Check Point researchers have uncovered a cyber-espionage operation against the government of a Southeast Asian country. They attribute it to an as yet unnamed Chinese hacking group that has spent roughly three years developing a new Windows backdoor. The backdoor lets its operators watch victims in real time: take screenshots, manipulate files and run arbitrary commands.
Attack scheme:
According to the report, the attackers sent malicious documents to the country's Ministry of Foreign Affairs while posing as employees of other government bodies of the same country. Opening a document triggered a chain of loaders that ultimately deployed the backdoor. The backdoor collected information about the infected system (for example the list of files and running programs) and gave the attackers remote access to the device.
Example of a malicious document:
A backdoor bypasses the normal authentication required to access a system. This one, which the group has been refining for about three years, is delivered as a module with the internal name VictoryDll_x86.dll and supports the following commands:
- delete, create, rename, read and write files, and read file metadata;
- enumerate processes and services;
- take screenshots;
- open a read/write pipe to cmd.exe and run commands through it (a remote shell);
- start and terminate processes;
- retrieve the TCP/UDP connection table;
- enumerate registry keys;
- list the titles of all top-level windows;
- collect host information: computer name, user name, gateway address, network adapter details, Windows version (major/minor version and build number) and user type;
- shut down the PC.
The researchers attribute the campaign to China on the basis of the following artefacts:
- the command-and-control (C&C) servers were online only between 01:00 and 08:00 UTC. The researchers read this as the operators' working hours; it corresponds to a 09:00 to 16:00 working day in the UTC+8 zone that China uses, and narrows the set of plausible regions;
- the C&C servers returned no payload, even during those hours, between 1 and 5 May, when China celebrates Labour Day;
- some test versions of the backdoor contained code that checked network connectivity by reaching out to www.baidu.com;
- the RoyalRoad RTF weaponizer used to build the malicious documents is mainly associated with Chinese APT groups;
- some test versions of the backdoor, dated 2018, were uploaded to VirusTotal from China.
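The first two artefacts above (a fixed daily activity window in UTC and a multi-day silence over a national holiday) are patterns an analyst derives from C&C telemetry rather than from the malware itself. The Python script below is an added example and is not part of Check Point's report or of the group's tooling. It runs over constructed sample timestamps that mirror the article's description, buckets server activity by UTC hour, maps the resulting window onto each whole-hour UTC offset under the assumption of a conventional 09:00 to 18:00 working day, and flags stretches of silent days.

```python
"""Temporal analysis of command-and-control (C&C) server activity.

Added example, not from the Check Point report. Input is a list of UTC
timestamps at which the C&C server served a payload. The sample data is
constructed to mirror the article: activity only 01:00-08:00 UTC and
nothing at all on 1-5 May.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def build_sample_events():
    """Constructed sample: one event per active hour, every day from
    2021-04-26 to 2021-05-07, except a silent stretch on 1-5 May."""
    events = []
    day = datetime(2021, 4, 26, tzinfo=timezone.utc)
    end = datetime(2021, 5, 8, tzinfo=timezone.utc)
    silent_from = datetime(2021, 5, 1, tzinfo=timezone.utc)
    silent_to = datetime(2021, 5, 6, tzinfo=timezone.utc)  # exclusive
    while day < end:
        if not silent_from <= day < silent_to:
            for hour in range(1, 8):  # 01:30 .. 07:30 UTC
                events.append(day.replace(hour=hour, minute=30))
        day += timedelta(days=1)
    return events


def hourly_histogram(events):
    """Number of events per UTC hour of day (0..23)."""
    return Counter(e.astimezone(timezone.utc).hour for e in events)


def active_window(hist, min_share=0.05):
    """Return (first_hour, last_hour_exclusive) of the hours carrying at
    least min_share of all events, or None if there are no events.
    Assumes activity forms one contiguous block, as in the article; a split
    window would need clustering instead."""
    total = sum(hist.values())
    if total == 0:
        return None
    active = sorted(h for h, n in hist.items() if n / total >= min_share)
    return active[0], active[-1] + 1


def candidate_offsets(window, work_start=9, work_end=18):
    """Whole-hour UTC offsets for which the UTC window fits inside a local
    working day [work_start, work_end). The 09:00-18:00 day is an
    assumption about the operators, not something telemetry proves."""
    start, end = window
    length = end - start
    hits = []
    for offset in range(-12, 15):
        local_start = (start + offset) % 24
        if work_start <= local_start and local_start + length <= work_end:
            hits.append(offset)
    return hits


def silent_days(events, min_run=2):
    """Runs of at least min_run consecutive UTC dates with no events,
    bounded by the first and last observed event, as ISO date strings."""
    if not events:
        return []
    dates = {e.astimezone(timezone.utc).date() for e in events}
    runs, run = [], []
    day = min(dates)
    while day <= max(dates):
        if day in dates:
            if len(run) >= min_run:
                runs.append((run[0].isoformat(), run[-1].isoformat()))
            run = []
        else:
            run.append(day)
        day += timedelta(days=1)
    if len(run) >= min_run:
        runs.append((run[0].isoformat(), run[-1].isoformat()))
    return runs


if __name__ == "__main__":
    evts = build_sample_events()
    window = active_window(hourly_histogram(evts))
    print("events:", len(evts))
    print("active UTC window:", window)
    print("UTC offsets with a 09:00-18:00 working day:", candidate_offsets(window))
    print("silent stretches:", silent_days(evts))
```

On the constructed data the window comes out as 01:00 to 08:00 UTC, which fits a 09:00 to 18:00 working day only for offsets UTC+8, UTC+9 and UTC+10, and the only silent stretch is 1 to 5 May. Real telemetry is noisier (scanner hits, retries, server outages), so in practice the threshold in active_window and the minimum run length in silent_days need tuning against a baseline, and the offset list is a constraint on the operators' location, not proof of it.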
“All indications are that we are dealing with a highly organized group that has gone to great lengths to remain undetected,” said Lotem Finkelsteen, Head of Threat Intelligence at Check Point Software. “Every few weeks, the attackers sent out phishing emails with malicious attachments of supposedly government documents in order to try to penetrate the Foreign Ministry network of the country in question. This means that attackers first had to attack another department of the same state, stealing documents (and adding a malicious load to them) for later use.
Cybercriminals (we believe that this is a Chinese group) acted in a very systematic manner. Our investigation ultimately led to the discovery of a new Windows backdoor, a cyber espionage weapon that Chinese hackers have been developing since 2017. The backdoor was refined for three years before being used in real life. It is very corrosive and capable of collecting a huge amount of data from an infected computer. We learned that attackers are interested not only in data, but also in what happens on the victim’s PC at any time; this is real-time espionage. We were able to block this particular operation, but it is possible that this group is using new weapons for other attacks around the world.”