Thursday, March 28, 2024

Chinese APT Group Leverage Microsoft Office Vulnerabilities To Attack Government Agencies

The cybersecurity researchers of the Check Point research team have recently detected that the threat actors of the Chines APT hacking group, SharpPanda are performing cyber-espionage campaigns.

These Chinese APT threat actors are targeting the Southeast Asian government agencies. However, the main motive of these threat actors is to implant Windows backdoor programs to hijack all the essential information of the government agencies.

After investigating the matter the authorities came to know that the threat actors were active for at least three years, and were targeting different government agencies.

Apart from this, the analysts have also claimed that through this campaign the threat actors have utilized the Microsoft office exploits and loaders with the anti-analysis and anti-debugging methods to carry out their operations.

Infection Chain

Different employees of Southeast Asia received a malicious DOCX document, it was a campaign that was operated by the threat actors; however, the agency found it quite unsudden, and soon after they started their main investigation.

The threat actors have disguised the emails in such a way, that generally, people will think that it might be some government-related entities. 

But, in reality, the researchers reported that the APT hackers were using these emails as their weapon, and they also utilized the remote template method for the next stage of the operation.

Not only this, but the hackers also using a new variant of hacking tool, RoyalRoad, as it helped them to create a customized document with embedded objects in their operation.

Moreover, these documents exploit the equation editor vulnerability of Microsoft word; though these flaws are old but still used by the Chines APT threat actors.

The Backdoor and its abilities

In this attack, the last step is to download the backdoor that is the DLL file named “VictoryDll_x86.dll,” and this backdoor is the best backdoor as compare to the other.

Moreover, this backdoor has some specific abilities, and here we have mentioned them below:-

  • Get screenshots
  • Pipe Read/Write – run commands through cmd.exe
  • Create/Terminate Process
  • Get TCP/UDP tables
  • Get CDROM drives data
  • Delete/Create/Rename/Read/Write Files and get files attributes
  • Get processes and services information
  • Get registry keys info
  • Get titles of all top-level windows
  • Get victim’s computer information – computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number), and type of user
  • Shutdown PC

C&C Communication

In the C&C communication, the backdoor simply applies the same configuration that includes the server IP and port, and here are the configuration steps are mentioned below:-

  • Initially, it sends a “Start conversation” (0x540) message XORed to the server along with the hard-coded 256-byte key.
  • After that the server returns the “Get Victim Information” (0x541) message and the new 256-byte key, later it is being used for all the subsequent communication. 

The subsequent communication along with the C&C server has the following format:-

  • [Size] followed by XORed [TypeID] and [Data] (with 256-byte key).

The security analysts pronounced that here the attackers have performed different significant efforts to keep all their activities hidden, and that’s why they have changed their infrastructure many times from the time it’s get developed. 

Moreover, the vulnerabilities that were being used by the threat actors in this campaign are the old vulnerabilities, but they are still quite popular among Chine APT groups.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles