Cybersecurity researchers on Tuesday unveiled details of a sophisticated campaign that uses malicious backdoors for the purpose of extracting information from a number of industry sectors based in Japan.
Called “A41APT” by Kaspersky researchers, the findings investigate a new slew of attacks made by APT10 (aka Stone Panda or Cicada) using previously undocumented malware to deliver as many as three payloads, such as SodaMaster, P8RAT, and FYAnti.
The long-standing intelligence gathering operation first emerged in March 2019, with activities seen as late as November 2020, when reports emerged that Japan-linked companies were being targeted by the threat actor in over 17 regions worldwide.
The fresh attacks revealed by Kaspersky are said to have occurred in January 2021. The infection chain leverages a multi-stage attack process, with the initial intrusion occurring through SSL-VPN abuse by exploiting unpatched vulnerabilities or stolen credentials.
At the heart of the campaign is malware called Ecipekac (“Cake Piece” in reverse, but with a typo) that achieves a four-layer “complex loading schema” by using four files to “load and decrypt four fileless loader modules one after the other to eventually load the final payload in memory.”
While the primary purpose of P8RAT and SodaMaster is to download and execute payloads retrieved from an attacker-controlled server, the Kaspersky investigation has not yielded any clues as to the exact malware delivered to target Windows systems.
Interestingly, the third payload, FYAnti, is a multi-layered loader module in itself that goes through two successive layers to deploy a final-stage remote access Trojan called QuasarRAT (or xRAT).
“The operations and implants of the campaign … are remarkably stealthy, making it difficult to track the activities of the threat actor,” said Kaspersky researcher Suguru Ishimaru. “The main stealth features are fileless implants, obfuscation, anti-VM, and removal of activity tracks.”