China-linked APT10 Hackers Attacking Organizations using the recently-Disclosed ZeroLogon vulnerability

Recently, a large-scale attack campaign from an APT10 hacker group is attacking a multitude of Japanese companies, that include subsidiaries that are inhabited in nearly 17 regions throughout the world in an intelligence-gathering operation.

The Japanese companies in various sectors are being attacked in this campaign, that includes all those operating in the automotive, pharmaceutical, and engineering sectors, and managed service providers (MSPs) as well.

Symantec had detected the campaign when the suspicious DLL side-loading activity on one of their customer’s networks planted an alert in their Cloud Analytics technology. And this is available in Symantec Endpoint Security Complete (SESC). 

However, this activity was later reviewed by the Threat Hunter investigators before being transferred to their investigation team for additional analysis.


This campaign has been detected in mid-October 2019, just at the beginning of October 2020. And the attack group is being active on the networks of some of its victims for nearly a year.

The threat actors have targetted all the well-known organizations, and many of them are linked with Japan or Japanese companies. The threat actors have attacked Cicada; it has been known to have a heavy focus on Japanese organizations in early attack campaigns. 

The main factors that are linking to the victims together, as all of them come together with a wide variety of sectors, and here they are:-

  • Automotive
  • Clothing
  • Conglomerates
  • Electronics
  • Engineering
  • General Trading Company
  • Government
  • Industrial Products
  • Managed Service Providers
  • Manufacturing
  • Pharmaceutical
  • Professional Service

Tools, Tactics, and Procedures used

According to the Symantec report, the threat actors are using a wide variety of tactics, publicly available tools, and procedures, and here we have mentioned below some of them:-

  • Network Reconnaissance for gathering all the data
  • Credential Theft for stealing username and password
  • RAR archiving for transferring files to a staging server before exfiltration
  • Certutil is being used for various malicious purpose
  • Adfind is a command-line tool used to perform the different query
  • CSVDE is being used to Active Directory files and data
  • Ntdsutil is a credential-dumping tool
  • WMIExec is being used for lateral movements
  • PowerShell is a command-line interface

Links to Cicada

However, the Symantec analysts have linked this activity to Cicada due to the usage of earlier seen obfuscation techniques and shellcode on loader DLLs. Moreover, the security experts have also noted all the similar traits that were present in Cicada, and here we have mentioned them below:-

  • Third-stage DLL has trading named “FuckYouAnti”
  • Third-stage DLL uses CppHostCLR method to inject and execute the .NET loader assembly
  • .NET Loader is obfuscated with ConfuserEx v1.0.0
  • The final payload is QuasarRAT – an open-source backdoor utilized by Cicada in the past

Chinese hackers are targeting the “Five Eyes”

The Chinese threat actors APT10 are targeting the Five Eyes, and the APT10 has been active since 2009, targetting government organizations and private organizations from the United States, Europe, and Japan.

This hacking group is especially known for focusing on stealing military, intelligence, and business data from all compromised targets, and currently, it has been focusing on their attacks on Japanese entities.

Nowadays, the hacking group is targetting companies and big organizations at an increasing rate. But, the security experts are still investigating the whole matter and trying to find out all the loopholes so that it will help the expert to advise the users precisely.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.