Dubbed “A41APT” by Kaspersky researchers, the sophisticated campaign targets the Japanese industrial sector. The findings delve into a new slew of attacks undertaken by APT10 using previously undocumented malware to deliver as many as three payloads: SodaMaster, P8RAT, and FYAnti.
Reports have emerged of Japan-linked companies being targeted by the threat actor in over 17 regions worldwide. The infection chain leverages a multi-stage attack process, with the initial intrusion occurring via abuse of SSL-VPN, either by exploiting unpatched vulnerabilities or by using stolen credentials.
Central to the campaign is a malware called Ecipekac (“Cake piece” spelled in reverse) that traverses a four-layer “complicated loading schema,” making use of four files to “load and decrypt four fileless loader modules one after the other to eventually load the final payload in memory.”
While the main purpose of P8RAT and SodaMaster is to download and execute payloads retrieved from an attacker-controlled server, the third payload, FYAnti, is a multi-layer loader module in itself that goes through two more successive layers to deploy a final-stage remote access Trojan known as QuasarRAT (or xRAT). This layered, fileless design makes the campaign stealthy and its activities difficult to track.