Researchers have found a new cyber espionage weapon they believe was developed and is being used by SharpPanda. A previously undiscovered Windows backdoor allows remote access and collection of large amounts of live data – but only during Chinese business hours, according to Security Week.
A Southeast Asian country’s Ministry of Foreign Affairs is the target of an ongoing campaign. It begins with the spear-phishing emailing of a weaponized document, but in some ways, it started earlier, with the attackers obtaining real documents from another department within the same government to give validity to the actual campaign.
The documents are weaponized with the RoyalRoad RTF exploit kit and then distributed in a spear phishing campaign to various targets in the ministry of Foreign Affairs. According to Check Point Research (CPR), opening the attachment triggers a sequence of in-memory loaders that leads to the delivery of the previously unknown backdoor.
The weaponized document contains embedded objects that attack Equation Editor vulnerabilities in Word (which, although old and fixed, is still used by Chinese APT outfits to obtain the backdoor’s downloader). This is the beginning of a complex multi-stage infection chain designed to make detection and analysis difficult.
How does the infection work?
The original name of the 5.t DLL is Download.dll. It begins with a typical anti-sandboxing technique for identifying code acceleration: it obtains the local time before and after a Sleep function call and checks to see if the Sleep was skipped. The loader then collects data from the victim’s computer, such as hostname, OS name and version, system type (32/64 bit), username, and MAC addresses of network adapters. It also looks up anti-virus information in WMI.
If the attacker decides that the victim is interesting, the next stage executable is returned in the same way. The executable loads the decrypted DLL into memory, begins execution from the StartW export function and notifies the server of the success of the operation.
The loader then encrypts the data with RC4 and the key 123456 before base64 encoding it.
The data is then transmitted to the following addresses using HTTP GET:
https://<C&C IP>/<working_folder>/Main.php?Data=<encrypted_data> with the User-Agent Microsoft Internet Explorer and then the loader gets the response from https://<C&C IP>/<working_folder>/buy/<hostname>.html.
If the cybercriminal is interested in the target PC, the server’s response contains the next-level executable in encrypted form, just as the data is provided to the C&C server.
To ensure the integrity of the received message, the loader uses the hash algorithm FNV-1A64 to determine if the prefix of the decrypted message is A257. Moreover, it computes the MD5 value of the message to ensure that it matches the value specified at the beginning of the message.
The plug-in design of the attack, the researchers warn, means that attackers could use the process to download and install any other module in addition to the VictoryDll backdoor, and the attack method could be used anywhere in the world.