APT10 targets Japanese media company with upgraded UPPERCUT

Chinese cyberespionage group APT10 has been targeting Japanese corporations using updated TTPs.

In July 2018, the threat group was spotted targeting the Japanese media sector using spearphishing emails containing malicious documents that prompted the installation of the UPPERCUT backdoor, also known as ANEL, according to a Sept. 13 FireEye blog post.

The threat actors used subject lines related to maritime, diplomatic, and North Korean issues. One of the lures that referenced North Korea used the title of an actual news article that was online. Researchers noted the threat group consistently targets the same geolocation and industry while constantly updating their malware.

Another lure referencing Guatemala was noted as having an unusual spelling of the countries name in which the top search result for the spelling, referenced the event website for the lecture of the Guatemalan Ambassador.

The newer version of UPPERCUT included significant changes in how the backdoor initializes the Blowfish encryption key which makes it harder for researchers to detect and decrypt the backdoor’s network communications.

A Microsoft Word document containing malicious VBA macro is sent in the spearphishing emails. Once opened, the macro drops three PEM files onto the victim’s folder and then copies them from the %TEMP% to the %AllUserProfile% folder, researchers said in the post.

 The macro then decodes the dropped files using Windows certutil.exe, macro creates a copy of the files with their proper extensions using Extensible Storage Engine Utilities, and then launches the legitimate executable GUP.exe.

The macros then deletes the initially dropped .txt files using Windows esentutl.exe and changes the document text to an embedded message.

Researchers said this shows that APT10 is very capable of maintaining and updating their malware and that it’s possible that minor revisions were released every few months between December 2017 and May 2018.

In order to prevent attacks users are advised to disable Office macros in their settings and not to open documents from unknown sources.