Chinese APT group targets Southeast Asian government with previously unknown backdoor


By VARINDIA - 2021-06-04
Check Point Research (CPR) warns of a new cyber espionage weapon in use by a Chinese threat group, after it identified and blocked an ongoing surveillance operation targeting a Southeast Asian government. Over three years the attackers developed a previously unknown backdoor for the Windows computers of their victims, giving them live espionage capabilities such as taking screenshots, editing files and running commands.

  • Attackers began by sending weaponized documents, impersonating other entities within the same government, to multiple members of the target government’s Ministry of Foreign Affairs
  • Attackers developed, tested and deployed a new cyber espionage weapon, specifically a Windows backdoor with the internal name “VictoryDll_x86.dll”, capable of collecting nearly any information the attackers want
  • Surveillance operation placed significant effort into avoiding detection by limiting its working hours and changing its infrastructure multiple times

Introduction

Check Point Research (CPR) has identified and blocked an ongoing surveillance operation targeting a Southeast Asian government. The attackers, believed to be a Chinese threat group, systematically sent weaponized documents that impersonated other entities within the same government to multiple members of the target government's Ministry of Foreign Affairs. CPR suspects that the purpose of the operation is espionage through the installation of a previously unknown backdoor on the Windows computers of the victims. Once the backdoor is installed, the attackers can collect nearly any information they want, take screenshots and execute additional malware on the target's computer. CPR's investigation revealed that the attackers have been testing and refining their Windows backdoor for at least the past three years.

Using email to kick off the infection chain

The campaign started with malicious documents (.docx) being sent to different employees of a government entity in Southeast Asia. The emails were spoofed to look as if they came from other government-related entities, and their attachments were weaponized copies of legitimate-looking official documents. Each used the remote template technique to pull the next stage of the malware from the attackers' server. Remote template (Word's "attached template") is a Microsoft feature that lets a document reference a template on a remote server, which Word fetches every time the user opens the document; the .docx itself therefore carries no exploit and can look clean to static scanning, while the malicious content arrives only at open time.
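A .docx that uses this technique can be spotted without opening it in Word, because the reference lives in the package relationships rather than in the document text. The Python below is an added example (not code from the CPR report): it builds a minimal .docx in memory, with a constructed relationships part and the documentation address 203.0.113.10 standing in for an attacker server, then lists every attachedTemplate relationship and flags the ones that point at an http(s) URL or UNC path. The sample documents, the placeholder URL and the local Normal.dotm path are all constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def build_docx(settings_rels_xml):
    """Construct a minimal .docx (a zip) in memory for the example. Only the
    parts this check reads are present; Word would need many more to open it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # settings.xml points at the template by relationship id ...
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                   'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        # ... and settings.xml.rels resolves that id to the actual target.
        z.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()


# Constructed samples: a remote template (203.0.113.10 is a documentation
# address used as a placeholder) and the benign local Normal.dotm case.
MALICIOUS_RELS = (f'<Relationships xmlns="{REL_NS}">'
                  f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                  'Target="http://203.0.113.10/template.dotm" TargetMode="External"/>'
                  '</Relationships>')
BENIGN_RELS = MALICIOUS_RELS.replace(
    "http://203.0.113.10/template.dotm",
    r"file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm")


def attached_templates(docx_bytes):
    """Every attachedTemplate relationship in the package as
    (relationship part, target, target mode)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE:
                    found.append((name, rel.get("Target", ""),
                                  rel.get("TargetMode", "Internal")))
    return found


def remote_templates(docx_bytes):
    """Only the templates that will be fetched over the network on open:
    external targets that are http(s) URLs or UNC paths."""
    return [t for t in attached_templates(docx_bytes)
            if t[2] == "External" and re.match(r"(?i)^(https?://|\\\\)", t[1])]


if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, "->", remote_templates(build_docx(rels)) or "no remote template")
```

A local file:/// target is what a document created from a custom template normally carries, so it is deliberately not flagged; an http(s) or UNC target means the document will reach out the moment it is opened, which is exactly the behaviour this campaign relied on. The same relationship scan extends naturally to the other external-target relationship types an Office package can carry, such as linked OLE objects.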

Figure 1: Examples of lure documents sent to the victims

Weaponizing RTF files

In this campaign the remote templates were in every case Rich Text Format (RTF) files. RTF is an interchange format that lets different word processors on different operating systems exchange documents and, importantly for attackers, it can carry embedded OLE objects. The RTF files were weaponized with a variant of a tool named RoyalRoad, which builds customized documents whose embedded objects exploit memory-corruption vulnerabilities in Equation Editor (EQNEDT32.EXE), the legacy component shipped with Microsoft Office; the best known of these is CVE-2017-11882, alongside CVE-2018-0798 and CVE-2018-0802.

Although these vulnerabilities were patched years ago (Microsoft removed Equation Editor from Office altogether in early 2018), they are still used by multiple attack groups and are especially popular with Chinese APT groups, because unpatched Office installations remain common.
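Weaponized RTFs of this kind can be triaged without rendering them, because every embedded object has to travel inside an \objdata control word as a hex-encoded OLE1 object whose header names its class. The Python below is an added example, not code from the CPR report or from the RoyalRoad tooling: it constructs a small sample RTF with two embedded objects, decodes each \objdata blob, parses the OLE1 object header to recover the class name, and flags an Equation Editor object as well as a Package object carrying a file named 8.t, the file name RoyalRoad-built documents are known to drop into %TEMP%. The sample bytes, the object contents and the paths are constructed for the example and contain no exploit.

```python
import re
import struct


def ole1_blob(class_name, native):
    """Construct an OLE1 EmbeddedObject blob for the sample. Layout (MS-OLEDS):
    OLEVersion, FormatID=2, then ClassName, TopicName and ItemName as
    length-prefixed ANSI strings, then NativeDataSize and NativeData."""
    def lp(s):
        b = s.encode("latin-1") + b"\0" if s else b""
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<II", 0x00000501, 2) + lp(class_name) + lp("") + lp("")
            + struct.pack("<I", len(native)) + native)


def _lp_string(buf, off):
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\0").decode("latin-1"), off + n


def parse_ole1(blob):
    """Parse the OLE1 object header out of a decoded \\objdata blob."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, off = _lp_string(blob, 8)
    _topic, off = _lp_string(blob, off)
    _item, off = _lp_string(blob, off)
    native = b""
    if format_id == 2:  # EmbeddedObject: NativeDataSize followed by NativeData
        (size,) = struct.unpack_from("<I", blob, off)
        native = blob[off + 4:off + 4 + size]
    return {"version": version, "format_id": format_id,
            "class": class_name, "native": native}


def rtf_objdata_blobs(rtf_text):
    """Decode every \\objdata hex run in the RTF. Real samples routinely break
    the hex across lines, so whitespace is stripped before decoding."""
    blobs = []
    for m in re.finditer(r"\\objdata\b", rtf_text):
        end = rtf_text.find("}", m.end())
        hexdata = re.sub(r"\s+", "", rtf_text[m.end():end])
        if hexdata and len(hexdata) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", hexdata):
            blobs.append(bytes.fromhex(hexdata))
    return blobs


def triage_rtf(rtf_text):
    """(class name, reasons) for each embedded object; an empty reason list
    means nothing suspicious was seen for that object."""
    results = []
    for blob in rtf_objdata_blobs(rtf_text):
        obj = parse_ole1(blob)
        reasons = []
        if obj["class"].lower().startswith("equation."):
            reasons.append("Equation Editor (EQNEDT32.EXE) object")
        if obj["class"] == "Package" and b"8.t\0" in obj["native"]:
            reasons.append("Package object carrying 8.t (RoyalRoad marker)")
        results.append((obj["class"], reasons))
    return results


def _wrap(hexstr, width=64):
    return "\n".join(hexstr[i:i + width] for i in range(0, len(hexstr), width))


# Constructed sample: an Equation.3 object with filler native data and a
# Package object whose native data names 8.t (the OLE Packager layout starts
# with 0x0002 followed by the label and original path as NUL-terminated
# strings). Made up for the example; not exploit bytes.
EQN_NATIVE = b"\x1c\x00\x00\x00\x02\x00" + b"\x41" * 32
PKG_NATIVE = b"\x02\x00" + b"8.t\0" + b"C:\\Users\\victim\\AppData\\Local\\Temp\\8.t\0"
SAMPLE_RTF = (
    "{\\rtf1\\ansi\n"
    "{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata\n"
    + _wrap(ole1_blob("Equation.3", EQN_NATIVE).hex()) + "}}\n"
    "{\\object\\objemb{\\*\\objdata " + _wrap(ole1_blob("Package", PKG_NATIVE).hex()) + "}}\n"
    "}"
)

if __name__ == "__main__":
    for cls, reasons in triage_rtf(SAMPLE_RTF):
        print(cls, "->", "; ".join(reasons) or "nothing flagged")
```

The class name is read from the OLE1 header rather than from \objclass because the latter is optional and attackers omit or fake it; an Equation.* object in a document received by email is itself worth an alert, since Equation Editor no longer ships with Office. Real samples add further obfuscation (hex interleaved with control words, \bin runs, deliberately malformed groups), so for production triage this parsing principle is better served by a maintained parser such as oletools' rtfobj.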

The initial documents and RTF files are only the beginning of an elaborate multi-stage infection chain, analyzed further below.

Figure 2: Diagram of the full infection chain (Note: a Dynamic Link Library (DLL) is a Windows file format that packages code and procedures for use by other programs)

Victory enters from the backdoor

At the final stage of the infection chain, the malicious loader downloads, decrypts and loads a DLL (Dynamic Link Library) directly into memory.

A backdoor is a type of malware that bypasses normal authentication to give an attacker access to a system. Once installed, it grants remote access to resources on the infected device or network, so the attacker can reach the system directly through the backdoor rather than through any legitimate login.


In this attack, the backdoor module appears to be custom-made and unique malware; its internal name is "VictoryDll_x86.dll".

The backdoor capabilities of this malware include the ability to:

  • Delete/Create/Rename/Read/Write Files and get files attributes
  • Get processes and services information
  • Get screenshots
  • Pipe read/write, used to run commands through cmd.exe and return their output
  • Create/Terminate Process
  • Get TCP/UDP tables
  • Get CDROM drives data
  • Get registry keys info
  • Get titles of all top-level windows
  • Get victim's computer information - computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number) and type of user
  • Shutdown PC

Attribution

CPR attributes the ongoing surveillance operation, with medium-to-high confidence, to a Chinese threat group, based on the following artifacts and indicators:

  • The command and control (C&C) servers responded only between 01:00 and 08:00 UTC, which CPR believes corresponds to working hours in the attackers' country; that alone narrows the range of possible origins.
  • The C&C servers returned no payload at all, even during those working hours, between May 1st and May 5th, the Labor Day holiday period in China.
  • Some test versions of the backdoor contained an internet connectivity check against www.baidu.com, a leading Chinese website.
  • The RoyalRoad RTF exploit kit used to weaponize the documents is associated mostly with Chinese APT groups.
  • Some test versions of the backdoor from 2018 were uploaded to VirusTotal from China.

None of these indicators is conclusive on its own (a working-hours window fits several neighbouring time zones, and a proxy or sandbox can shift the apparent country of a VirusTotal submission), which is why the attribution rests on their combination.
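The working-hours and holiday indicators above are simple to reproduce from a C2 activity log. The Python below is an added example, not analysis code from CPR: it builds a constructed log of payload responses (made-up timestamps shaped like the pattern the report describes), derives the active UTC hours, lists the whole-hour UTC offsets for which those hours fall inside a 09:00 to 17:00 local workday, and reports the days in a given range on which the server stayed silent. The timestamps, the 09:00 to 17:00 workday and the 5% activity threshold are all assumptions of the example.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone


def _constructed_sample():
    """Constructed C2 activity log (not data from the CPR report): one payload
    response per hour from 01:00 to 07:00 UTC on every day from 2021-04-26 to
    2021-05-10, except a silent gap on 1-5 May, plus one stray response at
    14:00 UTC to show that outliers are filtered out by the share threshold."""
    stamps = []
    day = date(2021, 4, 26)
    while day <= date(2021, 5, 10):
        if not date(2021, 5, 1) <= day <= date(2021, 5, 5):
            for hour in range(1, 8):
                stamps.append(datetime(day.year, day.month, day.day, hour, 17,
                                       tzinfo=timezone.utc))
        day += timedelta(days=1)
    stamps.append(datetime(2021, 4, 28, 14, 2, tzinfo=timezone.utc))
    return sorted(stamps)


C2_RESPONSES = _constructed_sample()


def active_hours(stamps, min_share=0.05):
    """UTC hours in which at least min_share of all C2 responses occurred."""
    counts = Counter(ts.astimezone(timezone.utc).hour for ts in stamps)
    total = sum(counts.values())
    return sorted(h for h, n in counts.items() if n / total >= min_share)


def candidate_utc_offsets(hours, workday=(9, 17)):
    """Whole-hour UTC offsets for which every active hour falls inside the
    local working day [workday[0], workday[1])."""
    start, end = workday
    return [off for off in range(-12, 15)
            if all(start <= (h + off) % 24 < end for h in hours)]


def silent_days(stamps, first, last):
    """ISO dates in [first, last] (given as ISO strings) on which the C2
    returned nothing at all."""
    start, stop = date.fromisoformat(first), date.fromisoformat(last)
    seen = {ts.astimezone(timezone.utc).date() for ts in stamps}
    days = (start + timedelta(days=i) for i in range((stop - start).days + 1))
    return [d.isoformat() for d in days if d not in seen]


if __name__ == "__main__":
    hours = active_hours(C2_RESPONSES)
    print("active UTC hours:", hours)
    print("offsets consistent with a 09:00-17:00 workday:",
          ["UTC%+d" % o for o in candidate_utc_offsets(hours)])
    print("silent days:", silent_days(C2_RESPONSES, "2021-05-01", "2021-05-05"))
```

Run against the sample, this reports UTC+8 and UTC+9 as the only offsets consistent with a standard workday and May 1st to 5th as silent. The point is the method rather than the answer: a 01:00 to 08:00 UTC window on its own also fits time zones adjacent to China, which is why CPR stacks it with the baidu.com check, the RoyalRoad lineage and the VirusTotal submissions before committing to an attribution.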

Conclusion

All the evidence points to a highly organized operation that placed significant effort into remaining under the radar. Every few weeks, the attackers sent spear-phishing emails carrying weaponized versions of government-themed documents in an attempt to gain a foothold in the target country's Ministry of Foreign Affairs. This implies that the attackers first compromised another department of the targeted state, stealing its documents and weaponizing them for use against the Ministry of Foreign Affairs. Overall, the attackers, believed to be a Chinese threat group, were very systematic in their approach.

Ultimately, CPR's investigation led to the discovery of a new Windows backdoor, in other words a new cyber espionage weapon, which the Chinese threat group has been developing since 2017. The backdoor was reworked time and again over the course of three years before it was used in the wild. It is highly intrusive and capable of collecting a vast amount of data from an infected computer. CPR learned that the attackers are interested not only in stored data but also in what is happening on the target's computer at any given moment, which amounts to live espionage. Although CPR was able to block the surveillance operation against the Southeast Asian government described here, it is possible that the threat group is using its new cyber espionage weapon on other targets around the world.

Check Point Harmony is the industry's first unified security solution for users, devices and access, and is able to block attacks such as these from the very first step. It closes the security gaps that are usually left behind by multiple point products from several different security vendors by blocking all exploit techniques across all attack vectors.

Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.

Copyright varindia.com @1999-2024 - All rights reserved.