Chinese Spy Group Mixes Up Its Malware Arsenal with Brand-New Loaders

silversurfer

The Chinese-language cyber-espionage group known as APT10 has apparently added to its malware bag of tricks, with two never-before-seen malware loader variants used in April campaigns against government and private organizations in Southeast Asia.

Also, the campaigns featured modified versions of known payloads, according to enSilo.
“Both of the loader’s variants and their various payloads that we analyzed share similar tactics, techniques and procedures (TTPs) and code associated with APT10,” said Ben Hunter, a researcher with the enSilo Intelligence Team, in a Friday analysis of the code.

Both variants drop a legitimate JVM-based implementation of a JavaScript engine (jjs.exe), which is then twisted via a method known as DLL side-loading, to serve as a loader for the final payloads, which include PlugX and Quasar remote access trojan (RAT).

“The loader starts out by running a legitimate executable, which is abused to load a malicious DLL instead of the legitimate one it depends on,” Hunter explained.
The malicious library (jli.dll) maps a data file, svchost.bin, to memory and decrypts it. The decrypted content is a shellcode that is injected into svchost.exe and contains the actual malicious payload.
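The loader chain described above (a legitimate jjs.exe side-loading a malicious jli.dll, which then injects decrypted shellcode into svchost.exe) gives a defender three observable events to hunt for. The script below is an added example of that detection logic and is not part of the original post or of enSilo's analysis. It assumes Sysmon-style telemetry exported as JSON lines with EventID 1 (process create), 7 (image load) and 8 (CreateRemoteThread); the field names, the trusted Java install directories and the sample log lines are all constructed for this example and would need to be tuned to a real environment.

```python
import json
from pathlib import PureWindowsPath
from typing import Dict, List

# Directories where a legitimate JDK/JRE copy of jjs.exe and jli.dll is expected.
# Assumption for this example: adjust to the install paths used in your estate.
TRUSTED_JAVA_DIRS = (
    r"c:\program files\java",
    r"c:\program files (x86)\java",
)


def _under_trusted_dir(path: str) -> bool:
    """True if the Windows path sits below one of the trusted Java directories."""
    normalised = str(PureWindowsPath(path)).lower()
    return any(normalised.startswith(d) for d in TRUSTED_JAVA_DIRS)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: Dict) -> List[str]:
    """Return findings for one Sysmon-style event (constructed schema, see lead-in)."""
    findings: List[str] = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if _basename(image) != "jjs.exe":
        return findings  # only the abused host binary is of interest here

    if eid == 1 and not _under_trusted_dir(image):
        # Process create: the JDK's jjs.exe running from a user-writable location.
        findings.append(f"jjs.exe executed from outside trusted Java dir: {image}")
    elif eid == 7 and _basename(ev.get("ImageLoaded", "")) == "jli.dll":
        # Image load: jli.dll pulled from next to the copied jjs.exe (side-loading).
        loaded = ev["ImageLoaded"]
        if not _under_trusted_dir(loaded):
            findings.append(f"jjs.exe loaded jli.dll from untrusted path: {loaded}")
        if str(ev.get("Signed", "false")).lower() != "true":
            findings.append(f"jjs.exe loaded unsigned jli.dll: {loaded}")
    elif eid == 8 and _basename(ev.get("TargetImage", "")) == "svchost.exe":
        # CreateRemoteThread: the JavaScript engine has no reason to touch svchost.exe.
        findings.append(
            f"jjs.exe created a remote thread in {ev['TargetImage']} (possible injection)"
        )
    return findings


def detect(jsonl: str) -> List[str]:
    """Run check_event over every JSON line; malformed lines are skipped."""
    results: List[str] = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            results.extend(check_event(json.loads(line)))
        except json.JSONDecodeError:
            continue
    return results


# Constructed sample telemetry: two benign JDK events followed by the loader chain.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Java\\jdk-11\\bin\\jjs.exe"}
{"EventID": 7, "Image": "C:\\Program Files\\Java\\jdk-11\\bin\\jjs.exe", "ImageLoaded": "C:\\Program Files\\Java\\jdk-11\\bin\\jli.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Users\\Public\\Libraries\\jjs.exe"}
{"EventID": 7, "Image": "C:\\Users\\Public\\Libraries\\jjs.exe", "ImageLoaded": "C:\\Users\\Public\\Libraries\\jli.dll", "Signed": "false"}
{"EventID": 8, "Image": "C:\\Users\\Public\\Libraries\\jjs.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe"}
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The two benign JDK events produce nothing, while the copied jjs.exe yields four findings: an untrusted execution path, an untrusted and unsigned jli.dll load, and a remote thread into svchost.exe. Path-based allow-listing alone is weak (an attacker can choose any directory), so the signature check and the cross-process thread creation are the parts worth keeping in a production rule; a file named svchost.bin beside the two binaries would be the on-disk artefact to collect for triage.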