WHAT’S THE STORY?
HOGFISH, more commonly known as APT10, is an espionage threat group attributed to China that has been heavily targeting Japanese and Western organizations since as early as 2009. The malware used in this campaign, uncovered by iDefense analysts, is the latest iteration of RedLeaves: a capable RAT that allows the threat group to perform the following actions on a compromised machine:
Gather browser usernames and passwords
Gather extended system information
Send, receive, and execute commands from the C2 server
This report contains a full overview of a recent HOGFISH campaign targeting organizations in Japan, and taunting tactics used on other intelligence analysts, researchers and responders.
WHAT DOES IT MEAN?
Despite the recent high-profile disclosure of Operation Cloud Hopper by the National Cyber Security Centre (NCSC) and others, HOGFISH remains a highly active and innovative threat group. HOGFISH does not shy away from targets around the world, but it has a particular interest in Japan. Stolen data and proprietary information is likely to be transformed by the threat group into actionable intelligence for the group’s sponsors.
WHAT CAN YOU DO?
To effectively mitigate against threats posed by this particular HOGFISH campaign, security teams should look for and block access to the following C2 domains and IP addresses:
For threat hunting, it is also useful to examine the content of the following folders and look out for anomalous data:
A mutex named jH10689DS, 2N6541mb, or rV6880B9.
d956e2ff1b22ccee2c5d9819128103d4c31ecefde3ce463a6dea19ecaaf418a1 5504e04083d6146a67cb0d671d8ad5885315062c9ee08a62e40e264c2d5eab91 f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d
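As an added example (not part of the report), the following Python hunt script wraps the mutex names and file hashes listed above: it hashes every file under a directory you choose and flags matches, and on Windows it checks whether any of the three mutex names currently exists. The directory to scan and the scan of the session-local mutex namespace are assumptions; the C2 domains and addresses are not listed on this page, so they are not included.

```python
import ctypes
import hashlib
import sys
from pathlib import Path

# Mutex names and SHA-256 hashes exactly as listed in the report summary.
REDLEAVES_MUTEXES = ("jH10689DS", "2N6541mb", "rV6880B9")
REDLEAVES_SHA256 = {
    "d956e2ff1b22ccee2c5d9819128103d4c31ecefde3ce463a6dea19ecaaf418a1",
    "5504e04083d6146a67cb0d671d8ad5885315062c9ee08a62e40e264c2d5eab91",
    "f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b",
    "db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d",
}


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_files(root, known=REDLEAVES_SHA256):
    """Return [(path, sha256)] for files under root whose hash is in `known`."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_of(p)
        except OSError:  # unreadable/locked file: skip rather than abort the hunt
            continue
        if digest in known:
            hits.append((str(p), digest))
    return hits


def check_mutexes(names=REDLEAVES_MUTEXES):
    """On Windows, return the subset of `names` that exist as named mutexes
    in the caller's session namespace (assumption: RedLeaves uses no 'Global\\' prefix).
    On other platforms there is nothing to check, so an empty list is returned."""
    if sys.platform != "win32":
        return []
    SYNCHRONIZE = 0x00100000  # minimal access right needed to open an existing mutex
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    present = []
    for name in names:
        handle = k32.OpenMutexW(SYNCHRONIZE, 0, name)
        if handle:  # a handle means the mutex already exists, i.e. the RAT may be running
            k32.CloseHandle(handle)
            present.append(name)
    return present


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."  # assumption: directory to hunt in
    print("file hits:", hunt_files(scan_root))
    print("mutexes present:", check_mutexes())
```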