Sweet'n Sour in Poison: Case Study of Espionage Campaigns Targeting Japan

Ayako Matsuda/FireEye

In cybersecurity, it is important to understand the whole picture of an adversary's goals, but it is equally important to scrutinize their tactics, techniques, and procedures (TTPs) in order to plan a response. In this talk, I discuss APT41 and their recent attack campaigns targeting Japanese entities, take a deep dive into the malware families they used, and share insight into how we built detection for them.

In May 2018, two spear-phishing emails were sent to an East Asian manufacturing company. The emails carried a document exploiting CVE-2017-8759 (a code-injection flaw in the .NET Framework's SOAP WSDL parser) which, after successful exploitation, fetched a downloader dubbed SWEETCANDLE.

In February 2019, a spear-phishing email using a Sino-U.S. trade friction-themed lure was sent to an East Asian conglomerate. Attached to the email was a malicious RAR archive that executed the SWEETCANDLE downloader. The sample used in this campaign was a slightly modified version of the earlier one, and it attempted to download POISONPLUG, a modular backdoor with plug-in capabilities.

In June 2019, a malicious document was identified with Japanese-language content relating to an employee of a multinational electronics company based in China. The exploit document was generated by a builder associated with multiple Chinese espionage operators. This sample delivered the SOURCANDLE downloader, which retrieves and executes a second-stage payload and closely resembles SWEETCANDLE.

Particular focus is given to the SWEETCANDLE, SOURCANDLE, and POISONPLUG families, which were observed in attack campaigns attributed to APT41 in 2019. Attendees will learn practical tips for detecting and identifying these malware families with high confidence.

November 7 at 12:00 - 12:30, Stage A

Ayako Matsuda, Staff Research Scientist at FireEye
Ayako joined FireEye in 2015 as a Malware Researcher based in Tokyo. She is passionate about malware analysis and reverse engineering, especially of samples used in APT campaigns. In her day-to-day work, her global team is responsible for the detection coverage of FireEye security products, using both dynamic and static analysis methods.