Sunday, May 19, 2024

Chinese APT Group Leverage Microsoft Office Vulnerabilities To Attack Government Agencies

The cybersecurity researchers of the Check Point research team have recently detected that the threat actors of the Chines APT hacking group, SharpPanda are performing cyber-espionage campaigns.

These Chinese APT threat actors are targeting the Southeast Asian government agencies. However, the main motive of these threat actors is to implant Windows backdoor programs to hijack all the essential information of the government agencies.

After investigating the matter the authorities came to know that the threat actors were active for at least three years, and were targeting different government agencies.

Apart from this, the analysts have also claimed that through this campaign the threat actors have utilized the Microsoft office exploits and loaders with the anti-analysis and anti-debugging methods to carry out their operations.

Infection Chain

Different employees of Southeast Asia received a malicious DOCX document, it was a campaign that was operated by the threat actors; however, the agency found it quite unsudden, and soon after they started their main investigation.

The threat actors have disguised the emails in such a way, that generally, people will think that it might be some government-related entities. 

But, in reality, the researchers reported that the APT hackers were using these emails as their weapon, and they also utilized the remote template method for the next stage of the operation.

Not only this, but the hackers also using a new variant of hacking tool, RoyalRoad, as it helped them to create a customized document with embedded objects in their operation.

Moreover, these documents exploit the equation editor vulnerability of Microsoft word; though these flaws are old but still used by the Chines APT threat actors.

The Backdoor and its abilities

In this attack, the last step is to download the backdoor that is the DLL file named “VictoryDll_x86.dll,” and this backdoor is the best backdoor as compare to the other.

Moreover, this backdoor has some specific abilities, and here we have mentioned them below:-

  • Get screenshots
  • Pipe Read/Write – run commands through cmd.exe
  • Create/Terminate Process
  • Get TCP/UDP tables
  • Get CDROM drives data
  • Delete/Create/Rename/Read/Write Files and get files attributes
  • Get processes and services information
  • Get registry keys info
  • Get titles of all top-level windows
  • Get victim’s computer information – computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number), and type of user
  • Shutdown PC

C&C Communication

In the C&C communication, the backdoor simply applies the same configuration that includes the server IP and port, and here are the configuration steps are mentioned below:-

  • Initially, it sends a “Start conversation” (0x540) message XORed to the server along with the hard-coded 256-byte key.
  • After that the server returns the “Get Victim Information” (0x541) message and the new 256-byte key, later it is being used for all the subsequent communication. 

The subsequent communication along with the C&C server has the following format:-

  • [Size] followed by XORed [TypeID] and [Data] (with 256-byte key).

The security analysts pronounced that here the attackers have performed different significant efforts to keep all their activities hidden, and that’s why they have changed their infrastructure many times from the time it’s get developed. 

Moreover, the vulnerabilities that were being used by the threat actors in this campaign are the old vulnerabilities, but they are still quite popular among Chine APT groups.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles