Why is the campaign called A41APT?

In 2019, we observed an APT campaign targeting multiple industries, including the Japanese manufacturing industry and its overseas runnings, that was designed to steal information. We named the campaign A4 1APT( not APT4 1) which is derived from the host name “DESKTOP-A41UVJV” from the attacker’s system used in the initial infection. The actor leveraged vulnerabilities in Pulse Connect Secure in order to hijack VPN sessions, or took advantage of system credentials that were stolen in previous operations.

Log of the hijacking VPN session from DESKTOP-A4 1UVJV

A4 1APT is a long-running campaign with activities detected from March 2019 to the end of December 2020. Most of the discovered malware families are fileless malware and they have not been visualized before. One particular part of malware from education campaigns is called Ecipekac( a.k.a DESLoader, SigLoader, and HEAVYHAND ). It is a very sophisticated multi-layer loader module used to deliver warheads such as SodaMaster( a.k.a DelfsCake, dfls, and DARKTOWN ), P8 RAT( a.k.a GreetCake, and HEAVYPOT) and FYAnti( a.k.a DILLJUICE stage2) which loadings QuasarRAT.

In November and December 2020, Symantec and LAC both published blogposts about this campaign. A month later, we discovered new activities from A41APT that utilized modified and updated payloads, and that’s what we encompas in this blog.

In February 2021, a GReAT security expert and his friends made a presentation on the A41APT campaign at the GReAT Ideas event. You can download the slides here. Further information about A4 1APT is available to customers of the Kaspersky Intelligence Reporting service. Contact intelreports @kaspersky. com

Technical analysis: Ecipekac

We observed a multi-layer x6 4 loader used exclusively by this actor and dubbed Ecipekac after a unique string found in the second layer of the Ecipekac loader. The string is “Cake piece” in reverse( with a typo ).

The hardcoded unique string “ecipekac”

Ecipekac employs a new, complicated loading schema: it uses the four files listed below to load and decrypt four fileless loader modules one after the other to eventually load the final warhead in memory.

Ecipekac infection flow

The files are 😛 TAGEND

Filename MD5 Hash Description policytool.exe 7e2b9e1f651fa5454d45b974d00512fb Legitimate exe for DLL side-loading

jli.dll be53764063bb1d054d78f2bf08fb90f3 Ecipekac Layer I loader

vac.dll f60f7a1736840a6149d478b23611d561 Encrypted Ecipekac Layer II loader( shellcode)

pcasvc.dll 59747955a8874ff74ce415e56d8beb9c Encrypted Ecipekac Layer IV loader( shellcode)

Please note that the Ecipekac Layer III loader module is embedded in the encrypted Layer II loader.

Ecipekac: Layer I loader

Layer I of Ecipekac infection flow

The Ecipekac Layer I loader abuses policytool.exe, a legitimate application that is normally packaged in the IBM Development Package for Eclipse, to load a malicious DLL named’ jli.dll’ in the current directory via the DLL side-loading technique. The’ jli.dll’ file acts as the first layer of the Ecipekac loader. This DLL file has a number of export roles; however, all of them can be attributed to a similar function that carries the main loading feature. The loader reads 0x40408 bytes of data from the end of another DLL-‘ vac.dll'( where the data section starts at the offset of 0x66240 ). The data size of 0x40408 is derived from a hardcoded value, 0x40405, incremented until it’s divisible by eight.

MD5 f60f7a1736840a6149d478b23611d561 SHA1 5eb69114b2405a6ea0780b627cd68b86954a596b SHA2 56 3b8ce709fc2cee5e7c037a242ac8c84e2e00bd597711093d7c0e85ec68e14a4c Link time 2033-11-13 08:50: 03

File form PE32+ executable( DLL)( GUI) x86-64, for MS Windows

Compiler Linker Version: 14.13, OS Version: 10.0

File size 681544( 666 KB)

File epithet vac.dll Embedded data at 0x66240 (size:0x40405) 00066240: febe d990 66 de 1bc9 75 b7 dc2c 3e1f 3ef2 00066250: 78 d0 0005 5c27 a511 c122 bdf4 15 e7 052 c 00066260: af72 7e08 064 c f7b9 70 f0 57 bf 250 a 3b4d [..skipped..] 000 a6630: ee4b b1f2 294 d eea1 290 e aba2 6954 130 f 000a6640: 1267 9ab3 f800 0000

The’ vac.dll’ DLL file is signed with a valid, legitimate digital signature, although the file has been tampered with. At first glance, the fact that its digital signature is valid would suggest the file has not been manipulated after being digitally signed.

The signed digital certificate of vac.dll

However, what happened was that the actor resized the Certificate Table in the digitally signed’ vac.dll’ and inserted their own data in the Certificate Table so it doesn’t affect the digital signature. This technique was published at BlackHat 2016 as MS13-098.

The layer I loader decrypts the layer II loader shellcode from the embedded data in’ vac.dll’. Several crypto algorithms are use, such as XOR, AES and DES. The order and combination of algorithms, as well as the decryption keys, are distinct from one sample to another.

Decryption flow in first loader

For example, in the sample shown above, the order of crypto algorithms was a one-byte XOR applying the hardcoded key of’ 0x9F ‘, be accompanied by an AES CBC mode decryption with the AES key’ 83 H4uREKfFClDH8ziYTH8xsBYa32p3wl’ and the IV key’ 83 H4uREKfFClDH8z ‘.

One interesting characteristic of Ecipekac is that the attackers implemented these cryptographic algorithms in their own code instead of using the Windows API. The attackers have also made slight modifications compared to the original implementation. For instance, in the role related to the AES algorithm, they intentionally referenced the third byte of the AES key as shown in the following code.

A small-scale modification in the AES function

Apart from the AES algorithm mentioned, the attackers have also modified the DES algorithm.

Ecipekac: Layer II loader shellcode

Layer II of infection flow use Ecipekac

The Ecipekac Layer II loader is a simple shellcode which contains the data of the next layer DLL in disordered parts. At first, this shellcode checks for the magical string “ecipekac” in this data set. Then it reconstructs and loads each part of the embedded data into allocated recollection in the correct ordering to create the original code of the DLL as shown below.

Reconstruction for the subdivided PE BLOB in memory

Then it calls the entry point of the loaded DLL which is the third layer of Ecipekac. Based on our investigation, the magic string used in this module is not exclusively “ecipekac” in all instances. We also observed” 9F 8F 7F 6F” and” BF AF BF AF” included in several samples instead.

Ecipekac Layer III loader DLL

Layer III of infection flow use Ecipekac

The third layer’s method of loading the next layer resembles the first layer. It reads encrypted data from the end of’ pcasvc.dll ‘, which is signed applying a digital credential as is the case with’ vac.dll’.

MD5 59747955a8874ff74ce415e56d8beb9c SHA1 0543bfebff937039e304146c23bbde7693a67f4e SHA2 56 a04849da674bc8153348301d2ff1103a7537ed2ee55a1588350ededa43ff09f6 Link time 2017-02-24 15:47: 04

File kind PE32+ executable( DLL)( console) x86-64, for MS Windows

Compiler Linker Version: 14.13, OS Version: 10.0

File size 733232( 717 KB)

File name pcasvc.dll Embedded data at 0x87408( sizing: 0x2BC28) 00087408: 98 e4 1def 8519 d194 3c70 4e84 458 a e34c 00087418: b145 74 da c353 8cf8 1d70 d024 8a54 8bde [..skipped..] 000 b3010: 2c1b 6736 8935 d55d 8090 0829 5dfc 7352 000b3020: 44 bd c35b 9b23 1cb6 0000 0000 0000 0000

The crypto algorithms are again one-byte XOR and AES CBC mode, this time to decrypt the fourth loader shellcode from the embedded data of’ pcasvc.dll’. However, the sequence of algorithms is in reverse order compared to the first layer. The hardcoded keys are also different: “0x5E” is used as the XOR key, while the AES key and IV are “K4jcj02QSLWp8lK9gMK9h7W0L9iB2eEW” and “K4jcj02QSLWp8lK9” respectively.

Ecipekac: Layer IV loader shellcode

Layer IV of infection flow utilize Ecipekac

During our research, we find three different types of shellcode used as the fourth layer of Ecipekac.

Layer IV loader shellcode – first type

The first shellcode type’s procedure acts the same way as the Ecipekac Layer II shellcode, with the only difference being the embedded PE, which is the final payload of Ecipekac in this case. The payload of the first kind shellcode is either ” P8 RAT” or “FYAnti loader”. An analysis of these payloads is provided in the later segments of this report.

Layer IV loader shellcode – second type

The second type of shellcode is totally different from the other loader forms. This shellcode has a unique data structure shown in the table below.

Offset Example Data Description 0x000 90 90 90 90 90 90 90 90 magic number to check before proceeding to data processing.

