APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign
#1
Bug 
Quote:

Why is the campaign called A41APT?

In 2019, we observed an APT campaign targeting multiple industries, including the Japanese manufacturing industry and its overseas operations, that was designed to steal information. We named the campaign A41APT (not APT41), which is derived from the host name “DESKTOP-A41UVJV” from the attacker’s system used in the initial infection. The actor leveraged vulnerabilities in Pulse Connect Secure in order to hijack VPN sessions, or took advantage of system credentials that were stolen in previous operations.

A41APT is a long-running campaign with activities detected from March 2019 to the end of December 2020. Most of the discovered malware families are fileless malware and they have not been seen before. One particular piece of malware from this campaign is called Ecipekac (a.k.a. DESLoader, SigLoader, and HEAVYHAND). It is a very sophisticated multi-layer loader module used to deliver payloads such as SodaMaster (a.k.a. DelfsCake, dfls, and DARKTOWN), P8RAT (a.k.a. GreetCake and HEAVYPOT) and FYAnti (a.k.a. DILLJUICE stage2), which loads QuasarRAT.

In November and December 2020, Symantec and LAC both published blogposts about this campaign. A month later, we discovered new activities from A41APT that utilized modified and updated payloads, and that’s what we cover in this blog.

In February 2021, a GReAT security expert and his friends gave a presentation on the A41APT campaign at the GReAT Ideas event. You can download the slides here. Further information about A41APT is available to customers of the Kaspersky Intelligence Reporting service. Contact intelreports@kaspersky.com

Technical analysis: Ecipekac

We observed a multi-layer x64 loader used exclusively by this actor and dubbed Ecipekac after a unique string found in the second layer of the Ecipekac loader. The string is “Cake piece” in reverse (with a typo).

Ecipekac uses a new, complicated loading schema: it uses the four files listed below to load and decrypt four fileless loader modules one after the other to eventually load the final payload in memory.
...