A new backdoor used in ongoing cyber espionage campaigns has been linked to Chinese hackers. According to Check Point Research (CPR), the backdoor has been designed, developed and tested over the last three years in order to breach the systems of the Ministry of Foreign Affairs of a Southeast Asian government.
The Windows-based infection chain started with phishing emails spoofed to appear as if they came from other ministries of the same government, in which staff members were targeted with "weaponised", official-looking documents sent via email. If victims open the files, they pull remote .RTF templates that were weaponised with a version of Royal Road, an RTF weaponizer. The tool exploits a set of vulnerabilities (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802) in the Microsoft Word Equation Editor.
CPR reported that Royal Road is especially popular with Chinese APT groups. The RTF document contains shellcode and an encrypted payload designed to create a scheduled task and to run timing-based anti-sandboxing checks, as well as a downloader for the final backdoor.
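The lure documents described above pull a remote template when opened. As an added example (not code from the CPR report or the article), the following check inspects a .docx for an external attachedTemplate relationship, which is one way such a remote pull is configured; it assumes the lures are .docx files, and the host names in the constructed samples are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses for an attached template (word/_rels/settings.xml.rels).
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_PART = "word/_rels/settings.xml.rels"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_remote_templates(docx_bytes):
    """Return the external attachedTemplate targets in a .docx (empty if none).
    A non-empty result means opening the file makes Word fetch a template
    from the listed location, e.g. a weaponised .RTF hosted remotely."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return []
        root = ET.fromstring(z.read(RELS_PART))
    hits = []
    for rel in root.iter():
        if rel.tag.rsplit("}", 1)[-1] != "Relationship":
            continue  # match on the local element name, ignoring the namespace
        if (rel.get("Type") == ATTACHED_TEMPLATE
                and rel.get("TargetMode") == "External"):
            hits.append(rel.get("Target", ""))
    return hits


def build_docx(rels_xml):
    """Build a minimal .docx in memory (constructed test sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed sample: template pulled from a remote host (placeholder host name).
REMOTE_DOC = build_docx(
    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
    'Target="http://template-host.invalid/t.rtf" TargetMode="External"/>'
    '</Relationships>' % (RELS_NS, ATTACHED_TEMPLATE))
# Constructed sample: benign local template reference, so nothing is fetched.
LOCAL_DOC = build_docx(
    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
    'Target="file:///C:/Templates/Normal.dotm"/></Relationships>'
    % (RELS_NS, ATTACHED_TEMPLATE))
```

Run `find_remote_templates()` over attachments at the mail gateway or in a sandbox; any returned target is worth blocking or detonating before the file reaches a user.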
The backdoor, named VictoryDll_x86.dll, has various functions suited to espionage and to sending data to the C2 server.
These include reading, writing and deleting files, harvesting operating system information, taking screenshots, creating or terminating processes, obtaining top-level window titles, and shutting the machine down.
In addition, the backdoor connects to a C2 server to transfer the stolen data, and this server can also be used to execute additional malware payloads. The first-stage C2s are hosted in Hong Kong and Malaysia, while the backdoor's C2 server is hosted by a US provider.
CPR attributes the backdoor to Chinese hackers because of its limited working hours (1:00 p.m. to 8:00 a.m. UTC), the use of Royal Road, and trial versions of the backdoor uploaded to VirusTotal in 2018 that contain connectivity checks to Baidu's web address.
Lotem Finkelsteen, head of threat intelligence at CPR, said: "We learned that the attackers are not only interested in cold data, but also in what is happening at any time on a target computer, resulting in live espionage. While we have been able to prevent the surveillance operation in the government of Southeast Asia, it is possible that the threat group will use its new cyber-weapon for other purposes around the world."
Source of information: zdnet.com