A campaign dubbed A41APT was recently documented by Kaspersky's Securelist researchers. At its center is a sophisticated multi-layer loader, Ecipekac (also known as SigLoader, HEAVYHAND, or DESLoader). The loader is split across four files that are decrypted in stages, ending with a "fileless" payload that exists only in memory: SodaMaster, P8RAT, or FYAnti, the last of which in turn loads QuasarRAT. The campaign was first observed in 2019 and appears to have information theft as its ultimate goal, using malware families that had not previously been seen.
In the P8RAT chain listed below, Ecipekac uses policytool.exe, jli.dll, vac.dll, and pcasvc.dll: the legitimate Java utility policytool.exe side-loads jli.dll (the first loader stage), which decrypts and runs shellcode carried in vac.dll; that stage unpacks a further loader that reads pcasvc.dll and finally decrypts the payload into memory. Because jli.dll, vac.dll and pcasvc.dll are legitimate file names, a hunt should key on the hashes below and on the side-load pattern (policytool.exe loading jli.dll from an unexpected directory) rather than on the names alone.
IOCs (MD5 – file name – final payload; on the original page each hash links to opentip.kaspersky.com for more information):
Ecipekac Layer I loader (DLL)
be53764063bb1d054d78f2bf08fb90f3 – jli.dll – P8RAT
cca46fc64425364774e5d5db782ddf54 – vmtools.dll – SodaMaster
dd672da5d367fd291d936c8cc03b6467 – CCFIPC64.DLL – FYAnti loader
Encrypted Ecipekac Layer II, IV loader (shellcode)
f60f7a1736840a6149d478b23611d561 – vac.dll – P8RAT
59747955a8874ff74ce415e56d8beb9c – pcasvc.dll – P8RAT
4638220ec2c6bc1406b5725c2d35edc3 – wiaky002_CNC1755D.dll – SodaMaster
d37964a9f7f56aad9433676a6df9bd19 – c_apo_ipoib6x.dll – SodaMaster
335ce825da93ed3fdd4470634845dfea – msftedit.prf.cco – FYAnti loader
f4c4644e6d248399a12e2c75cf9e4bdf – msdtcuiu.adi.wdb – FYAnti loader
019619318e1e3a77f3071fb297b85cf3 – web_lowtrust.config.uninstall – QuasarRAT
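The following script is an added example, not code from Binary Defense or from the Securelist write-up. It turns the indicators above into two hunts that run offline: a directory sweep that MD5-hashes every file and matches it against the IOC hashes and the more distinctive file names from the list, and a check over Sysmon Event ID 7 (image load) style records for the first-stage side-load described above, policytool.exe loading jli.dll from somewhere other than a Java installation. jli.dll, vac.dll, vmtools.dll and pcasvc.dll are legitimate file names, so for those a name match is only a lead and the hash is what confirms a hit. The Java install paths, the sample files and the log records are constructed assumptions for the demo; only the hash table is taken from the page.

```python
"""Hunt helper for the Ecipekac / A41APT indicators listed above (added example,
not code from Binary Defense or Securelist; IOC table transcribed from the page,
directory contents, log records and Java paths are constructed for the demo)."""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 -> (file name, final payload), transcribed from the IOC list above.
IOC_HASHES = {
    "be53764063bb1d054d78f2bf08fb90f3": ("jli.dll", "P8RAT"),
    "cca46fc64425364774e5d5db782ddf54": ("vmtools.dll", "SodaMaster"),
    "dd672da5d367fd291d936c8cc03b6467": ("CCFIPC64.DLL", "FYAnti loader"),
    "f60f7a1736840a6149d478b23611d561": ("vac.dll", "P8RAT"),
    "59747955a8874ff74ce415e56d8beb9c": ("pcasvc.dll", "P8RAT"),
    "4638220ec2c6bc1406b5725c2d35edc3": ("wiaky002_CNC1755D.dll", "SodaMaster"),
    "d37964a9f7f56aad9433676a6df9bd19": ("c_apo_ipoib6x.dll", "SodaMaster"),
    "335ce825da93ed3fdd4470634845dfea": ("msftedit.prf.cco", "FYAnti loader"),
    "f4c4644e6d248399a12e2c75cf9e4bdf": ("msdtcuiu.adi.wdb", "FYAnti loader"),
    "019619318e1e3a77f3071fb297b85cf3": ("web_lowtrust.config.uninstall", "QuasarRAT"),
}

# Names distinctive enough to hunt on without a hash hit. jli.dll, vac.dll,
# vmtools.dll and pcasvc.dll are legitimate names and are left out to avoid
# flooding the result with benign Java / VMware / Windows files.
IOC_NAMES = {n.lower() for n in (
    "CCFIPC64.DLL", "wiaky002_CNC1755D.dll", "c_apo_ipoib6x.dll",
    "msftedit.prf.cco", "msdtcuiu.adi.wdb", "web_lowtrust.config.uninstall",
)}
NAME_REASON = "file name matches IOC list (hash differs, inspect manually)"

# Assumed locations of a genuine policytool.exe / jli.dll pair (lower-case).
JAVA_DIRS = ("\\program files\\java\\", "\\program files (x86)\\java\\")


def md5_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes=IOC_HASHES, names=IOC_NAMES):
    """Walk `root`; return (path, reason) for each file whose MD5 is in the IOC
    table or, failing that, whose name is one of the distinctive IOC names."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digest = md5_file(path)
            except OSError:  # unreadable or vanished file, skip it
                continue
            if digest in hashes:
                name, payload = hashes[digest]
                hits.append((path, "md5 %s -> %s (%s)" % (digest, name, payload)))
            elif fn.lower() in names:
                hits.append((path, NAME_REASON))
    return hits


def is_suspicious_sideload(record):
    """Sysmon Event ID 7 style record (Image = loading process, ImageLoaded =
    module). Flags policytool.exe loading jli.dll from outside a Java directory,
    the first-stage side-load used by Ecipekac."""
    image = record["Image"].lower()
    loaded = record["ImageLoaded"].lower()
    if not image.endswith("\\policytool.exe") or not loaded.endswith("\\jli.dll"):
        return False
    return not any(d in loaded for d in JAVA_DIRS)


# Constructed records, not real telemetry.
SAMPLE_LOADS = [
    {"Image": r"C:\Program Files\Java\jdk1.8.0_281\bin\policytool.exe",
     "ImageLoaded": r"C:\Program Files\Java\jdk1.8.0_281\bin\jli.dll"},
    {"Image": r"C:\ProgramData\policytool.exe",
     "ImageLoaded": r"C:\ProgramData\jli.dll"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
]


def suspicious_loads(records=SAMPLE_LOADS):
    return [r for r in records if is_suspicious_sideload(r)]


def demo(with_hash_hit=False):
    """Scan a throwaway directory of constructed files. With with_hash_hit the
    demo plants one file and registers its own MD5 in a copy of the table, so
    the hash path is exercised without a real sample."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "c_apo_ipoib6x.dll").write_bytes(b"constructed, not the real sample")
        Path(tmp, "notes.txt").write_bytes(b"harmless")
        table = dict(IOC_HASHES)
        if with_hash_hit:
            planted = Path(tmp, "stage.bin")
            planted.write_bytes(b"constructed stage")
            table[md5_file(planted)] = ("stage.bin", "demo")
        return sorted(scan_tree(tmp, hashes=table))


if __name__ == "__main__":
    for path, why in demo(with_hash_hit=True):
        print(path, "|", why)
    for r in suspicious_loads():
        print("suspicious side-load:", r["Image"], "->", r["ImageLoaded"])
```

Point scan_tree at a mounted image or a suspect host's ProgramData and temp directories, and feed is_suspicious_sideload the image-load events from your SIEM; a name-only hit on one of the distinctive file names is worth pulling the file for a hash check even when the MD5 differs, since the hashes above cover only the samples Kaspersky reported.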
Domains and IPs
A strong EDR product can help catch these behaviors and indicators of compromise, isolate affected hosts, and alert security operations center personnel so that the threat can be mitigated. Binary Defense Systems offers Managed Detection and Response (MDR), SIEM monitoring, Counter Intelligence, and a Threat Hunting team as additional lines of defense against campaigns such as A41APT. When dealing with an advanced persistent threat, it is often necessary to bring in additional skill sets, because attacks against an enterprise can result in theft of intellectual property and breaches of customer privacy.