Welcome to the Future of Cyber Security. Providing solutions across...
Check Point Research (CPR) warns of a new cyber espionage weapon being used by a Chinese threat group, after it identified and blocked an ongoing surveillance operation targeting a Southeast Asian government. Over the course of three years, the attackers developed a previously unknown backdoor into the Windows software running on the personal computers of its victims, enabling capabilities of live-espionage, such as screenshotting, editing files and running commands.
Check Point Research (CPR) has identified and blocked an ongoing surveillance operation targeting a Southeast Asian government. The attackers, believed to be a Chinese threat group, systematically sent weaponized documents, that impersonated other entities within the same government, to multiple members of the target government’s Ministry of Foreign Affairs.
CPR suspects that the purpose of the operation is espionage through the installation of a previously unknown backdoor into the Windows software running on personal computers of victims. After the backdoor is installed, the attackers can collect nearly any information they want, as well as take screenshots and execute additional malware on a target’s personal computer. CPR’s investigation revealed that the attackers have been testing and refining its Windows backdoor tool for at least the past three years.
The campaign started with malicious documents (.docx) being sent to different employees of a government entity in Southeast Asia. These emails were spoofed to look like they were sent from other government-related entities. The attachments of these emails were weaponized copies of legitimate-looking official documents and used the remote template technique to pull the next stage malware from the attacker’s server including a malicious code. Remote template is a feature by Microsoft that allows one to pull a template for the document from a remote server whenever the user open the document.
In this campaign, the remote templates in all the cases were Rich Text Format (RTF) files, which lets users exchange text files between different word processors in different operating systems. The RTF files were weaponized using the variant of a tool named RoyalRoad, which allowed the attacker to create customized documents with embedded objects that exploit the Equation Editor vulnerabilities of Microsoft Word.
Despite the fact that these vulnerabilities are a few years old, they are still used by multiple attack groups, and are especially popular with Chinese APT groups.
The initial documents and RTF files are just the very start of an elaborated multi-stage infection-chain, which are further analyzed below.
At the final stage of the infection chain, the malicious loader should download, decrypt and load a DLL (Dynamic Link Library) file into memory.
In this attack, the backdoor module appears to be a custom-made and unique malware with the internal name “VictoryDll_x86.dll”.
The backdoor capabilities of this malware include the ability to:
CPR attributes, with medium-to-high confidence, the ongoing surveillance operation to a Chinese threat group, based on the following artifacts and indicators:
All the evidence points to the fact that we are dealing with a highly organized operation that placed significant effort into remaining under the radar. Every few weeks, the attackers used spear-phishing emails, laced with weaponized versions of government-themed documents, to try to create a foothold into the Ministry of Foreign affairs of the target country. This means that the attackers first had to attack another department within the targeted state, stealing and weaponizing documents for use against the Ministry of Foreign Affairs. Overall, the attackers, who are believed to be a Chinese threat group, were very systematic in their approach.
Ultimately, CPR´s investigation led to the discovery of a new Windows backdoor, in other words a new cyber espionage weapon, which the Chinese threat group has been developing since 2017. The backdoor was formed and reformed time and time again over the course of three years, before it was used in the wild. This backdoor is far more intrusive and capable of collecting a vast amount of data from an infected computer.
CPR learned that the attackers are not only interested in cold data, but also what is happening on target’s personal computer at any moment, resulting in live espionage. Although CPR were able to block the surveillance operation for the Southeast Asian government described, it is possible that the threat group is using its new cyber espionage weapon on other targets around the world.