Wednesday, December 6, 2023

Chinese APT Group Leverage Microsoft Office Vulnerabilities To Attack Government Agencies

The cybersecurity researchers of the Check Point research team have recently detected that the threat actors of the Chines APT hacking group, SharpPanda are performing cyber-espionage campaigns.

These Chinese APT threat actors are targeting the Southeast Asian government agencies. However, the main motive of these threat actors is to implant Windows backdoor programs to hijack all the essential information of the government agencies.

After investigating the matter the authorities came to know that the threat actors were active for at least three years, and were targeting different government agencies.

Apart from this, the analysts have also claimed that through this campaign the threat actors have utilized the Microsoft office exploits and loaders with the anti-analysis and anti-debugging methods to carry out their operations.

Infection Chain

Different employees of Southeast Asia received a malicious DOCX document, it was a campaign that was operated by the threat actors; however, the agency found it quite unsudden, and soon after they started their main investigation.

The threat actors have disguised the emails in such a way, that generally, people will think that it might be some government-related entities. 

But, in reality, the researchers reported that the APT hackers were using these emails as their weapon, and they also utilized the remote template method for the next stage of the operation.

Not only this, but the hackers also using a new variant of hacking tool, RoyalRoad, as it helped them to create a customized document with embedded objects in their operation.

Moreover, these documents exploit the equation editor vulnerability of Microsoft word; though these flaws are old but still used by the Chines APT threat actors.

The Backdoor and its abilities

In this attack, the last step is to download the backdoor that is the DLL file named “VictoryDll_x86.dll,” and this backdoor is the best backdoor as compare to the other.

Moreover, this backdoor has some specific abilities, and here we have mentioned them below:-

  • Get screenshots
  • Pipe Read/Write – run commands through cmd.exe
  • Create/Terminate Process
  • Get TCP/UDP tables
  • Get CDROM drives data
  • Delete/Create/Rename/Read/Write Files and get files attributes
  • Get processes and services information
  • Get registry keys info
  • Get titles of all top-level windows
  • Get victim’s computer information – computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number), and type of user
  • Shutdown PC

C&C Communication

In the C&C communication, the backdoor simply applies the same configuration that includes the server IP and port, and here are the configuration steps are mentioned below:-

  • Initially, it sends a “Start conversation” (0x540) message XORed to the server along with the hard-coded 256-byte key.
  • After that the server returns the “Get Victim Information” (0x541) message and the new 256-byte key, later it is being used for all the subsequent communication. 

The subsequent communication along with the C&C server has the following format:-

  • [Size] followed by XORed [TypeID] and [Data] (with 256-byte key).

The security analysts pronounced that here the attackers have performed different significant efforts to keep all their activities hidden, and that’s why they have changed their infrastructure many times from the time it’s get developed. 

Moreover, the vulnerabilities that were being used by the threat actors in this campaign are the old vulnerabilities, but they are still quite popular among Chine APT groups.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Latest articles

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision...

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit...

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been...

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware....

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's-DNSIP address...

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles