What's the story?

HOGFISH, more commonly known as APT10, is an espionage threat group that has been heavily targeting Japan and Western organizations since as early as 2009.The malware used in this campaign uncovered by iDefense analysts, is the latest iteration of RedLeaves: a capable RAT that allows the threat group to perform the following actions on a compromised machine:

  • Take screenshots
  • Gather browser usernames and passwords
  • Gather extended system information
  • Send, receive, and execute commands from the C2 server

This report contains a full overview of a recent HOGFISH campaign targeting organizations in Japan, and taunting tactics used on other intelligence analysts, researchers and responders.

Download threat analysis technical report [PDF].

What does it mean?

Despite the recent high profile disclosure in the Operation Cloud Hopper by the National Cyber Security Centre (NCSC) and others, HOGFISH remains a highly active and innovative threat group. Hogfish does not shy away from targets around the world, but does have a particular interest on Japan. Stolen data and proprietary information is likely to be transformed by the threat group into actionable intelligence for the group’s sponsors.

What can you do?

To effectively mitigate against threats posed by this particular HOGFISH campaign, security teams should look for and block access to the following C2 domains and IP addresses:

  • firefoxcomt.arkouowi[.]com
  • update.arkouowi[.]com
  • friendlysupport.giize[.]com
  • algorithm.ddnsgeek[.]com
  • 149.36.63[.]65m
  • 83.136.106[.]108

For threat hunting, it is also useful to examine the content of the following folders and look out for anomalous data:

  • %temp%\AYRUNSC.exe
  • %temp%\PTL.AYM%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\GppiTEMms.lnk
  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\EaahLDRej.lnk
  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\BnorTEPkh.lnk
  • A mutex named jH10689DS, 2N6541mb, or rV6880B9.

Hashes (SHA-256):

d956e2ff1b22ccee2c5d9819128103d4c31ecefde3ce463a6dea19ecaaf418a1 5504e04083d6146a67cb0d671d8ad5885315062c9ee08a62e40e264c2d5eab91 f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d

 

Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.  Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks

Joshua Ray

Managing Director – Accenture Security

Subscribe to Accenture's Cyber Defense Blog Subscribe to Accenture's Cyber Defense Blog