0x008 0x11600 size of encrypted data

0x00C A9 5B 7B 84 9C CB CF E8 B6 79 F1 9F 05 B6 2B FE 16 bytes RC4 key

0x01C C7 36 7E 93 D3 07 1E 86 23 75 10 49 C8 AD 01 9F 6E D0 9F 06 85 97 B2 [skipped] Encrypted payload( SodaMaster) by RC4

This shellcode corroborates the presence of the magic number” 90 90 90 90 90 90 90 90″ at the beginning of this data structure, before proceeding to decrypt a payload at offset 0x01C employing RC4 with a 16 -byte key of” A9 5B 7B 84 9C CB CF E8 B6 79 F1 9F 05 B6 2B FE “. The decrypted warhead is “SodaMaster”, and is described later in this report.

Layer IV loader shellcode- third type

The last type of shellcode is a Cobalt Strike stager. We have confirmed the use of several different Cobalt Strike stager shellcodes since October 2019. In addition, some of the find Cobalt Strike stager samples included a determine in the HTTP header of their malicious communications to disguise them as common jQuery request in order to evade detection by security products.

Hardcoded HTTP header to impersonate jQuery request

The actual hardcoded C2 used in the HTTP header for the C2 communication impersonating JQuery requests was ” 51.89.88 [.] 126″ with the respective port 443.

Payloads of Ecipekac

Payload of Infection flow applying Ecipekac

As mentioned previously, apart from the Cobalt Strike stager, we observed three each type of final warhead implanted by the Ecipekac loader during this long-running campaign.

P8 RAT SodaMaster FYAnti loader for QuasarRAT

The following timeline shows samples of the Ecipekac loader together with their respective filename and payload type based on a compilation timestamp of the first layer DLL 😛 TAGEND

Timeline of the Ecipekac loader files and payloads

Cobalt Strike’s stager has been used throughout the research period. FYAntiLoader for QuasarRAT was monitored in October 2019, and has not been observed since then. Instead of this, SodaMaster and P8 RAT were monitored from May 2020.

P8RAT

One of Ecipekac’s payloads is a new fileless malware which we call P8 RAT( a.k.a GreetCake ). P8 RAT has the following unique data structure used to store the C2 communication configuration. We compiled several samples of P8 RAT during our research and detected no C2 address of P8 RAT that was used more than once. In total we detected 10 backdoor commands in all the accumulated P8 RAT samples. The most recent P8 RAT sample, with the compilation timestamp of December 14, 2020, depicts a new backdoor command with the code number of ” 309″ implemented. The command “304”, which was present in earlier samples and carries similar functionality, was removed.

Command Description Compilation time of P8 RAT

2020 -0 3-30 2020-08-26 2020 -1 2-14

300 Closing socket Enabled Enabled Enabled 301 Creating a thread for executing/ loading a downloaded PE file Enabled Enabled Enabled 302 No functionality Enabled Removed Removed 303 Sending arbitrarily produced data Enabled Enabled Enabled 304 Executing/loading downloaded PE/ shellcode Enabled Removed Removed 305 Setting value of “Set Online Time”( the string was hardcoded in the P8 RAT version compiled based on 2020 -0 3-30 and removed from the P8 RAT version compiled based on 2020 -0 8-26 ). Enabled Enabled Enabled 306 Setting value of “Set Reconnect TimeOut”( the string was hardcoded in the P8 RAT version compiled on 2020 -0 3-30 and walk away from the P8 RAT version compiled on 2020 -0 8-26 ). Enabled Enabled Enabled 307 Setting value of” Set Reconnect day”( the string was hardcoded in the P8 RAT version compiled based on 2020 -0 3-30 and walk away from the P8 RAT version compiled based on 2020 -0 8-26 ). Enabled Enabled Enabled 308 Setting value of “Set Sleep time”( the string was hardcoded in the P8 RAT version compiled based on 2020 -0 3-30 and walk away from the P8 RAT version compiled based on 2020 -0 8-26 ). Enabled Enabled Enabled 309 Creating thread for executing downloaded shellcode was implemented from the P8 RAT version compiled on 2020 -1 2-14. Not implemented Not implemented Enabled

The main purpose of P8 RAT is downloading and executing payloads( consisting of PE and shellcode) from its C2 server. However, we were unable to obtain any sample of the subsequent payloads for this malware.

