FireEye researchers spotted a new set of tools used by APT10, the group responsible for the Cloud Hopper campaign among other high-profile attacks.
During its 2016/2017 cyberespionage activity the group used a set of tools believed to be unique to it, including several backdoors and an open-source remote access trojan (RAT), according to an April 6 blog post.
“They have historically targeted construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan,” researchers said in the post. “We believe that the targeting of these industries has been in support of Chinese national security goals, including acquiring valuable military and intelligence information as well as the theft of confidential business data to support Chinese corporations.”
The backdoors include HAYMAKER, which can download and execute additional payloads in the form of modules; BUGJUICE, which is executed by launching a benign file and then hijacking the DLL (dynamic-link library) search order so that a malicious DLL is loaded into it; and SNUGRIDE, which communicates with its C2 server through HTTP requests.
Researchers said the group's recent activity included both traditional spearphishing tactics and access to victims' networks through service providers.
The group will likely slow its attacks following the public disclosure of its Cloud Hopper campaign and the vulnerabilities it exploited, but researchers expect the group to return to large-scale operations, potentially employing new tactics, techniques and procedures, the report said.
The group has also been spotted shifting towards bespoke malware and customized open-source tools, indicating an increase in sophistication.
APT10 has targeted firms in countries across the globe and was even linked to the 2015 US Office of Personnel Management (OPM) breach. The Chinese APT group also targeted representatives from private-sector companies who registered for a National Foreign Trade Council meeting last month.
The campaign, dubbed “Operation TradeSecret”, involved injecting a malicious link into specific pages on the NFTC's website, including the registration page for a March 7 board of directors meeting in Washington D.C.