
Chinese cybercriminals spent three years creating a new backdoor to spy on governments

A new backdoor used in ongoing cyberespionage campaigns has been connected to Chinese threat actors. 

On Thursday, Check Point Research (CPR) said that the backdoor has been designed, developed, tested, and deployed over the past three years in order to compromise the systems of a Southeast Asian government’s Ministry of Foreign Affairs. 

The Windows-based malware's infection chain began with spear-phishing emails that impersonated other departments of the same government and carried weaponized, official-looking documents aimed at ministry staff.


When a victim opens one of the files, it fetches a remote RTF template, and that template is a document built with Royal Road, an RTF weaponizer.

The tool works by exploiting a set of vulnerabilities in Microsoft Office's Equation Editor (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802), a legacy component that renders embedded "Equation.3" OLE objects.

CPR says that Royal Road is "especially popular with Chinese APT [advanced persistent threat] groups."

The RTF document contains shellcode and an encrypted payload. The payload creates a scheduled task for persistence, runs time-based anti-sandbox checks (measuring whether elapsed time has been accelerated or skipped, as sandboxes commonly do), and then acts as a downloader for the final backdoor.

Dubbed “VictoryDll_x86.dll,” the backdoor has been developed to contain a number of functions suitable for spying and the exfiltration of data to a command-and-control server (C2). 

These include reading, writing and deleting files; harvesting OS, process, registry-key and service information; running commands through cmd.exe; grabbing screenshots; creating or terminating processes; obtaining the titles of top-level windows; and shutting down the machine.

The backdoor connects to a C2 to pass along stolen data, and the same server can be used to fetch and execute additional malware payloads. The first-stage C2 servers are hosted in Hong Kong and Malaysia, while the backdoor's C2 server is hosted by a US provider.

CPR believes the backdoor is likely the work of Chinese threat actors for three reasons: its limited operational schedule of 01:00 to 08:00 UTC, which corresponds to a 09:00 to 16:00 working day in UTC+8 (China Standard Time); the use of Royal Road; and test versions of the backdoor, uploaded to VirusTotal in 2018, which contained connectivity checks against Baidu's web address.

“We learned that the attackers are not only interested in cold data, but also what is happening on a target’s personal computer at any moment, resulting in live espionage,” commented Lotem Finkelsteen, head of threat intelligence at CPR. “Although we were able to block the surveillance operation for the Southeast Asian government described, it’s possible that the threat group is using its new cyberespionage weapon on other targets around the world.”



Source: ZDNet
