Researchers from Check Point Research (CPR) discovered a new backdoor while investigating a cyber espionage campaign conducted by Chinese APT group SharpPanda and aimed at Southeast Asian government’s Ministry of Foreign Affairs.
The attackers use spear-phishing messages and leverage exploits for old Microsoft Office vulnerabilities, along with the chain of in-memory loaders to deliver a previously unknown backdoor on target’s machines.
The spear-phishing messages impersonate departments of the targeted governments.
“Our investigation shows the operation was carried out by what we believe is a Chinese APT group that has been testing and refining the tools in its arsenal for at least 3 years.” reads the analysis published by CheckPoint. “The investigation starts from the campaign of malicious DOCX documents that are sent to different employees of a government entity in Southeast Asia. In some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponized copies of legitimate looking official documents and use the remote template technique to pull the next stage from the attacker’s server.”
Upon opening the bait files, the malicious code loads remote .RTF templates weaponized using a variant of a tool named RoyalRoad, which is commonly used by Chinese APT groups The tool was used by the Chinese threat actors to create weaponized documents with embedded objects that exploit the Equation Editor vulnerabilities of Microsoft Word. Despite the fact that these vulnerabilities are few years old, they are still used by multiple attack groups, and especially popular with Chinese APT groups.
All the documents created with the RoyalRoad RTFs include encrypted payload and shellcode. The encrypted payload creates a scheduled task and checks the presence of a sandbox before starting the process to drop the final custom backdoor (VictoryDll_x86.dll).
The backdoor supports multiple functions that allow to spy on the victims and steal sensitive data, including:
The backdoor sends stolen data back to the C2 that could be used to deliver additional malware. Experts noticed that first-stage C2 servers are hosted in Hong Kong and Malaysia, while the C2 for the final backdoor is hosted by a US provider.
The threat actor operates the C&C servers in a limited daily window (1.00 am — 8.00 am UTC), making it harder to gain access to the advanced parts of the infection chain.
Checkpoint researchers also reported that samples of the threat were uploaded to VirusTotal from China in 2018, they contained connectivity checks with Baidu’s web address, a circumstance that suggests the involvement of China-linked APT. The C2 servers did not return any payload specifically between May 1st and 5th which is the period when the Labor Day holidays in China took place.
“We unveiled the latest activity of what seems to be a long-running Chinese operation that managed to stay under the radar for more than 3 years. In this campaign, the attackers utilized the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor.” concludes the report.
“Analyzing the backdoor’s code evolution since its first appearance in the wild showed how it transformed from a single executable to a multi-stage attack, making it harder to detect and investigate.”
(SecurityAffairs – hacking, SharpPanda APT)