POTASSIUM APT10 campaigns

POTASSIUM, the activity group also known as APT 10, Stone Panda, Cloud Hopper, Red Apollo, or menuPass, has been reported to be responsible for global intrusion campaigns from 2006 to as recently as 2018. These campaigns aimed to steal intellectual property and confidential business information from defense contractors and government agencies in the United States. The group was also observed launching attacks against a diverse set of other verticals, including communications, energy, space, and aviation.

Notably, the group targeted managed service providers (MSPs) with presence in Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, United Arab Emirates, and the United Kingdom. Compromising MSPs provided POTASSIUM a launchpad for infiltrating organizations whose IT infrastructures and/or end-user systems are managed by these MSPs.

Known to initially compromise targets via spear-phishing emails that deliver malicious payloads in the form of remote access trojans (RATs), the group steals administrator credentials to move laterally across target systems, maintain persistence, and exfiltrate high-value information. The malicious payloads typically used by POTASSIUM include three main RATs: REDLEAVES, UPPERCUT, and CHCHES.

On December 17, 2018, the US government indicted two members of POTASSIUM. On January 2, 2019, the Federal Bureau of Investigation shared indicators of compromise (IOCs) to aid in customer protection. Using these IOCs, which the security community further corroborated, along with Microsoft’s own IOCs and telemetry, we have put in place enhanced detection mechanisms that can help guard against possible attacks coming from this group.

Analysis

The spear-phishing emails used by POTASSIUM carried document attachments embedded with malicious VBA macro code that, if enabled, ultimately delivers a remote access tool or RAT implant.

In one of the more recent POTASSIUM campaigns that Microsoft observed and analyzed, the group used a document with a Japanese file name 2018年度(平成30年度)税制改正について.doc, which roughly translates to About the 2018 fiscal year (FY2003) tax system revision.doc.

(Figure: POTASSIUM spear-phishing document)

In POTASSIUM campaigns that use the REDLEAVES RAT, the macro drops an encrypted file, which it decrypts using the legitimate tool certutil.exe, to install the backdoor RAT package.

Campaigns that deploy the UPPERCUT implant also make use of VBA macro-laden documents, for example one with the file name グテマラ大使講演会案内状.doc, which roughly translates to Ambassador Gutemara lecture invitation letter.doc. The malicious macro code downloads Privacy Enhanced Mail (PEM) text files. These files are decoded by certutil.exe to produce the UPPERCUT RAT installation package.
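Both the REDLEAVES and UPPERCUT chains described above share two observable behaviours: an Office application spawning a child process, and certutil.exe being used to decode (or fetch) a file. The following is an added example, not code from the original report or from Microsoft, showing how a detection over process-creation events (Sysmon Event ID 1 style fields: parent image, image, command line) can flag both patterns. The event records and the `ProcessEvent` class are constructed for the example.

```python
# Added example: flag the certutil.exe decode pattern and Office-spawned child
# processes over constructed process-creation events. Not from the original report.
from dataclasses import dataclass

# Office binaries whose child processes are worth alerting on
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# certutil switches that turn a text file back into a binary (-decode, -decodehex)
# or pull a file from a URL (-urlcache); legitimate admin use of these is rare
CERTUTIL_ABUSE_SWITCHES = {"-decode", "-decodehex", "-urlcache"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed for this example)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def certutil_decode(event: ProcessEvent) -> bool:
    """True when certutil.exe runs with a decode/download switch."""
    if basename(event.image) != "certutil.exe":
        return False
    tokens = {t.lower() for t in event.command_line.split()}
    return bool(tokens & CERTUTIL_ABUSE_SWITCHES)


def office_child_process(event: ProcessEvent) -> bool:
    """True when the parent process is an Office application."""
    return basename(event.parent_image) in OFFICE_PROCESSES


def classify(event: ProcessEvent) -> list:
    """Return the list of detection names that apply to one event."""
    findings = []
    if certutil_decode(event):
        findings.append("certutil_decode")
    if office_child_process(event):
        findings.append("office_child_process")
    return findings


def scan(events) -> list:
    """Return (image, findings) pairs for every event that triggers a detection."""
    results = []
    for event in events:
        findings = classify(event)
        if findings:
            results.append((basename(event.image), findings))
    return results


# Constructed sample events: one macro-driven decode, one benign certutil use,
# one Office-spawned cmd.exe, and one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\Windows\System32\certutil.exe",
        r"certutil.exe -decode C:\Users\u\AppData\Local\Temp\a.pem C:\Users\u\AppData\Local\Temp\a.exe",
    ),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\certutil.exe",
        r"certutil.exe -verify C:\certs\corp-root.cer",
    ),
    ProcessEvent(
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c start C:\Users\u\AppData\Local\Temp\a.exe",
    ),
    ProcessEvent(
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\wuauclt.exe",
        r"wuauclt.exe /detectnow",
    ),
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

The two checks are deliberately independent so each can be tuned on its own: `office_child_process` is noisy in environments with legitimate Office add-ins and belongs in audit mode first, while `certutil_decode` is narrow enough to alert on directly.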

The CHCHES RAT is also reportedly delivered via spear-phishing emails. The malware masquerades as a Word document or Windows shortcut file and is known to use expired or revoked digital certificates, such as the one shown below.

(Figure: digital certificate used by the CHCHES RAT)

The REDLEAVES and UPPERCUT RAT packages are composed of an .exe file, a .dll file, and an encrypted .dat file. Executing the .exe file side-loads the DLL component, which launches and decodes the shellcode in the .dat file. This series of actions runs the main REDLEAVES or UPPERCUT DLL implant in memory.

The RATs used by the POTASSIUM group include the following backdoor functionalities:

  • Collecting system information like hostnames and OS versions
  • File search, deletion, creation, and/or download
  • Screenshot capture
  • Data compression, encryption, and exfiltration

POTASSIUM has been observed using gathered legitimate credentials to move laterally to target systems.

Indicators

Files (SHA-1)
Malicious document attachment
  • cbab73cef417e6f2b5e7952371a6e351f23e7d48 (drops REDLEAVES)
  • 91e49748350109db301f71a5027a0ed8bae1cd5b (drops UPPERCUT)
REDLEAVES implants
  • bd4110fdaa3c99c09ad4883085ddd62b6f9f9bd7
  • 61df36789f7d2314c79a41be512300d7c84131bb
  • 9188923fcfca6bda9e13ec2efeb3b4ccc5f560cc
  • 082783ab5273983ab69812ff32efd5eee3613e02
  • ec0f0b9f2b26a43e55230e8993f38a66b6d617e9
  • e61c9a07348c2c2e61df28dc8d53f9a1c47dd1da
  • 6de6cfa2f2f9d4d2a322b25e4e14ef44a8ddeaf0
  • 2f977b9b2b30613bf91794ef70db833a20ad30b0
  • 7345672adfecdaeb9598222adc1a3d641ec3627c
  • 7caa78f93a284543f2b4cd0c8e03e49b60178181
  • 0697b52eab540e0dca4c3c66c56c193567d3e2a2
  • 086eb4086d74084deb9b5d374264712a86243c9c
  • 4c071a2e45030d5b28a54e1c84f5bc7fe71e8dc5
CHCHES implants
  • df8f49a3fdf8a9d550b22d65d21a8006ff593ac4
  • 56d6c3ffa4f3d5ae742f937fae85f0995814cf90
  • 741e955a9e458a70b5c085b3bfba800fdfb4ccde
  • a7d0b38bda630c927820380d311ddc70a9606407
  • de5af856804974ba3df03928fff03447e8f4c9c2
  • 16d0795e4864f67acbb1ae2ce76eb16445dae4b5
  • 16a046d2557cc6377d713e21f14f1ebea7128419
  • 95ab56ab1f0d4f010569ead7915fbc833a36cd73
  • a91669bb4dcb713e997ddf98417730de78cb990a
  • 2c1b42e8c8acea5082275b6ea5f5c64ebaf4fa30
  • 7cace2e51e8ecc5ddb9720a8dc9e1f3596fe343b
  • 69620adf44795ee5293ce301cd3d70045e332bbf
  • 2d0ee3b718ec4e391753616853286c22be7bf521
  • 5b045d98606f000a236b1bd4ac4c9e482b3f5475
  • 01edb82de7b9666eaa5d2791a14092f2e73d2795
  • 1df29c63c917b089fe0fc099e2783c0c679892e5
  • 42d5c9c4c02e6d5c88ec0acce72327389a92f0d7
  • 56126b1c19c1121c0f5065204ef5cc4633079b98
  • 6edd9bb17a999b5f5abcf123a2701e4ea4ada9a2
  • 7cb04a4b86d998604341bc2b610a0a556830993d
  • b966657d35bba9416775d320bb87086001995bbe
  • 01d6e50b2fbba59ca22930075c1022b840c4b240
  • 009b639441ad5c1260f55afde2d5d21fc5b4f96c
  • 84bfc398487494552a2876e32dc8fb4f6f377a08
  • e8d4567f955e9bdeb13034560458b3b184efba03
  • 7fe6c8191749767254513b03da03cfbf6dd6c139
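The SHA-1 indicators above are most useful when swept against a file system or a file-hash inventory. The following is an added example, not code from the original report or from Microsoft, that loads a subset of the report's hashes (lower-cased so matching is case-insensitive, since one entry above was published with a capital letter), hashes files in chunks, and reports any match. The sample directory it scans is constructed for the example and contains no malicious content, so the sweep is expected to return no hits.

```python
# Added example: sweep a directory tree for files whose SHA-1 matches an
# indicator from the report. Not from the original report.
import hashlib
import os
import tempfile

# Subset of the SHA-1 indicators listed above, keyed lower-case
INDICATORS = {
    "cbab73cef417e6f2b5e7952371a6e351f23e7d48": "malicious document (drops REDLEAVES)",
    "91e49748350109db301f71a5027a0ed8bae1cd5b": "malicious document (drops UPPERCUT)",
    "bd4110fdaa3c99c09ad4883085ddd62b6f9f9bd7": "REDLEAVES implant",
    "61df36789f7d2314c79a41be512300d7c84131bb": "REDLEAVES implant",
    "df8f49a3fdf8a9d550b22d65d21a8006ff593ac4": "CHCHES implant",
    "e8d4567f955e9bdeb13034560458b3b184efba03": "CHCHES implant",
    "7fe6c8191749767254513b03da03cfbf6dd6c139": "CHCHES implant",
}


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def lookup(sha1_hex: str):
    """Return the indicator label for a hash, or None; case and whitespace are ignored."""
    return INDICATORS.get(sha1_hex.strip().lower())


def sweep(root: str) -> list:
    """Walk a directory tree and return (path, sha1, label) for every indicator hit."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                # unreadable or vanished file: skip rather than abort the sweep
                continue
            label = lookup(digest)
            if label is not None:
                hits.append((path, digest, label))
    return hits


def demo_sweep() -> list:
    """Build a constructed, benign directory and sweep it (expected: no hits)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
            fh.write("constructed sample file, not an indicator\n")
        os.makedirs(os.path.join(root, "sub"))
        open(os.path.join(root, "sub", "empty.bin"), "wb").close()
        return sweep(root)


if __name__ == "__main__":
    hits = demo_sweep()
    print("hits:", hits if hits else "none")
```

In practice the sweep is pointed at user profile and temporary directories first, since the macro chains described above drop their PEM files and decoded packages there; hash matching only catches the exact samples listed, so it complements rather than replaces the behavioural detections.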

Mitigations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

  • Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to limit lateral movement as well as other attack activities.
  • Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control (C&C) activity.
  • Enforce strong, randomized local administrator passwords. Use tools like LAPS.
  • Disallow macros or allow only macros from trusted locations. See the latest security baselines for Office and Office 365.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Turn on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications.

Detection details

Antivirus

Microsoft Defender ATP detects threat components as the following malware:

Shared malware and generic detections

Microsoft Defender ATP incorporates next-generation antivirus capabilities, including machine learning and behavioral detection. This can result in overlapping detections, particularly of first-seen components and polymorphic variants. The detection names are listed here for reference, but related alerts are not actively monitored.

Polymorphic variants of malicious documents used in multiple campaigns by various activity groups can be detected generically as:

Endpoint detection and response (EDR)

Alerts with the following titles in the Microsoft Defender Security Center portal can indicate threat activity on your network:

  • A malicious file was detected based on indication provided by O365
  • Malicious document detected
  • Suspicious usage of certutil.exe to decode an executable

Attack surface reduction rules

These rules can block or audit activity associated with this threat:

  • Block all Office applications from creating child processes
  • Block Office applications from creating executable content
  • Block executable content from email client and webmail
  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria