A sophisticated long-running campaign is infecting victims across multiple industries, including Japanese manufacturing, with malware whose purpose is to exfiltrate information.
The campaign is dubbed “A41APT” by Kaspersky researchers (not to be confused with APT41). The name is derived from the host name “DESKTOP-A41UVJV” on the attacker’s system.
The attackers either exploited vulnerabilities in Pulse Connect Secure to hijack VPN sessions or used credentials stolen in earlier operations. The researchers believe APT10 (a.k.a. Stone Panda or Cicada) is behind the campaign.
The campaign was first spotted in November 2020; the most recent attacks uncovered by Kaspersky took place in January 2021. The attackers use a multi-stage attack process that begins either with exploiting unpatched SSL-VPN vulnerabilities or with stolen credentials.
Central to the campaign is a loader called Ecipekac (“Cake piece”, misspelled and written in reverse), a.k.a. DESLoader, SigLoader and HEAVYHAND, which uses four files to “load and decrypt four fileless loader modules one after the other to eventually load the final payload in memory.”
The researchers observed four types of final payload implanted by the Ecipekac loader during this long-running campaign: Cobalt Strike, P8RAT, SodaMaster, and FYAnti loader for QuasarRAT.
Cobalt Strike is a well-known commercial penetration-testing and adversary-emulation tool designed to execute targeted attacks and emulate post-exploitation actions; its interactive post-exploitation capabilities cover the full range of ATT&CK tactics.
According to Kaspersky, the main purpose of P8RAT and SodaMaster is to download further payloads from an attacker-controlled server and run them on the victim’s Windows machine. However, Kaspersky’s investigators could not determine exactly which malware was delivered to the target systems.
The fourth payload, FYAnti, is a multi-layer loader module that deploys a final-stage remote access Trojan known as QuasarRAT, or xRAT.
Kaspersky called the operations and payloads of the campaign “remarkably stealthy, making it difficult to track the threat actor’s activities.” Suguru Ishimaru concluded, “the most significant aspect of the Ecipekac malware is that, apart from the large number of layers, the encrypted shellcodes were being inserted into digitally signed DLLs without affecting the validity of the digital signature. When this technique is used, some security solutions cannot detect these implants.”
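The reason a payload can sit inside a signed DLL without breaking the signature is that the Authenticode hash covers the whole file except the checksum field, the security data-directory entry and the certificate table itself, so bytes placed inside that table are never hashed. The following is an added example, not Kaspersky's code and not Ecipekac: it parses a PE's certificate table, measures the real DER length of the PKCS#7 blob in each WIN_CERTIFICATE entry, and reports any bytes that neither the blob nor its 8-byte alignment padding account for. The `build_sample_pe` helper fabricates a minimal PE32+ with a fake (non-verifiable) signature blob purely so the check runs offline; the 64-byte `\x90` blob it appends stands in for an encrypted shellcode and is constructed here, not taken from any real sample.

```python
"""Heuristic check for data hidden inside a PE's Authenticode certificate table.

Added example (not from Kaspersky or the Ecipekac loader). The Authenticode hash
skips the certificate table, so bytes appended inside it leave the signature valid.
build_sample_pe() is a constructed PE32+ with a FAKE PKCS#7 blob for offline use.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_sequence_length(buf: bytes, off: int = 0) -> int:
    """Total encoded length (header + content) of the DER SEQUENCE at buf[off]."""
    if buf[off] != 0x30:
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = buf[off + 1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")


def security_directory(pe: bytes) -> tuple:
    """Return (file_offset, size) of the certificate table from the optional header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt_off = e_lfanew + 4 + 20            # skip PE signature and COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dd_base = opt_off + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data directories
    # Unlike other directories, the security entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", pe, dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)


def audit_certificate_table(pe: bytes) -> dict:
    """Walk every WIN_CERTIFICATE entry and flag bytes the DER blob does not explain."""
    off, size = security_directory(pe)
    report = {"signed": size != 0, "entries": [], "unaccounted_bytes": 0, "suspicious": False}
    if size == 0:
        return report
    pos, end = off, off + size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        blob = pe[pos + 8:pos + length]
        der_len = der_sequence_length(blob)
        if der_len > len(blob):
            raise ValueError("DER length exceeds certificate entry")
        trailing = blob[der_len:]
        allowed = (-der_len) % 8           # zero padding up to 8-byte alignment is legitimate
        slack = trailing[allowed:]         # anything beyond that is unexplained
        nonzero_padding = any(trailing[:allowed])
        report["entries"].append({
            "offset": pos, "revision": revision, "type": cert_type,
            "declared_length": length, "der_length": der_len,
            "slack": bytes(slack), "nonzero_padding": nonzero_padding,
        })
        report["unaccounted_bytes"] += len(slack)
        if slack or nonzero_padding:
            report["suspicious"] = True
        pos += (length + 7) & ~7           # entries are 8-byte aligned
    tail = max(0, end - pos)               # bytes inside the directory but outside any entry
    if tail:
        report["unaccounted_bytes"] += tail
        report["suspicious"] = True
    return report


def build_sample_pe(extra: bytes = b"", body_len: int = 300) -> bytes:
    """Constructed minimal PE32+ whose certificate table holds a FAKE PKCS#7 blob."""
    fake_body = b"\xA5" * body_len          # stand-in for SignedData content, not a real signature
    der = b"\x30\x82" + struct.pack(">H", body_len) + fake_body
    padded = der + b"\x00" * ((-len(der)) % 8)
    # WIN_CERTIFICATE: dwLength, wRevision (0x0200), wCertificateType (PKCS#7 = 2)
    entry = struct.pack("<IHH", 8 + len(padded) + len(extra), 0x0200, 0x0002) + padded + extra
    table_offset = 0x400
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)                    # PE32+ optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, table_offset, len(entry))
    headers = bytes(dos) + coff + bytes(opt)
    return headers + b"\x00" * (table_offset - len(headers)) + entry


if __name__ == "__main__":
    clean = audit_certificate_table(build_sample_pe())
    hidden = audit_certificate_table(build_sample_pe(extra=b"\x90" * 64))
    print("clean :", clean["suspicious"], clean["unaccounted_bytes"])
    print("hidden:", hidden["suspicious"], hidden["unaccounted_bytes"], hidden["entries"][0]["slack"][:8])
```

Run it against a real signed DLL by passing `open(path, "rb").read()` to `audit_certificate_table`; a clean Authenticode signature leaves at most seven zero bytes of alignment padding, so any non-trivial `slack` is worth pulling out and inspecting. Note that data appended after the certificate table (a classic overlay) is covered by the hash and would invalidate the signature, which is why the table itself is the hiding place; Windows only rejects non-standard padding in the table when the optional MS13-098 strict check is enabled, so a valid signature on its own says nothing about this slack.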