Operation Cloud Hopper & RedLeaves

Cloud Hopper APT10

APT10 Cloud Hopper Guide by LIFARS

Cloud Hopper is a recent campaign that has been targeting Managed Service Providers (MSPs), and the threat actor behind it is widely known within the security community as ‘APT10’. APT10, also known as menuPass team, Red Apollo, and Stone Panda, is a China-based threat actor which has been predominantly targeting MSPs as well as Japanese organizations in the last 12 months.

Cloud Hopper allowed APT10 to target MSPs and their clients globally, including in Canada, Brazil, France, Norway, Finland, Switzerland, Australia, Japan, South Korea, and India, for intellectual property and other sensitive information. Globally known MSPs have been more attractive targets because they act as a hub from which an attacker can access multiple endpoint networks. This approach, reaching many networks through only a few targets, shows a maturity in cyber espionage, and that is why it is more crucial now than ever for organizations to have a broad view of all the possible threats they face.

In this campaign, various malware payloads have been used to implant a backdoor, such as RedLeaves, a new fully developed backdoor whose activity was first recorded by Japan’s CERT in June 2016, and PlugX, a common espionage tool used by many threat actors.

In this document, you will learn:

  • What Operation Cloud Hopper is
  • What APT10 is and what it targets
  • Three parts of RedLeaves, including an Executable File (.exe), a Loader File (.dll), and an Implant ShellCode (.data)
  • How RedLeaves operates
  • Remote Administration Trojan (RAT) functions, such as: System Enumeration, Command Execution, Command Window Generation, File System Enumeration, and Network Traffic Configuration & Encryption
  • The security best practices to make sure that your systems are safe and secure

For any questions on APT10 Cloud Hopper, please contact our Threat Intelligence team, or for any advice on improving cyber defenses, please contact the LIFARS Incident Response team.

If you have any further questions, please don't hesitate to contact us.