APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
Show in Graph
Image Description
Common Information
Type Value
UUID f7e75c49-b91b-4d0d-8acc-1c971e3199d6
Fingerprint 9e88059c015aadbef92a1fbe6df22aeca2f95cc23afddcd4cee2a5a19c98eeff
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 6, 2019, 12:21 p.m.
Added to db March 10, 2024, 12:50 a.m.
Last updated Aug. 30, 2024, 10:34 p.m.
Headline APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
Title APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
Detected Hints/Tags/Attributes 351/4/169
Source URLs
Redirection Url
Details Source http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
Details Source https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
URL Provider
Details Provider Source level domain
Details recordedfuture.com go.recordedfuture.com
Attributes
Details Type #Events CTI Value
Details Autonomous System Number 1 
AS32181
Details Autonomous System Number 2 
AS36351
Details Domain 546 
www.recordedfuture.com
Details Domain 111 
www.justice.gov
Details Domain 1 
vpnconsumer.com
Details Domain 1 
tailoreddeploy.host
Details Domain 1 
www.miphomanager.com
Details Domain 145 
www.us-cert.gov
Details Domain 71 
blogs.jpcert.or.jp
Details Domain 9 
internet.bs
Details Domain 5 
cyber-berkut.org
Details Domain 3 
ns-canada.topdns.com
Details Domain 2 
ns-uk.topdns.com
Details Domain 2 
ns-usa.topdns.com
Details Domain 14 
content.dropboxapi.com
Details Domain 98 
www.ncsc.gov.uk
Details Domain 1 
www.llpsearch.com
Details Domain 9 
sam.save
Details Domain 1 
hemas.microsoft.com
Details File 4 
pd.exe
Details File 9 
x.bat
Details File 61 
1.bat
Details File 2 
cu.exe
Details File 1 
ss.rar
Details File 18 
r.exe
Details File 26 
gup.exe
Details File 35 
libcurl.dll
Details File 8 
unins000.exe
Details File 1 
castsp.exe
Details File 89 
version.dll
Details File 20 
host.exe
Details File 1 
tailoreddeploy.exe
Details File 69 
vcruntime140.dll
Details File 1 
selfdestruction.cpp
Details File 1 
mysocket.cpp
Details File 1 
commmanager.cpp
Details File 1 
common.cpp
Details File 30 
main.cpp
Details File 2 
manager.cpp
Details File 1 
servicemanager.cpp
Details File 1 
tcpcomm.cpp
Details File 1 
udpcomm.cpp
Details File 1 
source-rat.html
Details File 3 
unpack200.exe
Details File 1 
kkk.rar
Details File 4 
pp.rar
Details File 1 
dds.rar
Details File 1 
gggg.rar
Details File 2 
ccseupdt.exe
Details File 42 
msvcr100.dll
Details File 96 
rar.exe
Details File 93 
curl.exe
Details File 9 
iisstart.aspx
Details File 4 
coinst.exe
Details File 24 
c.exe
Details File 1 
v2_0.pdf
Details File 1 
casrtsp.exe
Details File 30 
at.exe
Details File 4 
c.bat
Details File 6 
lg.exe
Details File 11 
ps.exe
Details File 1 
dd.dmp
Details File 21 
ns.exe
Details md5 1 
d8e37f07fdc9827871f0f959519275e1
Details md5 1 
f5322b2f18605674b9a0c1757de5fd94
Details md5 1 
6807be8466955bafffa568b6da0e785c
Details md5 1 
1e3a57cff7cba8732364c26f4bbdcbe2
Details md5 1 
5739c1f17503e21e56667d53ea823401
Details md5 1 
C8ea12ee884f274ca35fa54a073df130
Details md5 1 
8f07160febdb240909b27aa519bba575
Details md5 1 
c326c208bc65e6309413d8e699062a39
Details md5 1 
0df4d1c641594cfb0df9e8869fa35db8
Details md5 1 
