New fileless Chinese malware infecting organizations in Europe, Asia, and North America

A hacking group allegedly sponsored by the Chinese state is targeting organizations around the world in an espionage campaign that has been active for at least half a year. Cicada, also known as APT10, has targeted government entities, religious institutions and non-governmental organizations (NGOs) in countries across Asia, Europe and North America.

The group first drew attention several years ago, when it was found attacking multiple companies in Japan. That activity was attributed to Chinese threat actors after a custom loader and malware built specifically by this APT group were identified.

The latest Cicada campaign appears to have started in mid-2021 and continued at least until February 2022, according to cybersecurity specialists at Symantec.

In most cases, the first signs of malicious activity on victim networks appear on Microsoft Exchange servers, which suggests that a known Exchange vulnerability was exploited to gain initial access. For defenders, the practical check is whether internet-facing Exchange servers are fully patched and whether their logs show exploitation attempts during the campaign window. After gaining a foothold, the attackers deploy additional tooling, including a custom loader and the Sodamaster backdoor.

Sodamaster is a backdoor developed by Cicada and, as far as is known, used only by this group. It is fileless, running in memory rather than from a file on disk, and supports several functions: detecting sandbox environments, enumerating the compromised host, inspecting running processes, and downloading and executing additional malware. Alongside it, the attackers rely on other tools, including:

  • RAR archiving tools, used to compress and encrypt sensitive data before it is exfiltrated
  • System and network discovery tools, used to map which systems and services are reachable from a compromised machine
  • WMIExec, an open-source command-line tool (part of the Impacket toolkit, not a Microsoft-supplied utility) that executes commands on remote Windows hosts over Windows Management Instrumentation
  • NBTScan, an open-source NetBIOS name scanner used for internal reconnaissance of a compromised network
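The tools listed above leave recognizable traces in process-creation telemetry. The following detector is an added example written for this article; it is not code from Symantec, from the article's author, or from the campaign itself. It runs over a handful of constructed, Sysmon-style process-creation events (parent image, image, command line) and flags three behaviours: a shell spawned by WmiPrvSE.exe (how WMI-based remote execution lands on the target), the default wmiexec output redirection to an ADMIN$ share, a RAR invocation using the -hp switch (which encrypts both file data and archive headers), and an nbtscan run. All event data, paths and the numeric values in the sample command lines are made up for illustration.

```python
import re
from typing import Dict, List

# Constructed sample events (not real telemetry). Each mimics a Sysmon
# Event ID 1 record reduced to the three fields the rules need.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # wmiexec-style remote command: WmiPrvSE.exe spawns cmd.exe and
        # redirects output into the ADMIN$ share via the loopback address
        "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1645012345.67 2>&1",
    },
    {   # staging data for exfiltration in a header-encrypted RAR archive
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Tools\rar.exe",
        "cmdline": r"rar.exe a -hpSecretPass -r C:\Users\Public\out.rar C:\Finance",
    },
    {   # internal NetBIOS reconnaissance
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Temp\nbtscan.exe",
        "cmdline": r"nbtscan.exe -r 10.0.0.0/24",
    },
    {   # benign: an interactive user listing a directory
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmd.exe /c dir C:\Users",
    },
]

# Default wmiexec command template: "cmd.exe /Q /c <cmd> 1> \\127.0.0.1\<share>\__<time> 2>&1"
WMIEXEC_OUTPUT_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+\s+2>&1",
    re.IGNORECASE,
)
# "-hp<password>" encrypts file data and archive headers (file names included),
# whereas "-p" encrypts data only; either is worth flagging on a server.
RAR_ENCRYPTED_RE = re.compile(r"\brar(?:\.exe)?\b.*\s-hp\S*", re.IGNORECASE)
NBTSCAN_RE = re.compile(r"\bnbtscan(?:\.exe)?\b", re.IGNORECASE)
SHELLS = ("cmd.exe", "powershell.exe")


def basename(path: str) -> str:
    """Return the final path component, handling Windows separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of rule names that match one process-creation event."""
    findings: List[str] = []
    parent, image, cmdline = event["parent"], event["image"], event["cmdline"]

    # Rule 1: any shell launched by the WMI provider host. This fires even
    # when an attacker changes wmiexec's share name or uses -nooutput.
    if basename(parent) == "wmiprvse.exe" and basename(image) in SHELLS:
        findings.append("wmiprvse_spawned_shell")

    # Rule 2: the stock wmiexec output-redirect pattern (higher confidence).
    if WMIEXEC_OUTPUT_RE.search(cmdline):
        findings.append("wmiexec_output_redirect")

    # Rule 3: RAR invoked with header encryption (data staging for exfil).
    if RAR_ENCRYPTED_RE.search(cmdline):
        findings.append("rar_encrypted_archive")

    # Rule 4: NBTScan execution (internal NetBIOS reconnaissance).
    if NBTSCAN_RE.search(cmdline):
        findings.append("nbtscan_recon")

    return findings


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run all rules over a list of events and keep only those with findings."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append({"cmdline": event["cmdline"], "findings": hits})
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(", ".join(hit["findings"]), "<-", hit["cmdline"])
```

The two WMI rules are deliberately layered: the redirect pattern is a high-confidence match for an unmodified wmiexec, but it is trivially altered by the operator, so the broader "WmiPrvSE.exe spawned a shell" rule is the one to keep even if it needs tuning for legitimate management software in a given environment.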

As mentioned above, this campaign appears to be directed primarily at government-related organizations and NGOs, particularly those active in education and religion. There were also victims in the telecommunications, legal and pharmaceutical sectors.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.