How a New Cyber Espionage Weapon in Southeast Asian Government Got Detected

Check Point Research (CPR) warns of a new cyber espionage weapon being used by a Chinese threat group, after it identified and blocked an ongoing surveillance operation targeting a Southeast Asian government. Over the course of three years, the attackers developed a previously unknown backdoor into the Windows software running on the personal computers of its victims, enabling capabilities of live-espionage, such as screenshotting, editing files and running commands.

• Attackers began by sending weaponized documents, impersonating other entities within the same government, to multiple members of the target government’s Ministry of Foreign Affairs
• Attackers developed, tested and deployed a new cyber espionage weapon, specifically a Windows backdoor with the internal name “dll”, capable of collecting nearly any information the attackers want
• Surveillance operation placed significant effort into avoiding detection by limiting its working hours and changing its infrastructure multiple times

Introduction

Check Point Research (CPR) has identified and blocked an ongoing surveillance operation targeting a Southeast Asian government. The attackers, believed to be a Chinese threat group, systematically sent weaponized documents, that impersonated other entities within the same government, to multiple members of the target government’s Ministry of Foreign Affairs.

CPR suspects that the purpose of the operation is espionage through the installation of a previously unknown backdoor into the Windows software running on personal computers of victims. After the backdoor is installed, the attackers can collect nearly any information they want, as well as take screenshots and execute additional malware on a target’s personal computer. CPR’s investigation revealed that the attackers have been testing and refining its Windows backdoor tool for at least the past three years.

Using email to kick off the infection chain

The campaign started with malicious documents (.docx) being sent to different employees of a government entity in Southeast Asia. These emails were spoofed to look like they were sent from other government-related entities. The attachments of these emails were weaponized copies of legitimate-looking official documents and used the remote template technique to pull the next stage malware from the attacker’s server including a malicious code. Remote template is a feature by Microsoft that allows one to pull a template for the document from a remote server whenever the user open the document.

Weaponizing RTF files

In this campaign, the remote templates in all the cases were Rich Text Format (RTF) files, which lets users exchange text files between different word processors in different operating systems. The RTF files were weaponized using the variant of a tool named RoyalRoad, which allowed the attacker to create customized documents with embedded objects that exploit the Equation Editor vulnerabilities of Microsoft Word.

Despite the fact that these vulnerabilities are a few years old, they are still used by multiple attack groups, and are especially popular with Chinese APT groups.

The initial documents and RTF files are just the very start of an elaborated multi-stage infection-chain, which are further analyzed below.

Victory enters from the backdoor

At the final stage of the infection chain, the malicious loader should download, decrypt and load a DLL (Dynamic Link Library) file into memory.

In this attack, the backdoor module appears to be a custom-made and unique malware with the internal name “VictoryDll_x86.dll”.

The backdoor capabilities of this malware include the ability to:

• Delete/Create/Rename/Read/Write Files and get files attributes
• Get processes and services information
• Get screenshots
• Pipe Read/Write – run commands through cmd.exe
• Create/Terminate Process
• Get TCP/UDP tables
• Get CDROM drives data
• Get registry keys info
• Get titles of all top-level windows
• Get victim’s computer information – computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number) and type of user
• Shutdown PC

Attribution

CPR attributes, with medium-to-high confidence, the ongoing surveillance operation to a Chinese threat group, based on the following artifacts and indicators:

• The command and control (C&C) servers were communicative only between 01:00 – 08:00 UTC, which we believe are the working hours in the attackers’ country, therefore the range of possible origins of this attack is limited.
• The C&C servers did not return any payload (even during working hours), specifically during the period between May 1st and May 5th – Labor Day holidays in China.
• Some test versions of the backdoor contained internet connectivity check with baidu.com – a leading Chinese web-site.
• The RoyalRoad RTF exploit kit, used to weaponize the documents in the attack, is associated mostly with Chinese APT groups.
• Some test versions of the backdoor from 2018 were uploaded to VirusTotal from China

Conclusion

All the evidence points to the fact that we are dealing with a highly organized operation that placed significant effort into remaining under the radar. Every few weeks, the attackers used spear-phishing emails, laced with weaponized versions of government-themed documents, to try to create a foothold into the Ministry of Foreign affairs of the target country. This means that the attackers first had to attack another department within the targeted state, stealing and weaponizing documents for use against the Ministry of Foreign Affairs. Overall, the attackers, who are believed to be a Chinese threat group, were very systematic in their approach.

Ultimately, CPR´s investigation led to the discovery of a new Windows backdoor, in other words a new cyber espionage weapon, which the Chinese threat group has been developing since 2017. The backdoor was formed and reformed time and time again over the course of three years, before it was used in the wild. This backdoor is far more intrusive and capable of collecting a vast amount of data from an infected computer.

CPR learned that the attackers are not only interested in cold data, but also what is happening on target’s personal computer at any moment, resulting in live espionage. Although CPR were able to block the surveillance operation for the Southeast Asian government described, it is possible that the threat group is using its new cyber espionage weapon on other targets around the world.

Check Point Harmony is the industry’s first unified security solution for users, devices and access, and has the ability to blocks attacks such as these from the very first step. It closes the security gaps that are usually left behind by multiple different point products from several different security vendors by blocking all exploit techniques across all attack vectors.