Site icon Check Point Blog

Chinese APT group targets Southeast Asian government with previously unknown backdoor

Check Point Research (CPR) warns of a new cyber espionage weapon being used by a Chinese threat group, after it identified and blocked an ongoing surveillance operation targeting a Southeast Asian government. Over the course of three years, the attackers developed a previously unknown backdoor into the Windows software running on the personal computers of its victims, enabling capabilities of live-espionage, such as screenshotting, editing files and running commands.

Introduction

Check Point Research (CPR) has identified and blocked an ongoing surveillance operation targeting a Southeast Asian government. The attackers, believed to be a Chinese threat group, systematically sent weaponized documents, that impersonated other entities within the same government, to multiple members of the target government’s Ministry of Foreign Affairs. CPR suspects that the purpose of the operation is espionage through the installation of a previously unknown backdoor into the Windows software running on personal computers of victims. After the backdoor is installed, the attackers can collect nearly any information they want, as well as take screenshots and execute additional malware on a target’s personal computer. CPR’s investigation revealed that the attackers have been testing and refining its Windows backdoor tool for at least the past three years.

Using email to kick off the infection chain

The campaign started with malicious documents (.docx) being sent to different employees of a government entity in Southeast Asia. These emails were spoofed to look like they were sent from other government-related entities. The attachments of these emails were weaponized copies of legitimate-looking official documents and used the remote template technique to pull the next stage malware from the attacker’s server including a malicious code.  Remote template is a feature by Microsoft that allows one to pull a template for the document from a remote server whenever the user open the document.

Figure 1: Examples of lure documents sent to the victims

Weaponizing RTF files

In this campaign, the remote templates in all the cases were Rich Text Format (RTF) files, which lets users exchange text files between different word processors in different operating systems. The RTF files were weaponized using the variant of a tool named RoyalRoad, which allowed the attacker to create customized documents with embedded objects that exploit the Equation Editor vulnerabilities of Microsoft Word.

Despite the fact that these vulnerabilities are a few years old, they are still used by multiple attack groups, and are especially popular with Chinese APT groups.

The initial documents and RTF files are just the very start of an elaborated multi-stage infection-chain, which are further analyzed below.

Figure 2: Diagram of full infection chain (Note: Dynamic Link Library (DLL) is a file format used for holding multiple codes and procedures for Windows programs)

Victory enters from the backdoor

At the final stage of the infection chain, the malicious loader should download, decrypt and load a DLL (Dynamic Link Library) file into memory.

In this attack, the backdoor module appears to be a custom-made and unique malware with the internal name “VictoryDll_x86.dll”.

The backdoor capabilities of this malware include the ability to:

Attribution

CPR attributes, with medium-to-high confidence, the ongoing surveillance operation to a Chinese threat group, based on the following artifacts and indicators:

Conclusion

All the evidence points to the fact that we are dealing with a highly organized operation that placed significant effort into remaining under the radar. Every few weeks, the attackers used spear-phishing emails, laced with weaponized versions of government-themed documents, to try to create a foothold into the Ministry of Foreign affairs of the target country. This means that the attackers first had to attack another department within the targeted state, stealing and weaponizing documents for use against the Ministry of Foreign Affairs. Overall, the attackers, who are believed to be a Chinese threat group, were very systematic in their approach.

Ultimately, CPR´s investigation led to the discovery of a new Windows backdoor, in other words a new cyber espionage weapon, which the Chinese threat group has been developing since 2017. The backdoor was formed and reformed time and time again over the course of three years, before it was used in the wild. This backdoor is far more intrusive and capable of collecting a vast amount of data from an infected computer. CPR learned that the attackers are not only interested in cold data, but also what is happening on target’s personal computer at any moment, resulting in live espionage. Although CPR were able to block the surveillance operation for the Southeast Asian government described, it is possible that the threat group is using its new cyber espionage weapon on other targets around the world.

Check Point Harmony is the industry’s first unified security solution for users, devices and access, and has the ability to blocks attacks such as these from the very first step. It closes the security gaps that are usually left behind by multiple different point products from several different security vendors by blocking all exploit techniques across all attack vectors.

Exit mobile version