Chinese cyber saboteurs target South-East Asian government with backdoor: Check Point
Digital Edge Bureau, 03 Jun 2021
In a new development, Check Point Research (CPR) warns of a new cyber espionage weapon being used by a Chinese threat group, after it identified and blocked an ongoing surveillance operation targeting a South-East Asian government. Over the course of three years, the attackers developed a previously unknown backdoor into the Windows software running on the personal computers of its victims, enabling live espionage capabilities such as taking screenshots, editing files and running commands.
The attackers, believed to be a Chinese threat group, systematically sent weaponized documents that impersonated other entities within the same government to multiple members of the target government’s Ministry of Foreign Affairs. CPR suspects that the purpose of the operation is espionage through the installation of a previously unknown backdoor into the Windows software running on the personal computers of victims. Once the backdoor is installed, the attackers can collect nearly any information they want, as well as take screenshots and execute additional malware on a target’s personal computer. The investigation conducted by CPR has revealed that the attackers have been testing and refining their Windows backdoor tool for at least the past three years.
Using e-mail to kick off the infection chain
The campaign started with malicious documents (.docx) being sent to different employees of a government entity in South-East Asia. These e-mails were spoofed to look like they were sent from other government-related entities. The attachments were weaponized copies of legitimate-looking official documents and used the remote template technique to pull the next-stage payload, containing malicious code, from the attacker’s server. Remote template is a Microsoft Word feature that allows a document to pull its template from a remote server whenever the user opens the document.
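The remote template reference lives inside the .docx package itself: word/settings.xml carries a w:attachedTemplate element whose relationship id resolves, in word/_rels/settings.xml.rels, to a Relationship of type attachedTemplate with TargetMode="External". The following Python triage script is an added example for this article, not Check Point code and not taken from the campaign; it builds a minimal constructed .docx in memory (the template URL is a placeholder) and reports any external template target a defender would want to review before the document is opened.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace and the relationship type Word uses for the
# attached (remote or local) template.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_PATH = "word/_rels/settings.xml.rels"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_remote_templates(docx_bytes):
    """Return the external attachedTemplate targets declared in a .docx.

    Word resolves w:attachedTemplate in word/settings.xml through the
    relationships file; a TargetMode="External" relationship pointing at a
    URL or UNC path is the marker of the remote template technique.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return findings  # no settings relationships at all
        root = ET.fromstring(zf.read(RELS_PATH))
        for rel in root.iter(REL_NS + "Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode") == "External":
                findings.append(rel.get("Target", ""))
    return findings


def build_sample_docx(template_target=None):
    """Build a minimal .docx in memory.

    Constructed sample for this example only; with template_target set it
    mimics a document that loads its template from a remote server.
    """
    settings = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
        + ('<w:attachedTemplate r:id="rId1"/>' if template_target else "")
        + "</w:settings>"
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS[1:-1]}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.'
                    'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    f'<?xml version="1.0"?><w:document xmlns:w="{W_NS}">'
                    "<w:body><w:p/></w:body></w:document>")
        zf.writestr("word/settings.xml", settings)
        if template_target:
            zf.writestr(RELS_PATH, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder hostname; no real infrastructure is referenced.
    sample = build_sample_docx("http://template-server.example.invalid/official.rtf")
    print("remote templates:", find_remote_templates(sample))
    print("benign document:", find_remote_templates(build_sample_docx()))
```

A mail gateway or sandbox can run the same check on attachments: a .docx from an external sender whose template resolves to an http, https or UNC target is worth holding for review, since legitimate templates are almost always local or on a known internal share.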
Weaponizing RTF files
In this campaign, the remote templates were in all cases Rich Text Format (RTF) files, a format that lets users exchange text files between different word processors on different operating systems. The RTF files were weaponized using a variant of a tool named RoyalRoad, which allowed the attacker to create customized documents with embedded objects that exploit the Equation Editor vulnerabilities of Microsoft Word. Despite the fact that these vulnerabilities are a few years old, they are still used by multiple attack groups, and are especially popular with Chinese APT groups. The initial documents and RTF files are just the very start of an elaborate multi-stage infection chain, which is described below.
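An RTF file is plain text, so embedded OLE objects are visible as \object groups that carry the object's class name in a \*\objclass control word and its payload as hex in \*\objdata. The script below is an added example written for this article, not Check Point's or RoyalRoad-derived code; it flags RTF files whose embedded objects name Equation Editor and notes whether \objupdate (which makes the object load as soon as the document opens) is present. The sample RTF is constructed here with a truncated objdata block and is not taken from the campaign.

```python
import re

# Control words of interest: the embedded object's class name and the flag
# that asks Word to update (load) the object automatically on open.
OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9_.]+)", re.IGNORECASE)
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")


def find_equation_objects(rtf_bytes):
    """Return the class names of embedded objects that reference Equation Editor."""
    hits = []
    for match in OBJCLASS_RE.finditer(rtf_bytes):
        name = match.group(1).decode("ascii", "replace")
        if "equation" in name.lower():
            hits.append(name)
    return hits


def triage_rtf(rtf_bytes):
    """Summarise the Equation Editor indicators a triage analyst would want."""
    equation_objects = find_equation_objects(rtf_bytes)
    return {
        "equation_objects": equation_objects,
        "objupdate": bool(OBJUPDATE_RE.search(rtf_bytes)),
        "suspicious": bool(equation_objects),
    }


# Constructed sample: one embedded Equation.3 object with \objupdate set.
# The objdata hex is a stub (an OLE1 header fragment naming "Equation.3"),
# not a real exploit payload.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}\n"
    b"\\pard Quarterly budget note.\\par\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b0000004571756174696f6e2e330000}}\n"
    b"}"
)
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Plain memo.\\par}"

if __name__ == "__main__":
    print("sample:", triage_rtf(SAMPLE_RTF))
    print("benign:", triage_rtf(BENIGN_RTF))
```

This is a first-pass heuristic, not a parser: RTF tolerates whitespace and control-word padding, so weaponizer output may need the objclass text normalised before matching, and a file with no \objclass hit still deserves a full RTF/OLE parse if it arrived as a remote template from an unknown server.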
Victory enters from the backdoor
At the final stage of the infection chain, the malicious loader downloads, decrypts and loads a DLL (Dynamic Link Library) file into memory. A backdoor is a type of malware that bypasses normal authentication procedures to access a system. As a result, remote access is granted to resources within the infected device or network, giving a remote attacker the ability to access the system directly through the backdoor. In this attack, the backdoor module appears to be a custom-made and unique malware with the internal name “VictoryDll_x86.dll”.