A41APT – APT Attacks Against Japan

Introduction

Researchers discovered a cyber-espionage campaign targeting Japanese companies at home and abroad, across multiple industries including manufacturing. The campaign aimed to steal targeted information.

Since the attacker used the hostname “DESKTOP-A41UVJV” in the first stage, the group was named “A41APT”. Researchers monitored and tracked the campaign from March 2019 to November 2020 and found that the group’s attack techniques change constantly and that it used a variety of new malware families, such as SodaMaster (also called DelfsCake, dfls and HEAVYPOT), P8RAT (also called GreetCake), DESLoader (also called SigLoader) and FYAntiLoader, with more than 80 samples identified.

There is very little public information about the group’s attack activities. Analysis shows that the group operates with a high degree of stealth, which makes it difficult to detect. The group’s intrusion process is shown in the following figure:

[Figure: the group’s intrusion process]

Observation showed that the group used two hostnames, “DESKTOP-A41UVJV” and “dellemc_N1548P”. Its C2 infrastructure showed no obvious pattern, and the group tended not to reuse IP addresses.

So far, two candidate attributions have been proposed for the group: APT10 and BlackTech. Based on the targets and the tactics used, attribution to APT10 is the more likely.

IOCs
