In July 2018, FireEye devices detected and blocked what appears to
be APT10 (Menupass) activity targeting the Japanese media sector.
APT10 is a Chinese cyber espionage group that FireEye has tracked
since 2009, and it has a history of targeting Japanese entities.
In this campaign, the group sent spear phishing emails containing
malicious documents that led to the installation of the UPPERCUT
backdoor. This backdoor is well known in the security community as ANEL,
and until recently it was distributed only in beta or RC (release candidate) versions.
Part of this blog post will discuss the updates and differences we
have observed across multiple versions of this backdoor.
Attack Overview
The attack starts with Microsoft Word documents containing a
malicious VBA macro being attached to spear phishing emails. Although
the contents of the malicious documents are unreadable (see Figure 3),
the Japanese titles are related to maritime, diplomatic, and North
Korean issues. Table 1 shows the UPPERCUT indicators of compromise (IoCs).
File Name
MD5
Size
C2
自民党海洋}虾