Earlier on Tuesday, Cybersecurity researchers discovered hackers deploy malicious backdoors to target industrial sector in Japan.
According to Kaspersky researchers, “A41APT” also known as Stone Panda or Cicada attacks are being carried out. These are carried out using previously undocumented malware to deliver as many as three payloads of SodaMaster, P8RAT, and FYAnti.
The activities of the hackers were spotted back in March 2019 and most recently in November 2020. Reports back then suggested the bad actors were targeting companies with links to Japan in nearly 17 regions across the globe.
Kaspersky’s findings suggest similar attacks occurred in January 2021, where the malware leverages a multi-stage attack process. The initial intrusion takes place with the abuse of the SSL-VPN by exploiting unpatched vulnerabilities or stolen credentials.
Ecipekac malware is used in the campaign, it averses a four-layer “complicated loading schema”. This is achieved by making use of four files to “load and decrypt four fileless loader modules one after the other to eventually load the final payload in memory.”
Kaspersky’s further investigations reveal the main purpose of P8RAT and SodaMaster is to download and execute payloads retrieved from an attacker-controlled server. Though the investigation does not reveal the clues to the exact malware used to target Windows systems.
FYAnti, yet another payload used by the hackers, is a multi-loader module in itself. It goes through two more successive layers to deploy a final-stage remote access Trojan known as QuasarRAT (or xRAT).
Suguru Ishimaru, Kaspersky researcher said
The operations and implants of the campaign … are remarkably stealthy, making it difficult to track the threat actor’s activities. The main stealth features are the fileless implants, obfuscation, anti-VM ,and removal of activity tracks.”