1c6aa1b4dfcf6a901b9a00dc3fbbd5a9
Details md5 1 
fb922430eca89767438043450c56afcf
Details md5 1 
8c4dc1fd8c5de32c5f78cf7b057b0119
Details md5 2 
e8e59b44613b5af58688809f8cb6dfa8
Details md5 1 
8998D76981C6006B994D6C13D0781EDB
Details md5 1 
bbd3c23b9f3451b2c96df24441c76359
Details md5 1 
926ac3b9e79042520b69075417a4c157
Details md5 1 
e4c0adce9258da655bef089ab0b697b0
Details md5 1 
C43F640BBB78CE5032ED15AFB3A9B868
Details md5 1 
ee6a293893724c8d719ca00aa45d72d6
Details sha1 1 
7c5b35bd14c0633b8d544b5f19c435d0b05c0e1f
Details sha1 2 
2e84fd87150a002df98233093f2842337c594604
Details sha1 1 
ce878facca3698a129e0633a93e8a9dc4105fe98
Details sha1 1 
781069228a9271531cc3fe6b1ba7a5f75db486b6
Details sha1 1 
85377f8815f433a3f2a2028ba3d6d2a908b400a4
Details sha1 1 
b5dd2dfe09a18e5e97fe0e3d0f8002882c8d056f
Details sha1 1 
0c44c5c7cfa9f8e90fd851a68f343f0143a6896e
Details sha256 1 
42b5eb1f77a25ad73202d3be14e1833ef0502b0b6ae7ab54f5d4b5c2283429c6
Details sha256 1 
f6e0f076e27391a6e6eb23f23f77c2ff078488875113df388640aca8bf4dd64b
Details sha256 1 
10182f0e64b765db989c158402c76eb1e0e862cab407f7c5cec133d8e5cb73e3
Details sha256 1 
fc6a130504b54fa72cfc104c656fe2cd92d7998f42ca064e22167e1d402a1514
Details sha256 1 
e6280de09f9adf79212409529eb25c0c2ea73e33a50281e22228a3db3998eecb
Details sha256 1 
eed0c7f7d36e75382c83e945a8b00abf01d3762b973c952dec05ceccb34b487d
Details sha256 1 
ad116485f9184c85fd28331edae629c41fc39ec5123f41b15f6507b139a883c1
Details sha256 1 
c77535e19e5655f6ef72de3b2318e580095ca396c4383287cf8b5d4896235756
Details sha256 1 
bfeb6efee4891de135431091079e659631376953a46065f7e44335df10d16425
Details sha256 1 
5c5618e680bc45654dd55f161f195afbac98a7e111e4ef536ed811656582168d
Details sha256 1 
465c4e72580f62a340e0555afc857a79ad8b9d86de228efe3627f26690cc45f7
Details sha256 1 
243d47fc2a24b391e1153d5c7807c6e5de51aba65fc79465d7b3e5c64d5fac41
Details IPv4 1 
104.237.86.0
Details IPv4 1 
45.56.155.0
Details IPv4 1 
45.62.52.0
Details IPv4 1 
173.239.198.0
Details IPv4 1 
173.254.236.158
Details IPv4 1 
104.237.86.157
Details IPv4 1 
104.237.86.183
Details IPv4 1 
173.239.198.167
Details IPv4 1 
45.56.155.117
Details IPv4 1 
45.56.155.143
Details IPv4 1 
45.56.155.147
Details IPv4 1 
45.62.52.42
Details IPv4 1 
45.62.52.7
Details IPv4 1 
45.76.30.127
Details IPv4 1 
98.159.233.0
Details IPv4 1 
45.56.149.0
Details IPv4 1 
173.244.55.0
Details IPv4 1 
104.238.45.0
Details IPv4 1 
85.203.23.0
Details IPv4 1 
45.56.148.0
Details IPv4 1 
173.239.199.0
Details IPv4 1 
104.238.32.0
Details IPv4 1 
46.244.28.0
Details IPv4 1 
45.56.146.0
Details IPv4 1 
104.194.220.0
Details IPv4 1 
45.56.158.0
Details IPv4 1 
45.56.143.0
Details IPv4 1 
173.239.197.0
Details IPv4 1 
104.194.218.0
Details IPv4 1 
45.56.157.0
Details IPv4 1 
45.56.142.0
Details IPv4 1 
173.239.195.0
Details IPv4 1 
104.194.203.0
Details IPv4 1 
45.56.156.0
Details IPv4 1 
45.56.141.0
Details IPv4 1 
157.97.121.0
Details IPv4 1 
104.143.95.0
Details IPv4 1 
45.56.140.0
Details IPv4 1 
104.37.31.0
Details IPv4 1 
104.143.92.0
Details IPv4 1 
45.56.154.0
Details IPv4 1 
45.56.136.0
Details IPv4 1 
104.37.30.0
Details IPv4 1 
104.143.84.0
Details IPv4 1 
45.56.153.0
Details IPv4 1 
45.41.147.0
Details IPv4 1 
