targets. And based on the results of our investigation and the pattern of their attack behaviour, medical and healthcare industry are definitely well within the radar of this group,” he adds.
Healthcare’s defence against APT10
Given the sophisticated nature of APT 10’s techniques, Kaspersky suggests healthcare companies to consider getting security solutions beyond anti-virus, preferably a solution built around a Machine Learning core (Targeted Attack Analyzer) which combines advanced detection capabilities using static, behavioural, cloud reputation, sandboxing, YARA and pattern-based detection engines.
Real-time and comprehensive threat intelligence services are also necessary to build an organisation’s immunity against unseen cyberattacks. Such service will give a 360-degree view of tactics and tools used by past and current are known threat actors, making it easier to prevent and detect complex attack attempts.