Chinese APT Group Leverage Microsoft Office Vulnerabilities To Attack Government Agencies

The cybersecurity researchers of the Check Point research team have recently detected that the threat actors of the Chines APT hacking group, SharpPanda are performing cyber-espionage campaigns.

These Chinese APT threat actors are targeting the Southeast Asian government agencies. However, the main motive of these threat actors is to implant Windows backdoor programs to hijack all the essential information of the government agencies.

After investigating the matter the authorities came to know that the threat actors were active for at least three years, and were targeting different government agencies.

Apart from this, the analysts have also claimed that through this campaign the threat actors have utilized the Microsoft office exploits and loaders with the anti-analysis and anti-debugging methods to carry out their operations.

Infection Chain

Different employees of Southeast Asia received a malicious DOCX document, it was a campaign that was operated by the threat actors; however, the agency found it quite unsudden, and soon after they started their main investigation.

The threat actors have disguised the emails in such a way, that generally, people will think that it might be some government-related entities. 

But, in reality, the researchers reported that the APT hackers were using these emails as their weapon, and they also utilized the remote template method for the next stage of the operation.

Not only this, but the hackers also using a new variant of hacking tool, RoyalRoad, as it helped them to create a customized document with embedded objects in their operation.

Moreover, these documents exploit the equation editor vulnerability of Microsoft word; though these flaws are old but still used by the Chines APT threat actors.

The Backdoor and its abilities

In this attack, the last step is to download the backdoor that is the DLL file named “VictoryDll_x86.dll,” and this backdoor is the best backdoor as compare to the other.

Moreover, this backdoor has some specific abilities, and here we have mentioned them below:-

• Get screenshots
• Pipe Read/Write – run commands through cmd.exe
• Create/Terminate Process
• Get TCP/UDP tables
• Get CDROM drives data
• Delete/Create/Rename/Read/Write Files and get files attributes
• Get processes and services information
• Get registry keys info
• Get titles of all top-level windows
• Get victim’s computer information – computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number), and type of user
• Shutdown PC

C&C Communication

In the C&C communication, the backdoor simply applies the same configuration that includes the server IP and port, and here are the configuration steps are mentioned below:-

• Initially, it sends a “Start conversation” (0x540) message XORed to the server along with the hard-coded 256-byte key.

• After that the server returns the “Get Victim Information” (0x541) message and the new 256-byte key, later it is being used for all the subsequent communication.

The subsequent communication along with the C&C server has the following format:-

• [Size] followed by XORed [TypeID] and [Data] (with 256-byte key).

The security analysts pronounced that here the attackers have performed different significant efforts to keep all their activities hidden, and that’s why they have changed their infrastructure many times from the time it’s get developed. 

Moreover, the vulnerabilities that were being used by the threat actors in this campaign are the old vulnerabilities, but they are still quite popular among Chine APT groups.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.