APT10 targets Japanese entities. Purple Fox gets an upgrade. Android malware poses as system update.

At a glance.

  • APT10 targets Japanese entities.
  • Purple Fox gets an upgrade.
  • Android malware poses as system update.
  • Vulnerable mobile apps.

APT10 targets Japanese entities.

Kaspersky describes a cyberespionage campaign that ran from March 2019 to the end of December 2020. The campaign targeted Japan and entities related to Japan, particularly the country’s manufacturing industry. The researchers “assess with high confidence” that China’s APT10 is behind the operation. The threat actor gained access by exploiting vulnerabilities in Pulse Connect Secure VPNs or by using previously stolen credentials.

Kaspersky says the actor used a unique loader dubbed “Ecipekac” to deliver fileless malware. The researchers explain, “This campaign introduced a very sophisticated multi-layer malware named Ecipekac and its payloads, which include different unique fileless malware such as P8RAT and SodaMaster. In our opinion, the most significant aspect of the Ecipekac malware is that, apart from the large number of layers, the encrypted shellcodes were being inserted into digitally signed DLLs without affecting the validity of the digital signature. When this technique is used, some security solutions cannot detect these implants. Judging from the main features of the P8RAT and SodaMaster backdoors, we believe that these modules are downloaders responsible for downloading further malware that, unfortunately, we have not been able to obtain so far in our investigation.”

Purple Fox gets an upgrade.

Guardicore is tracking a malware campaign dubbed “Purple Fox” that’s recently added a new propagation method. The malware was discovered in 2018, and would spread via exploit kits and phishing emails. In late 2020, however, the malware operators began gaining access by brute-forcing exposed SMB services:

“While it appears that the functionality of Purple Fox hasn’t changed much post exploitation, its spreading and distribution methods – and its worm-like behavior – are much different than described in previously published articles. Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware,…