A China-linked threat actor has been using a new Trojan in attacks aimed at individuals and organizations located in or with ties to Japan, Palo Alto Networks reported on Thursday.
The group is known as menuPass, Stone Panda and APT10, and it has been active since at least 2009. The actor initially targeted defense contractors in the United States and elsewhere, and since 2014 it has also attacked organizations in Japan.
menuPass is known for using PlugX and PoisonIvy, which have been observed in campaigns launched by several actors. However, a recent menuPass operation, which took place between September and November 2016, involved a new Trojan, dubbed ChChes, that is unique to this group.
The recent operation targeted Japanese academics working in various scientific fields, a Japanese pharmaceutical company, and a US-based subsidiary of a Japanese manufacturing firm. The attacks started with spear-phishing emails that came from spoofed addresses, including of the Sasakawa Peace Foundation and the White House.
One clue that linked ChChes to other tools used by menuPass was a shared import hash. However, experts also discovered connections in the infrastructure used in the recent and older attacks.
ChChes was disguised as a Word document and it was signed using a certificate from Italian spyware maker Hacking Team. The certificate was leaked when the company was hacked in July 2015, but it had been revoked long before the latest menuPass attacks. Researchers believe attackers may have used it in an effort to make attribution more difficult.
In addition to collecting information about the infected system, ChChes has modules that help it encrypt communications, execute shell commands, upload and download files, and load and execute DLLs, according to an analysis conducted by Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC).
Palo Alto Networks believes ChChes is only used to download other malware onto infected computers, especially since it does not have a persistence mechanism.
“In a successful intrusion, it may be only a first stage tool used by the attackers to orient where they landed in a network, and other malware will be deployed as a second stage layering for persistence and additional access as the attackers move laterally through a network,” researchers said in a blog post.