An advanced persistent threat (APT) group is leveraging the coronavirus pandemic to infect victims with a previously unknown malware, in a recently discovered campaign that researchers call “Vicious Panda.”
Researchers identified two suspicious Rich Text Format files (RTF — a text file format used by Microsoft products) targeting the Mongolian public sector. Once opened, a custom and unique remote-access trojan (RAT) is executed that takes screenshots of the device, enumerates files and directories, downloads files and more.
“In this campaign, we observed the latest iteration of what seems to be a long-running Chinese-based operation against a variety of governments and organizations worldwide,” said researchers with Check Point Research, in a Thursday post. “This specific campaign leverages the COVID-19 pandemic to lure victims to trigger the infection chain.”
The emails purport to be from the Mongolian Ministry of Foreign Affairs, and claim to inform victims about the prevalence of new coronavirus infections. The RTF files attached to the email were actually weaponized using a version of a tool named RoyalRoad. This tool, commonly used by various Chinese threat actors, allows the attacker to create customized documents with embedded objects that exploit unspecified vulnerabilities in Equation Editor, a component for building complex equations in Microsoft Word.
After the victim opens the specially crafted RTF document, and the Microsoft Word vulnerability is exploited, a malicious file (intel.wll) is dropped into the Microsoft Word startup folder (%APPDATA%\Microsoft\Word\STARTUP).
“This not only serves as a persistence technique, but also prevents the infection chain from fully ‘detonating’ if run inside a sandbox, as a relaunch of Microsoft Word is required for the full execution of the malware,” said researchers.
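The Word STARTUP folder is empty on a default install, so a quick audit of that folder is one practical way for defenders to spot this persistence mechanism. The script below is an added example written for this article, not code from Check Point or from the campaign; it resolves %APPDATA%\Microsoft\Word\STARTUP for the current user, classifies every file there (a .wll is a native add-in DLL that Word loads into its own process on the next launch; .dot/.dotm global templates also auto-load), and prints a SHA-256 for triage. The file name intel.wll comes from the article; the classification labels and the inclusion of template extensions are assumptions made for breadth.

```python
import hashlib
import os
from pathlib import Path

# Extensions Word loads automatically from its STARTUP folder.
# .wll is the add-in DLL format used by the dropped intel.wll;
# .dot/.dotm are global templates (assumption: listed for triage breadth).
WLL_EXTENSION = ".wll"
TEMPLATE_EXTENSIONS = {".dot", ".dotm"}


def classify(name: str) -> str:
    """Label a STARTUP entry: 'wll' (native add-in DLL), 'autoload'
    (global template), or 'other' (not loaded by Word, still worth a look)."""
    ext = Path(name).suffix.lower()
    if ext == WLL_EXTENSION:
        return "wll"
    if ext in TEMPLATE_EXTENSIONS:
        return "autoload"
    return "other"


def triage(names: list[str]) -> dict[str, list[str]]:
    """Group file names by classification, preserving input order."""
    groups: dict[str, list[str]] = {"wll": [], "autoload": [], "other": []}
    for name in names:
        groups[classify(name)].append(name)
    return groups


def default_word_startup_dir() -> Path:
    """Resolve %APPDATA%\\Microsoft\\Word\\STARTUP for the current user (Windows only)."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        raise RuntimeError("APPDATA is not set; run this in a Windows user session")
    return Path(appdata) / "Microsoft" / "Word" / "STARTUP"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large add-ins do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_word_startup(startup_dir: Path) -> list[dict]:
    """Return one record per regular file in startup_dir, sorted by name.
    A missing folder yields an empty list rather than an error."""
    if not startup_dir.is_dir():
        return []
    records = []
    for entry in sorted(startup_dir.iterdir()):
        if entry.is_file():
            records.append({
                "name": entry.name,
                "label": classify(entry.name),
                "size": entry.stat().st_size,
                "sha256": sha256_of(entry),
            })
    return records


if __name__ == "__main__":
    folder = default_word_startup_dir()
    records = audit_word_startup(folder)
    if not records:
        print(f"{folder}: empty (expected on a clean install)")
    for rec in records:
        flag = "ALERT" if rec["label"] == "wll" else rec["label"]
        print(f"{flag:8} {rec['name']:30} {rec['size']:>9} {rec['sha256']}")
```

Run it under the user account in question; a .wll in this folder is reported as an ALERT and its hash can be checked against the indicators published with the research. Because the folder is user-specific, an enterprise sweep would run the audit per profile rather than once per host.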
The file, intel.wll, then downloads a DLL file, which serves as the loader for the malware, and which also communicates with the threat actor’s command-and-control (C2) server.
“The threat actor operates the C&C server in a limited daily window, going online only for a few hours each day, making it harder to analyze and gain access to the advanced parts of the infection chain,” said researchers. “At the final stage of the infection chain, after the appropriate command is received, the malicious loader downloads and decrypts a RAT module, also in the form of a DLL file, and loads it into memory. This plug-in like architecture might hint at the existence of other modules, in addition to the payload we received.”
When looking at attribution, researchers compared the campaign to one from 2017 where threat actors were targeting the government of Belarus using the CMSTAR trojan. Researchers said they found infrastructure and code similarities in the payload between the two campaigns.
“A closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016,” they said. “Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia and Belarus.”