In the P8 RAT sample from March 2020, hardcoded strings such as “Set Online Time”, ” Set Reconnect TimeOut”,” Set Reconnect Times” and” Set Sleep Time” were used in regard to backdoor commands “305” to “308”, which point to the possible purpose of these commands. Based on these strings, which were removed from the P8 RAT samples in August 2020, we speculate that these commands are possibly used to control the intervals of the C2 communication by defining sleep time, reconnect period and reconnect timeout in order to mix C2 communication with normal network traffic of the system.

In another update, the P8 RAT sample from August 2020 looks for two process names (” VBoxService.exe” and “vmtoolsd.exe”) on the victim’s system, to detect VMware or VirtualBox environments at the beginning of its main malicious function.

Hardcoded file names to see VMware and VirtualBox

Interestingly the attacker made some modifications to P8 RAT in December 2020, shortly after the publication of the two blogposts from Symantec on November 17, 2020, and LAC on December 1, 2020( in Japanese ). We strongly believe that this actor had examined these security dealers’ publications carefully and then modified P8 RAT accordingly.

SodaMaster

Another payload of the Ecipekac loader, which we call SodaMaster( a.k.a DelfsCake ), is also a new fileless malware. In our research we find more than 10 samples of SodaMaster. All the accumulated samples of this module were almost identical, with the offsets and hex patterns of all functions perfectly matching. The only changes were in the configuration data, including a hardcoded C2, an encoded RSA key and additional data for calculating a mutex value.

Configuration of SodaMaster

When execution of this malware begins, it creates a mutex with a epithet in the reverse order of the CRC3 2 checksum calculated from the encoded RSA key and its following additional data. Then the malware arbitrarily generates a value as an RC4 key for C2 communication. The first data block sent to the C2 server includes the user_name, the host_name, PID of the malware module, OS_version, socket_name, the generated RC4 key and the malware’s elapsed running time.

C2 communication of SodaMaster

We substantiated four backdoor commands, coded as “d”, ” f”, “l” and “s”, in the recent SodaMaster sample. In addition, we also discovered an age-old SodaMaster sample which has only two commands. A description of each command is shown in the following table.

Command Description Compilation time of P8 RAT

2019 -0 1-07 2019-06-10 d Create thread for launching downloaded DLL and call exportation part of the DLL. Enabled Enabled

f Set value as RC4 key for the encrypted C2 communication Not implemented Enabled l Set value as sleep time Not implemented Enabled s Create thread for executing downloaded shellcode Enabled Enabled

Based on the analysis of the backdoor features of the SodaMaster module, the purpose of this malware is also to download and execute warheads( DLL or shellcode ), like P8 RAT. Unfortunately, we have not been able to obtain these payloads yet.

The SodaMaster module likewise proves an anti-VM feature. The malware looks for the presence of the registry key “HKEY_CLASSES_ROOT\\Applications\\VMwareHostOpen.exe” on the victim’s system before moving on to its main functionality. This registry key is specific to the VMware environment.

SodaMaster anti-VM check

Another characteristic of SodaMaster is the use of a common obfuscation technique known as ” stackstrings ” to create the registry key in double-byte characters. We observed the same obfuscation technique used for a process epithet and DLL name in other SodaMaster samples.

FYAnti loader for QuasarRAT

The last observed type of payload deployed by Ecipekac is a loader module named FYAnti loader. In the Ecipekac loader malware of the fourth layer, the DLL is loaded into memory and an export carrying the name “F**kY**Anti” is called. We named this loader “FYAnti” because of this distinct string. The execution flowing of the FYAnti has two additional layers to implement the final stage, which is a QuasarRAT( a.k.a xRAT ).

Infection flow of FYAnti loader

The first layer of the FYAnti loader decrypts an embedded. NET module and executes it applying the CppHostCLR technique. The. NET module is packed applying “ConfuserEx v1.0.0” and acts as yet another loader that searches for a file in the “C:\Windows\Microsoft.NET\””,NN,[]
directory with file sizes between 100,000 and 500,000. The unpacked code is shown in the screenshot below.

Unpacked code of the second layer loader of FYAnti to search a file

In this instance, an encrypted file named “web_lowtrust.config.uninnstall” is detected and used as the next stage module. The. NET module loads and decrypts this file applying AES CBC mode. The decrypted warhead is another. NET module named Client.exe which is QuasarRAT, a popular open-source remote administration tool. The configuration data is presented in the binary with most of this data being encrypted by AES CFB mode and base6 4. The AES key is generated using the hardcoded string “KCYcz6PCYZ2VSiFyu2GU” in the configuration data.

