The hackers, most likely from a well-known group that’s funded by the Chinese government, are outfitted with both off-the-shelf and custom-made tools. One such tool exploits Zerologon, a critical privilege-escalation vulnerability that can give attackers instant administrator privileges on vulnerable systems. Cicada, which is widely believed to be funded by the Chinese government and also carries the monikers APT10, Stone Panda
Japan-linked organizations need to be on alert, as it is clear they are a key target of this sophisticated and well-resourced group, with the automotive industry seemingly a particular focus of this attack campaign.
The attacks make extensive use of DLL side-loading, a technique that occurs when attackers replace a legitimate Windows dynamic-link library file with a malicious one. Attackers use DLL side-loading to inject malware into legitimate processes so they can keep the hack from being detected by security software.
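As an added illustration (not code from the article or from the research it summarizes), a small Python triage heuristic for the side-loading pattern just described: it takes constructed "image loaded" records of the kind an EDR or Sysmon export would provide and flags a DLL that carries a system library's name but sits outside the system directory, or an unsigned DLL sitting beside a signed host executable. The paths, signer names and the system-DLL list are assumptions for the sample only.

```python
import ntpath
from dataclasses import dataclass

# Constructed allow-list of DLL names that ship in the Windows system directory;
# on a real host build it from a listing of C:\Windows\System32.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "ntdll.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

@dataclass(frozen=True)
class ImageLoad:
    """One 'image loaded' record: process path and signer, DLL path and signer."""
    process: str
    process_signer: str   # "" when unsigned
    image: str
    image_signer: str     # "" when unsigned

def in_system_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in SYSTEM_DIRS

def classify(load: ImageLoad) -> list:
    """Return the reasons a load looks like side-loading; an empty list is clean."""
    reasons = []
    name = ntpath.basename(load.image).lower()
    # Core side-loading pattern: a DLL carrying a system library's name sits in
    # the application directory, so the loader's search order finds it first.
    if name in SYSTEM_DLLS and not in_system_dir(load.image):
        reasons.append("system DLL name loaded outside the system directory")
    # The "legitimate process, malicious library" combination: a signed host
    # pulling an unsigned DLL from its own directory.
    same_dir = ntpath.dirname(load.image).lower() == ntpath.dirname(load.process).lower()
    if same_dir and load.process_signer and not load.image_signer:
        reasons.append("unsigned DLL beside a signed host executable")
    return reasons

def triage(loads) -> dict:
    return {l.image: r for l in loads if (r := classify(l))}  # drop clean loads

# Constructed sample records; paths and signer names are illustrative, not IoCs.
SAMPLE = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", "Microsoft Windows",
              r"C:\Windows\System32\ntdll.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Users\Public\Libraries\updater.exe", "Example Vendor",
              r"C:\Users\Public\Libraries\version.dll", ""),
    ImageLoad(r"C:\Program Files\App\app.exe", "Example Vendor",
              r"C:\Program Files\App\plugin.dll", "Example Vendor"),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```

Both heuristics produce noise on legitimately redistributed system DLLs, so treat a hit as a lead for signer and hash verification rather than a verdict.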
Microsoft patched the critical privilege-escalation vulnerability in August, but since then attackers have been using it to compromise organizations that have yet to install the update.
Third-stage DLL has an export named “FuckYouAnti”
Third-stage DLL uses the CppHostCLR technique to inject and execute the .NET loader assembly
.NET Loader is obfuscated with ConfuserEx v1.0.0
Final payload is QuasarRAT, an open-source backdoor used by Cicada in the past
It’s difficult to say how, when, or where you will be attacked and compromised across geographies. Stay safe and secure.