Researchers discovered a cyber espionage campaign targeting Japanese companies, both in Japan and abroad, across multiple industries including manufacturing. The attackers aimed to steal specific, targeted information.
Because the attacker used the hostname “DESKTOP-A41UVJV” in the first stage, the group was named “A41APT”. Researchers monitored and tracked A41APT from March 2019 to November 2020 and found that the group’s tradecraft changed constantly and relied on a variety of new malware families, including SodaMaster (also called DelfsCake, dfls and HEAVYPOT), P8RAT (also called GreetCake), DESLoader (also called SigLoader) and FYAntiLoader, with more than 80 samples identified.
There is very little public information about the activities of the A41APT group. Analysis shows that the group operates with a high degree of stealth and is difficult to detect. The group’s intrusion process is shown in the following figure:
Observation showed that the group used two hostnames, “DESKTOP-A41UVJV” and “dellemc_N1548P”; its C2 infrastructure showed no obvious bias, and the group tended not to reuse IP addresses.
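Because the two hostnames above are a more stable pivot than C2 addresses the group rarely reuses, a defender can hunt for them in the WorkstationName field of Windows logon events. The following is an added example, not code from the original report; the key=value log layout and the IP addresses are constructed for illustration.

```python
"""Hunt Windows logon records for the A41APT first-stage hostnames (added example)."""
import re
from collections import defaultdict

# Hostnames the report associates with the group's first stage.
A41APT_HOSTNAMES = {"DESKTOP-A41UVJV", "dellemc_N1548P"}

# Constructed sample records shaped like Security event 4624/4625 fields.
# Not real telemetry; external IPs are RFC 5737 documentation addresses.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 TargetUserName=svc_backup WorkstationName=DESKTOP-A41UVJV IpAddress=203.0.113.10
EventID=4624 LogonType=3 TargetUserName=jdoe WorkstationName=WS-FIN-022 IpAddress=10.20.1.44
EventID=4624 LogonType=10 TargetUserName=admin WorkstationName=dellemc_N1548P IpAddress=198.51.100.7
EventID=4625 LogonType=3 TargetUserName=admin WorkstationName=DESKTOP-A41UVJV IpAddress=203.0.113.10
EventID=4624 LogonType=3 TargetUserName=svc_backup WorkstationName=desktop-a41uvjv IpAddress=203.0.113.88
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value key=value ...' record into a dict."""
    return dict(FIELD_RE.findall(line))


def hunt(log_text, hostnames=A41APT_HOSTNAMES):
    """Return (matching events, sorted distinct source IPs per hostname).

    Matching is case-insensitive because NetBIOS/workstation names are.
    Collecting IPs per hostname shows how little IP reuse there is, which is
    why the hostname, not the address, is the indicator worth alerting on.
    """
    wanted = {h.lower() for h in hostnames}
    hits = []
    ips_per_host = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_event(line)
        workstation = event.get("WorkstationName", "")
        if workstation.lower() in wanted:
            hits.append(event)
            ips_per_host[workstation.lower()].add(event.get("IpAddress", "-"))
    return hits, {h: sorted(ips) for h, ips in ips_per_host.items()}


if __name__ == "__main__":
    hits, ips = hunt(SAMPLE_EVENTS)
    for ev in hits:
        print(f"ALERT {ev['EventID']} user={ev['TargetUserName']} "
              f"ws={ev['WorkstationName']} ip={ev['IpAddress']}")
    print("distinct source IPs per hostname:", ips)
```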
So far, two suspected attributions for A41APT have been proposed: APT10 and BlackTech. Judging by the targets and the tactics used, attribution to APT10 is the more likely.