An ongoing surveillance operation has been uncovered that targets a Southeast Asian government, researchers said – using a previously unknown espionage malware.
According to Check Point Research, the attack involves spear-phishing emails with malicious Word documents to gain initial access, along with the exploitation of older, known Microsoft Office security vulnerabilities. But most notable, researchers said, is the novel backdoor, which they said has been in development by a Chinese APT for at least three years.
The documents were “sent to different employees of a government entity in Southeast Asia,” according to the Check Point analysis. “In some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponized copies of legitimate looking official documents and use the remote template technique to pull the next stage from the attacker’s server.”
The malicious documents download a template from various URLs, according to the analysis, which are .RTF files embedded with the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder. RoyalRoad is a tool that researchers have said is part of the arsenal of several Chinese APTs, such as Tick, Tonto Team and TA428; it generates weaponized RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).
The RoyalRoad-generated RTF document contains an encrypted payload and shellcode, according to the analysis.
“To decrypt the payload from the package, the attacker uses the RC4 algorithm with the key 123456, and the resulted DLL file is saved as 5.t in the %Temp% folder,” researchers said. “The shellcode is also responsible for the persistence mechanism – it creates the scheduled task named Windows Update that should run the exported function StartW from 5.t with rundll32.exe, once a day.”
The .DLL gathers data on the victim’s computer including the OS name and version, user name, MAC addresses of networking adapters and antivirus information. All of the data is encrypted and then sent to the attackers’ command-and-control server (C2) via GET HTTP request method. After that, a multi-stage chain eventually results in the installation of the backdoor module, which is called “Victory.” It “appears to be a custom and unique malware,” according to Check Point.
Victory Backdoor
The malware is built to steal information and provide consistent access to the victim. Check Point researchers said it can take screenshots, manipulate files (including creating, deleting, renaming and reading them), gather information on the top-level windows that are open, and shut down the computer.
Interestingly, the malware appears to be related to previously developed tools.
“Searching for files similar to the final backdoor in the wild, we encountered a set of files that were submitted to VirusTotal in 2018,” according to the analysis. “The files were named by the author as MClient and appear to be part of a project internally called SharpM, according to their PDB paths. Compilation timestamps also show a similar timeframe between July 2017 and June 2018, and upon examination of the files, they were found to be older test versions of our VictoryDll backdoor and its loaders chain.”
The specific implementation of the main backdoor functionality is identical; and, the connection method has the same format, according to the firm. Also, MClient’s connection XOR key and VictoryDll’s initial XOR key are the same.
However, there are differences between the two in terms of architecture, functionality and naming conventions. For instance, MClient features a keylogger, which is absent for Victory. And, Victory’s exported function is named MainThread, while in all versions of the MClient variant the export function was named GetCPUID, according to Check Point.
“Overall, we can see that in these three years, most of the functionality of MClient and AutoStartup_DLL was preserved and split between multiple components – probably to complicate the analysis and decrease the detection rates at each stage,” the form said. “We may also assume that there exist other modules based on the code from 2018 that might be installed by the attacker in the later stages of the attack.”
Attribution
Check Point has attributed the campaign to a Chinese APT. One of the clues is that the first-stage C2 servers are hosted by two different cloud services, located in Hong Kong and Malaysia. These are active in only a limited daily window, returning payloads only from 01:00 – 08:00 UTC Monday through Friday, which corresponds with the Chinese workday. Also, Check Point said that the servers went dormant in the period between May 1 and 5 – which China’s Labor Day holidays.
On top of that, the RoyalRoad RTF exploit building kit is a tool of choice among Chinese APT groups; and some test versions of the backdoor contained internet connectivity check with www.baidu.com – a popular Chinese website.
“We unveiled the latest activity of what seems to be a long-running Chinese operation that managed to stay under the radar for more than three years,” Check Point concluded. “In this campaign, the attackers utilized the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor.”
Join Threatpost for “A Walk On The Dark Side: A Pipeline Cyber Crisis Simulation”– a LIVE interactive demo on Wed, June 9 at 2:00 PM EDT. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and Register HERE for free.