104.238.62.0
Details IPv4 1 
45.56.152.0
Details IPv4 1 
45.41.145.0
Details IPv4 1 
104.238.59.0
Details IPv4 1 
45.56.151.0
Details IPv4 1 
45.41.144.0
Details IPv4 1 
104.238.58.0
Details IPv4 1 
45.56.150.0
Details IPv4 1 
185.198.240.0
Details IPv4 1 
104.238.51.0
Details Threat Actor Identifier - APT 278 
APT10
Details Threat Actor Identifier - APT 78 
APT3
Details Threat Actor Identifier - APT 783 
APT28
Details Url 2 
https://www.us-cert.gov/ncas/alerts/ta17-117a
Details Url 2 
https://www.carbonblack
Details Url 1 
https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-
Details Url 1 
https://www.us-cert.gov/apts-targeting-
Details Url 3 
https://www.us-cert.gov/ncas/alerts/ta18-276b
Details Url 1 
https://www.ncsc.gov.uk/content/files/protected_files/article_files/apt10%20alert%20
Details Yara rule 1 
rule YARA_CN_APT10_Trochilus_RC4Salsa20_decrypted_payload {
	meta:
		description = "Rule to identify Trochilus variant configured with RC4+Salsa20 encrypted C2 comms used by APT10 in 2018"
		author = "Insikt Group, Recorded Future"
		tlp = "white"
		date = "2019-01-10"
		hash1 = "42b5eb1f77a25ad73202d3be14e1833ef0502b0b6ae7ab54f5d4b5c2283429c6"
	strings:
		$s1 = "NASDKJF7832Hnkjsadf878UHds89iujkhNHKJDHJDH8UIYE98uihwjshewde8w"
		$s2 = "www.miphomanager.com"
		$s3 = { 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 }
		$s4 = { 65 06 06 67 06 08 69 06 0A 6B 06 0C }
	condition:
		(uint16(0) == 0x5a4d and filesize < 1000KB and (2 of them))
}
Details Yara rule 1 
import "pe"

rule YARA_CN_APT10_Trochilus_vcruntime140_dll_injector {
	meta:
		description = "Malicious DLL vcruntime140.dll launched using benign CASTSP.exe to inject encrypted shellcode containing 
Trochilus payload"
		author = "Insikt Group, Recorded Future"
		tlp = "white"
		date = "2019-01-16"
		hash1 = "eed0c7f7d36e75382c83e945a8b00abf01d3762b973c952dec05ceccb34b487d"
	strings:
		$s1 = "vcruntime140.dll" ascii fullword
		$s2 = "AppPolicyGetProcessTerminationMethod" ascii fullword
		$s3 = "CASTSP.exe" ascii fullword
		$s4 = "operator co_await" ascii fullword
		$s5 = "api-ms-win-appmodel-runtime-l1-1-2" wide fullword
		$s6 = "<!<(<3<=<E<" ascii fullword
		$s7 = "RUTLFJPBTJSFZZAOJTYP" ascii fullword
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and (pe.imphash() == "c326c208bc65e6309413d8e699062a39" or all of them)
}
Details Yara rule 1 
import "pe"

rule YARA_CN_APT10_Trochilus_version_dll_injector {
	meta:
		description = "Malicious DLL version.dll launched using benign CASTSP.exe to inject encrypted shellcode containing 
Trochilus payload"
		author = "Insikt Group, Recorded Future"
		tlp = "white"
		date = "2019-01-16"
		hash1 = "10182f0e64b765db989c158402c76eb1e0e862cab407f7c5cec133d8e5cb73e3"
	strings:
		$s1 = "AppPolicyGetProcessTerminationMethod" ascii fullword
		$s2 = "CASTSP.exe" ascii fullword
		$s3 = "(p!xLq {Lp Lq h*r!iLq h*t!`Lq h*u!tLq G+y!~Lq G+u!xLq G+q!zLq G+s!zLq Rich{Lq " ascii fullword
		$s4 = "operator co_await" ascii fullword
		$s5 = "api-ms-win-appmodel-runtime-l1-1-2" wide fullword
		$s6 = "CZYSOYKPOIKKZGUFOIUI" ascii fullword
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and (pe.imphash() == "0df4d1c641594cfb0df9e8869fa35db8" or all of them)
}