Malware configuration of QuasarRAT

All loader modules and payloads are decrypted and executed in remembrance only.

Attribution

Based on our investigations, we assess with high confidence that the APT1 0 menace performer is behind the A41APT campaign. This attribution is based on the following section 😛 TAGEND

First, the hardcoded URL ” www.rare-coisns [.] com” from an x86 SodaMaster sample was mentioned in the report from ADEO regarding APT1 0′ s activity targeting the finance and telecommunication sectors of Turkey, also fitting the geolocation of the VirusTotal submitter.

Second, the similarity of the A41APT campaign with APT1 0 activities described in a Cylance blogpost. These include the Ecipekac Loader, FYAnti loader’s unique exportation name “F**kY**Anti”, applying the CppHostCLR technique and QuasarRAT used as the FYAnti’s final warhead. Moreover, as stated in the Symantec blogpost, the FYAnti loader, the export name “F**kY**Anti”, CppHostCLR technique for injection of. NET loader and the QuasarRAT were similar to the activities of the APT1 0 group discovered by the BlackBerry Cylance menace research team.

Last but not least, there are some similarities and common TTPs to those outlined in our previous TIP report on APT1 0 activities 😛 TAGEND

Implementation of the hashing or crypto algorithms done manually by the malware developers instead of using Windows APIs, with some modifications; Use of calculated hash values( fully or partly) for some features like crypto keys, part of the crypto keys, key generation, mutex names and so on; Using the DLL side-loading technique to run a warhead in memory; Use PowerShell scripts for persistence and also for lateral movement; Utilize exe for removing logs in order to hide their activities; Sending victim machine data such as username, hostname, PID, current day and other specifics- though this point is not unique to APT1 0 backdoors and is quite common in most backdoor households; Modifying implants shortly after security researchers publish their analysis of the actor’s activities and TTPs; Targeting chiefly Japan, alongside associated overseas limbs or organizations related to Japan.

However, we observed some interesting differences in the A41APT campaign and previous activities 😛 TAGEND

P8 RAT and SodaMaster did not contain a malware version number as opposes this previous malware instances used by APT1 0 such as LilimRAT, Lodeinfo and ANEL; As for the infection vector, we could not identify any spear-phishing email in this A41APT campaign, which is quite common in APT1 0 attacks.

Overall, APT1 0 is considered a large APT group work multiple simultaneous campaigns and, understandably, TTPs differ from one campaign to another. We believe significant differences mentioned here for the A41APT campaign represent a normal change of TTPs that can be expected in the case of such a large APT group.

Conclusions

We reviewed and considered the A41APT campaign is just one of APT1 0′ s long-running activities. This campaign introduced a very sophisticated multi-layer malware named Ecipekac and its warheads, which include different unique fileless malware such as P8 RAT and SodaMaster.

In our opinion, the most significant aspect of the Ecipekac malware is that, apart from the large number of layers, the encrypted shellcodes were being inserted into digitally signed DLLs without affecting the validity of the digital signature. When this technique is use, some security solutions cannot detect these implants. Judging from main features of the P8 RAT and SodaMaster backdoors, we believe that these modules are downloaders responsible for downloading further malware that, unfortunately, we have not been able to obtain still further in our investigation.

We see the activity outlined in this report as a continuation of the program activities we previously reported in our Threat Intelligence Portal, where, in 2019, this threat performer began targeting overseas offices of Japanese associations or organizations employing the ANEL malware. The operations and implants of the campaign described in this report are remarkably stealthy, making it difficult to track the threat actor’s activities. The main stealth features are the fileless implants, obfuscation, anti-VM and removal of activity tracks.

We will continue to investigate and way the activities of the APT1 0 actor, which are expected to keep improving its covertness with each year.

Appendix I- Indicators of Compromise

Note: The indicators in this section are valid at the time of publication. Any future changes will be directly updated in the corresponding. ioc file.

