Monday, October 7, 2024
HomeMalwareLuckyMouse Chinese APT Malware Launching Weaponized Waterholing Attack on Government Data Center

LuckyMouse Chinese APT Malware Launching Weaponized Waterholing Attack on Government Data Center

Published on

Chinese APT actor LuckyMouse also known as EmissaryPanda & APT27 campaign targeting government entities and national data center by inserting malicious scripts to compromise an official website and performing Watering hole Attack.

Watering hole Attack is specifically targeting the businesses and organizations group by infecting carefully selected websites and the attackers run exploits on well-known & trusted sites that they targeted audience used to visit regularly.

Attackers main motivation behind this attack is to gain access to the government resource and stealing the sensitive information.

- Advertisement - EHA

Threat actor also using Powerful remote administration tool (RAT) called HyperBro Trojan that is regularly used by a variety of Chinese-speaking actors to create a backdoor.

LuckyMouse already targeted the government entities in central Asia and based on the Watering hole of government websites and the corresponding dates is to access the web pages via the data center and inject JavaScripts into them.

How Does this Watering hole Attack Champaign Works

Initially unknown distribution vector launching the weaponized Microsoft Office Equation Editor documents with CVE-2017-118822 which is widely used by Chinese-speaking actors since December 2017.

In this case, attacker targeting the data center employees by using Watering hole Attack and the C&C  server resolving IP address belongs to Ukrainian ISP network.

This network was controlled by Mikrotik router using firmware version 6.34.4 which was hacked to process the malware’s HTTP requests for this Waterhole champaign.

Once the infection started, this module drops the 3 files and the trojan is injected into svchost.exe’s process memory.

  • a legit Symantec pcAnywhere (IntgStat.exe)
  • a .dll launcher (pcalocalresloader.dll)
  • decompressor (thumb.db)

Malware performing various anti-detection stages which are shown in the above picture that contains three dropped modules.

According to Kaspersky,The websites were compromised to redirect visitors to instances of both ScanBox and BEeF.
                         The script that infected into compromised government websites

Finally, visitors of the infected government website will be redirected and these redirects were implemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer.

The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. Kaspersky researchers said.

Also Read:

Powerful APT Malware “Slingshot” Performs Highly Sophisticated Cyber Attack to Compromise Router

Russia Launch Heavy Cyber Attack on Singapore During Donald Trump & Kim Summit

MuddyWater Malware Attack Launch PowerShell Script to Open Backdoor in Windows PC via MS Word Document

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...

Microsoft & DOJ Dismantles Hundreds of Websites Used by Russian Hackers

Microsoft and the U.S. Department of Justice (DOJ) have disrupted the operations of Star...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...

Octo2 Android Malware Attacking To Steal Banking Credentials

The original threat actor behind the Octo malware family has released a new variant,...