UPPERCUT

Malware updated 4 months ago (2024-05-04T18:42:23.886Z)
Uppercut is a backdoor used by APT10, a Chinese cyber espionage group that FireEye has tracked since 2009. The group has a history of targeting Japanese entities and was implicated in a recent campaign of spear-phishing emails carrying malicious documents. Disguised as government recommendations, invitations to lectures, or news articles, these documents led to the installation of the Uppercut backdoor on victims' systems.

The malware evolved significantly over time, with updates potentially released every few months between December 2017 and May 2018. In its more recent iterations, Uppercut substantially changed how it initializes the Blowfish encryption key, making it harder for analysts to detect and decrypt the malware's network communications. Earlier versions used the hardcoded string "this is the encrypt key" as the Blowfish key when communicating with the Command and Control (C2) server. In the latest version, a distinct key is hardcoded for each C2 address, and the MD5 hash of the C2 address is computed at runtime to select which key to use.

The latest Uppercut sample also adds the ability to send an error code in the Cookie header when it fails to receive an HTTP response from the C2 server. In addition, the exported function names, which were predictable in earlier versions, are now randomized, adding another layer of complexity for analysts attempting to understand and mitigate the threat. This continual evolution of Uppercut demonstrates the increasing sophistication of APT10 and underscores the importance of robust cybersecurity measures.
Description last updated: 2023-11-17T00:19:06.360Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the UPPERCUT malware was read from the documents listed below.
- CERT-EU (10 months ago): Cisco's Cybersecurity Shopping Spree (Part 2)
- MITRE (2 years ago): APT10 Targets Japanese Corporations Using Updated TTPs