The reputed Chinese state-sponsored threat group APT10 appears to be the culprit behind a campaign this past April that sought to distribute PlugX and Quasar RAT malware via one of two newly discovered downloader variants.
Researchers from enSilo uncovered the campaign after samples were collected from one or more targets based in the Philippines.
PlugX and Quasar are both malicious remote administrative tools with past ties to APT10. The group, which also goes by Stone Panda and a multitude of other nicknames, is known to have specifically developed PlugX.
The version of PlugX observed in this campaign operates much like older iterations, in that it collects information on infected machines and is highly modular in nature, allowing for plug-ins that enable compression and encryption, file interaction, remote shell operations and more.
A May 24 company blog post authored by enSilo Intelligence Team researcher Ben Hunter notes that the variant is particularly similar to a past version known as Paranoid PlugX, adding that the malware is programmed to kill McAfee’s email proxy service while removing any keys, files and directories related to said service.
Meanwhile, the Quasar RAT example spotted in this campaign consisted of a modified version that includes the SharpSploit .NET post-exploitation library. The attackers can use this framework's mimikatz capabilities to steal passwords from infected machines, enSilo explains.
The two newly discovered downloaders both abuse the legitimate executable jjs.exe, a Java virtual machine-based implementation of a javascript engine, in order to deliver a malicious file via DLL sideloading. The file, jli.dll, then maps a dropped binary file called "svchost.bin" to memory and decrypts it into a shellcode that contains the primary payload. This shellcode is injected into the Windows process svchost.exec.
Variant 1 is confirmed to deliver both PlugX and Quasar, while Variant 2 has been observed distributing PlugX only. The key difference between the two variants is how each establishes persistence. "The first variant uses a service as its persistency method," Hunter states in the blog post. "It installs itself (jjs.exe) as the service and starts it. When running in the context of the service it performs the decryption and injection..."
In contrast, Variant 2 instead "uses the Run registry key for the current user under the name "Windows Updata" to ensure its persistency rather than installing a service," Hunter continues.
Hunter also notes that the campaign used command-and-control servers based in South Korea, and made use of typosquatting domain names that impersonated the domains of legitimate tech companies. Researchers have seen both of these behaviors before in older APT 10 campaigns, according to enSilo.
