The Chinese hacking group known as APT10 is using two new malware loaders and new versions of known payloads to attack government and private organizations in Southeast Asia.
APT10 first appeared in 2009 and has carried out several attack campaigns since then. In April 2017, security researchers disclosed a large hacking campaign known as Operation Cloud Hopper, which targeted many agencies and companies around the world.
In July 2018, FireEye detected new APT10 attacks in which the hackers sent phishing emails to company employees containing malicious Word documents that installed the UPPERCUT backdoor on victims' systems.
In September 2018, APT10 ran a campaign targeting Japanese media organizations; researchers from FireEye detected and blocked it.
The most recent APT10 attacks took place in April 2019 and were identified by researchers at enSilo, who found that the hackers had used modified versions of known malware.
The researchers attributed the April attacks to the Chinese espionage group because the two loader variants and their payloads use similar tactics, techniques and procedures (TTPs) and contain code associated with APT10.
The two loaders deliver different payloads to the victims, but both variants drop the same three files:
jli.dll - malicious DLL (the loader itself)
msvcrt100.dll - legitimate Microsoft C runtime DLL
svchost.bin - binary file holding the encrypted payload that jli.dll decrypts and runs
Both variants serve various payloads, including PlugX and Quasar RAT, which give the attackers remote access to the compromised systems.
According to the researchers, the payloads used in the latest attacks are still under development.
The researchers conclude that although the two loader variants differ in some details, they use the same mechanism to decrypt and load the malicious code, which makes the dropped file set a usable host-based indicator for both.
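As an added example (not code from the original article or from enSilo's research), the following Python script hunts for the dropped file set listed above on a mounted disk image or a live host: it walks a directory tree, flags every directory that holds all three file names, records their SHA-256 hashes, and lists the other files in that directory so the analyst can see which executable the malicious jli.dll sits next to. The assumption that the host executable lives in the same directory as jli.dll (the usual DLL side-loading layout) is mine, as is the threshold of requiring all three names; the sample tree built by make_demo_tree() is constructed for the demonstration and contains no real malware.

```python
"""Triage helper: find directories that hold the APT10 loader file triad."""
import hashlib
import os
import tempfile
from pathlib import Path

# File names reported as dropped by both loader variants (taken from the article).
LOADER_TRIAD = {"jli.dll", "msvcrt100.dll", "svchost.bin"}


def sha256_of(path) -> str:
    """Return the SHA-256 hex digest of a file, read in 1 MiB chunks."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_loader_triads(root):
    """Walk `root` and return one hit per directory that contains all three file names.

    Matching is case-insensitive because NTFS is; each hit carries the hashes of the
    three files and the names of everything else in that directory (assumed to include
    the legitimate executable that side-loads jli.dll).
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_lower = {name.lower(): name for name in filenames}
        if not LOADER_TRIAD.issubset(by_lower):
            continue
        directory = Path(dirpath)
        hits.append({
            "directory": str(directory),
            "files": {
                wanted: sha256_of(directory / by_lower[wanted])
                for wanted in sorted(LOADER_TRIAD)
            },
            "other_files": sorted(
                name for name in filenames if name.lower() not in LOADER_TRIAD
            ),
        })
    return hits


def make_demo_tree() -> str:
    """Build a constructed sample tree (placeholder bytes, not malware) and return its root."""
    root = tempfile.mkdtemp(prefix="apt10_triage_")
    hit = Path(root) / "hit"
    hit.mkdir()
    # Mixed case on purpose: the scan must not miss "JLI.dll" on a case-insensitive volume.
    for name, data in (("JLI.dll", b"placeholder dll"), ("msvcrt100.dll", b"placeholder crt"),
                       ("svchost.bin", b"placeholder blob"), ("host.exe", b"placeholder host")):
        (hit / name).write_bytes(data)
    miss = Path(root) / "miss"
    miss.mkdir()
    (miss / "jli.dll").write_bytes(b"placeholder dll")  # only one of the three: not a hit
    return root


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for hit in find_loader_triads(target):
        print(hit["directory"])
        for name, digest in hit["files"].items():
            print(f"  {name:<14} {digest}")
        print("  other files:", ", ".join(hit["other_files"]) or "(none)")
```

Run it as `python triage.py C:\` (or against a mount point of an acquired image); with no argument it scans the constructed demo tree. The hashes are there to be compared against whatever sample hashes the full enSilo write-up provides, and the "other files" list is what tells you which signed executable was abused as the side-loading host.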
More technical details are available in enSilo's report.