File Hashes( malicious documents, trojans, emails, decoys)

Ecipekac loader be5 3764063 bb1d054d78f2bf08fb90f3 jli.dll P8 RAT cca4 6fc64425364774e5d5db782ddf54 vmtools.dll SodaMaster dd6 72 da5d367fd291d936c8cc03b6467 CCFIPC6 4. DLL FYAnti loader

Encrypted Ecipekac Layer II, IV loader( shellcode) md5 filename warheads f6 0f7a1736840a6149d478b23611d561 vac.dll P8 RAT 59747955a8874ff74ce415e56d8beb9c pcasvc.dll P8 RAT 4638220ec2c6bc1406b5725c2d35edc3 wiaky0 02 _CNC1 755 D.dll SodaMaster d3 7964 a9f7f56aad9433676a6df9bd19 c_apo_ipoib6x. dll SodaMaster 335ce825da93ed3fdd4470634845dfea msftedit.prf.cco FYAnti loader f4c 4644 e6d248399a12e2c75cf9e4bdf msdtcuiu.adi.wdb FYAnti loader

Encrypted QuasarRAT md5 filename payloads 019619318e1e3a77f3071fb297b85cf3 web_lowtrust.config.uninstall QuasarRAT

Realm and IPs

151. 236.30 [.] 223 193. 235.207 [.] 59 45. 138.157 [.] 83 88. 198.101 [.] 58 www.rare-coisns [.] com

Appendix II- MITRE ATT& CK Mapping This table contains all the TTPs identified in the analysis of the activity described in this report.

Tactic Technique Technique Name

Initial Access T1133 External Remote Services

Uses vulnerabilities in Pulse Connect Secure to hijack a VPN session.

T1078 Valid Accounts

Uses stolen credentials to connect to the enterprise network as initial infection.

Execution T1059.001 Command and Scripting Interpreter: PowerShell

Uses PowerShell to download implants and remove logs.

T1053. 005 Scheduled Task/ Job: Scheduled Task

Creates a task for running a legitimate EXE with Ecipekac( malicious DLL) using DLL side-loading technique.

Persistence T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

Uses a legitimate EXE file which loadings Ecipekac( malicious DLL) in the current directory.

T1574. 002 Hijack Execution Flow: DLL Side-Loading

Uses a legitimate EXE file which loads Ecipekac( malicious DLL) in the current directory.

T1053. 005 Scheduled Task/ Job: Scheduled Task

Creates a task for running a legitimate EXE with Ecipekac( malicious DLL) use DLL side-loading technique.

T1078 Scheduled Task/ Job: Scheduled Task

Uses stolen credentials to connect to the enterprise network as initial infection.

Privilege Escalation T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

Uses a legitimate EXE file which loads Ecipekac( malicious DLL) in the current directory.

T1574. 002 Hijack Execution Flow: DLL Side-Loading

Uses a legitimate EXE file which loadings Ecipekac( malicious DLL) in the current directory.

T1053. 005 Scheduled Task/ Job: Scheduled Task

Creates a task for running a legitimate EXE with Ecipekac( malicious DLL) applying DLL side-loading technique.

T1078 Scheduled Task/ Job: Scheduled Task

Uses stolen credentials to connect to the enterprise network as initial infection.

Defense Evasion T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

Uses a legitimate EXE file which loads Ecipekac( malicious DLL) in the current directory.

T1574. 002 Hijack Execution Flow: DLL Side-Loading

Uses a legitimate EXE file which loadings Ecipekac( malicious DLL) in the current directory.

T1053. 005 Scheduled Task/ Job: Scheduled Task

Creates a task for running a legitimate EXE with Ecipekac( malicious DLL) employing DLL side-loading technique.

T1078 Scheduled Task/ Job: Scheduled Task

Uses stolen credentials to connect to the enterprise network as initial infection.

T1070. 003 Indicator Removal on Host: Clear Command History

Removes Powershell execution logs use Wevtutil.exe.

T1036 Masquerading

Encrypted shellcode of Ecipekac was embedded in the legitimate DLL.

T1497. 001 Virtualization/Sandbox Evasion: System Checks

Payloads of Ecipekac check a registry key and process epithets to identify VM environment.

Discovery T1057 Process Discovery

Checks the process of VMware and VirtualBox to identify the VM environment.

T1082 System Information Discovery

SodaMaster mails system knowledge such as user_name, the host_name, PID of the malware module, OS_version, etc.

T1012 Query Registry

Checks a registry key of VMware to identify the VM environment.

Lateral Movement T1210 Exploitation of Remote Services

Uses vulnerabilities in Pulse Connect Secure to hijack a VPN session.

Command and Control T1071.001 Application Layer Protocol: Web Protocols

Cobalt Strike’s stager utilizes HTTP protocol of communicating with C2 server to disguise as a common jQuery.

T1132. 002 Data Encoding: Non-Standard Encoding

SodaMaster employs an original data structure and RSA for the first communication, then applies RC4 for encryption.

Read more: securelist.com