Researchers have uncovered an ongoing surveillance operation that targets a Southeast Asian government using a previously unknown espionage malware.
Researchers said the malware has been under development for at least 3 years.
According to Check Point Research, the attack uses spear-phishing emails carrying malicious Word documents to gain initial access, combined with the exploitation of older, known Microsoft Office vulnerabilities. Most notable, the researchers said, is the novel backdoor, which they assess has been in development by a Chinese APT for at least three years.
E-mails are Spoofed
The documents were “sent to different employees of a govt. entity in SE Asia,” according to the Check Point analysis.
“In some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponised copies of legitimate-looking official documents and use the remote template technique to pull the next stage from the attacker’s server.”
According to the analysis, the malicious documents download a template from various URLs; these templates are .RTF files built with the Royal Road weaponiser, also known as the 8.t Dropper/RTF exploit builder.
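The remote template technique works through an external `attachedTemplate` relationship inside the Word package, which is also the trace a defender can scan for. The following Python scanner is an added example and is not part of Check Point's analysis or tooling: it constructs a minimal .docx in memory purely as test input (the URL `http://template.example/next.rtf` is an invented placeholder) and reports any `attachedTemplate` relationship whose target lies outside the package.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces defined by the Open Packaging Conventions / WordprocessingML standards.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def build_sample_docx(template_target=None):
    """Construct a minimal .docx in memory as scanner test input (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        if template_target is not None:
            # settings.xml.rels is where Word records the attached template.
            z.writestr("word/_rels/settings.xml.rels",
                       f"<Relationships xmlns='{REL_NS}'>"
                       f"<Relationship Id='rId1' Type='{ATTACHED_TEMPLATE}' "
                       f"Target='{template_target}' TargetMode='External'/>"
                       "</Relationships>")
    return buf.getvalue()


def remote_templates(docx_bytes):
    """Return the external attachedTemplate targets found in any .rels part of the package."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # Internal templates have no TargetMode; external ones are the remote-template case.
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    targets.append(rel.get("Target"))
    return targets


if __name__ == "__main__":
    clean = build_sample_docx()
    suspicious = build_sample_docx("http://template.example/next.rtf")  # placeholder URL
    print("clean document:", remote_templates(clean))
    print("remote-template document:", remote_templates(suspicious))
```

The scanner deliberately keys on `TargetMode='External'` rather than on an `http` prefix, because Word also honours UNC and other non-HTTP targets; any external template reference in mail-borne documents is worth inspecting regardless of scheme.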
Royal Road is a tool that researchers have said is part of the arsenal of several Chinese APTs, such as Tick, Tonto Team and TA428; it generates weaponised RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).
The Royal Road-generated RTF document contains an encrypted payload and shellcode, according to the analysis.
“To decrypt the payload from the package, the attacker uses the RC4 algorithm with the key 123456, and the resulting DLL file is saved as 5.t in the %Temp% folder,” researchers explained. “The shellcode is also responsible for the persistence mechanism – it creates the scheduled task named Windows Update that should run the exported function StartW from 5.t with rundll32.exe, once a day.”
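The persistence step quoted above leaves a recognisable trace for defenders: a scheduled task whose action is rundll32.exe loading a module from %Temp% with a non-.dll extension, registered under a name that mimics a Windows component. The Python below is an added example, not Check Point's code, that applies those three checks to constructed task-creation records. The record field names are illustrative rather than Microsoft's event schema, and all paths and task names are made up apart from the `5.t`, `StartW` and `Windows Update` details quoted in the article.

```python
import ntpath
import re

# Constructed task-creation records (field names are illustrative, not the Windows 4698
# event schema). Only the second record reflects the details quoted in the article.
SAMPLE_TASK_EVENTS = [
    {"task_name": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "command": "C:\\Windows\\System32\\usoclient.exe", "args": "StartScan"},
    {"task_name": "\\Windows Update",
     "command": "C:\\Windows\\System32\\rundll32.exe",
     "args": "C:\\Users\\alice\\AppData\\Local\\Temp\\5.t,StartW"},
    {"task_name": "\\Adobe Acrobat Update Task",
     "command": "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe", "args": ""},
    {"task_name": "\\OneDrive Reporting",
     "command": "C:\\Windows\\System32\\rundll32.exe",
     "args": "C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
]

# User-writable temp locations that legitimate scheduled tasks rarely load code from.
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# rundll32 command line shape: <module path>,<export name> [arguments]
RUNDLL32_ARGS_RE = re.compile(r'^\s*"?([^",]+?)"?\s*,\s*(\w+)')
# Genuine Windows maintenance tasks live under this task folder.
SYSTEM_TASK_FOLDER = "\\microsoft\\windows\\"


def check_task_name(event):
    """Flag names that mimic a Windows component but sit outside the Microsoft task folder."""
    name = event["task_name"].lower()
    if "windows update" in name and not name.startswith(SYSTEM_TASK_FOLDER):
        return ["task name mimics a Windows component outside \\Microsoft\\Windows"]
    return []


def check_rundll32_action(event):
    """Flag rundll32 actions loading a module from a temp directory or with a non-.dll extension."""
    if not event["command"].lower().endswith("rundll32.exe"):
        return []
    match = RUNDLL32_ARGS_RE.match(event["args"])
    if not match:
        return []
    module, export = match.group(1), match.group(2)
    reasons = []
    if TEMP_DIR_RE.search(module):
        reasons.append(f"rundll32 loads {ntpath.basename(module)} from a temp directory")
    ext = ntpath.splitext(module)[1].lower()
    if ext != ".dll":
        reasons.append(f"module extension {ext!r} is not .dll (export {export})")
    return reasons


def find_suspicious_tasks(events):
    """Return (task name, reasons) for every record that trips at least one check."""
    findings = []
    for event in events:
        reasons = check_task_name(event) + check_rundll32_action(event)
        if reasons:
            findings.append((event["task_name"], reasons))
    return findings


if __name__ == "__main__":
    for task, reasons in find_suspicious_tasks(SAMPLE_TASK_EVENTS):
        print(task)
        for reason in reasons:
            print("  -", reason)
```

The shell32.dll record shows why the checks are combined rather than alerting on rundll32 alone: rundll32 is used legitimately all the time, but a module in a temp folder with an odd extension, scheduled under a borrowed Microsoft name, is the combination that matches the behaviour described here.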
The .DLL gathers data on the victim’s computer, including the OS name and version, username, MAC addresses of network adapters and antivirus information. All of the data is encrypted and then sent to the attackers’ command-and-control (C2) server via an HTTP GET request. A multi-stage chain then eventually results in the installation of the backdoor module, called “Victory,” which “appears to be a custom and unique malware,” according to Check Point.
The malware is built to steal information and provide consistent access to the victim. Check Point researchers said it can take screenshots; manipulate files (including creating, deleting, renaming and reading them); gather information on the top-level windows that are open; and shut down the computer.
Interestingly, the malware appears to be related to previously developed tools.
“Searching for files similar to the final backdoor in the wild, we encountered a set of files that were submitted to VirusTotal in 2018,” according to the analysis. “The files were named by the author as MClient and appear to be part of a project internally called SharpM, according to their PDB paths.
Compilation timestamps also show a similar timeframe between July 2017 and June 2018, and upon examination of the files, they were found to be older test versions of our VictoryDll backdoor and its loaders chain.”
The specific implementation of the main backdoor functionality is identical, and the connection method has the same format, the firm explained. MClient’s connection XOR key and VictoryDll’s initial XOR key are also the same.
However, there are differences between the two in terms of architecture, functionality and naming conventions. For instance, MClient features a keylogger, which is absent from Victory. Victory’s exported function is named Main Thread, while in all versions of the MClient variant the export function was named ‘Get CPUID’, according to Check Point.
“Overall, we can see that in these 3 years, most of the functionality of MClient and AutoStartup_DLL was preserved and split between multiple components – probably to complicate the analysis and decrease the detection rates at each stage,” the firm said. “We may also assume that there exist other modules based on the code from 2018 that might be installed by the attacker in the later stages of the attack.”
Attribution of Campaign
Check Point has attributed the campaign to a Chinese APT. One of the clues is that the first-stage C2 servers are hosted by two different cloud services, located in Hong Kong and Malaysia.
These are active only in a limited daily window, returning payloads from 01:00 to 08:00 UTC, Monday through Friday, which corresponds to the Chinese workday. Check Point also noted that the servers went dormant between May 1 and 5, which coincides with China’s Labour Day holidays.
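The working-hours reasoning above can be reproduced from response telemetry. The Python below is an added example, not part of Check Point's report: given a constructed list of probe timestamps and whether the staging server returned a payload, it derives the active UTC hours and weekdays, lists which whole-hour UTC offsets would place that window inside a 09:00–18:00 local working day, and flags weekdays on which the server stayed silent. The sample values are invented to mirror the window described in the article and are not real observations; note that several offsets fit the window, which is why the researchers treat timing as corroborating evidence alongside the other clues rather than as proof on its own.

```python
from datetime import datetime, timezone

# Constructed sample telemetry: (UTC timestamp, payload served?). Invented values chosen to
# mirror the 01:00-08:00 UTC, Monday-to-Friday pattern described in the article.
SAMPLE_OBSERVATIONS = [
    ("2021-04-26T01:15:00", True),  ("2021-04-26T07:40:00", True),
    ("2021-04-26T12:00:00", False), ("2021-04-27T03:05:00", True),
    ("2021-04-27T22:30:00", False), ("2021-04-28T05:50:00", True),
    ("2021-04-28T09:10:00", False), ("2021-04-29T02:20:00", True),
    ("2021-04-30T06:45:00", True),  ("2021-05-01T04:00:00", False),  # Saturday
    ("2021-05-02T03:00:00", False),                                  # Sunday
    ("2021-05-03T02:00:00", False), ("2021-05-04T03:30:00", False),  # silent weekdays
    ("2021-05-05T05:00:00", False), ("2021-05-06T02:30:00", True),
]


def parse_utc(ts):
    """Parse an ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def active_window_utc(observations):
    """(first hour, last hour, sorted weekdays) over probes that received a payload; 0 = Monday."""
    served = [parse_utc(ts) for ts, ok in observations if ok]
    hours = [d.hour for d in served]
    return min(hours), max(hours), sorted({d.weekday() for d in served})


def candidate_offsets(first_hour, last_hour, work_start=9, work_end=18):
    """Whole-hour UTC offsets that map the active window inside a local working day."""
    fits = []
    for off in range(-12, 15):
        lo, hi = (first_hour + off) % 24, (last_hour + off) % 24
        if work_start <= lo <= hi < work_end:
            fits.append(off)
    return fits


def silent_weekdays(observations):
    """Weekdays (ISO dates) on which the server was probed but never returned a payload."""
    by_day = {}
    for ts, ok in observations:
        d = parse_utc(ts)
        if d.weekday() < 5:
            by_day.setdefault(d.date(), []).append(ok)
    return sorted(day.isoformat() for day, oks in by_day.items() if not any(oks))


if __name__ == "__main__":
    first, last, days = active_window_utc(SAMPLE_OBSERVATIONS)
    print(f"payloads served {first:02d}:00-{last:02d}:59 UTC on weekdays {days}")
    print("UTC offsets consistent with a local working day:", candidate_offsets(first, last))
    print("weekdays with no payload served:", silent_weekdays(SAMPLE_OBSERVATIONS))
```

On the constructed data the window maps onto a local working day for UTC+8 through UTC+10, and the three silent weekdays line up with a public holiday in the candidate region, which is the shape of argument the report makes.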
Exploit Building Kit
In addition, the Royal Road RTF exploit-building kit is a tool of choice among Chinese APT groups, and some test versions of the backdoor contained an internet connectivity check against www.baidu.com, a popular Chinese website.
“We unveiled the latest activity of what seems to be a long-running Chinese operation that managed to stay under the radar for more than 3 years,” Check Point concluded. “In this campaign, the attackers utilised the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor.”