Researchers discovered a recent COVID-19-themed campaign run by China-based APT threat actors, which takes advantage of the Coronavirus scare to spread previously unknown Windows malware.
The attack is suspected to be the work of a long-running APT group that has targeted various government and private-sector organizations, and the new campaign leverages the COVID-19 pandemic to lure victims and trigger the infection.
The attackers also use up-to-date malware techniques in this campaign, delivered through weaponized RTF documents.
Information collected from this attack shows that the RTF files were built with RoyalRoad, an RTF weaponizer (so named by Anomali, and also known as the "8.t" RTF exploit builder) that is primarily used to exploit vulnerabilities in the Microsoft Word Equation Editor.
A few of the malicious documents are written in Mongolian, one of them purportedly from the Ministry of Foreign Affairs of Mongolia, and the document contains information about recent Coronavirus infections.
Infection Vectors
When the user opens the malicious RTF document, the Microsoft Word vulnerability is exploited and a new file named intel.wll is dropped into the Word Startup folder.
This is one of the latest variants of the RoyalRoad persistence technique: Word loads any DLL with a WLL extension from its Startup folder whenever the user launches MS Word, and that load starts the infection chain.
This also helps the malicious chain evade sandbox analysis, since the payload does not run until Word is launched again.
After the intel.wll DLL is loaded, the next stage of the infection chain is downloaded and decrypted from the C2 server (95.179.242[.]6).
This next-stage DLL, which serves as the main loader of the malware framework built by the APT actors, can fetch additional functionality from other C2 servers.
According to the Check Point research: "At the final stage of the infection chain, after the appropriate command is received, the malicious loader downloads and decrypts a RAT module, also in the form of a DLL file, and loads it into memory. This plug-in like architecture might hint at the existence of other modules, in addition to the payload we received."
The RAT module provides the following key capabilities:
- Take a screenshot
- List files and directories
- Create and delete directories
- Move and delete files
- Download a file
- Execute a new process
- Get a list of all services
Both C&C servers were hosted on Vultr, and the domains were registered through GoDaddy.
Indicators of Compromise
RTFs:
234a10e432e0939820b2f40bf612eda9229db720
751155c42e01837f0b17e3b8615be2a9189c997a
ae042ec91ac661fdc0230bdddaafdc386fb442a3
d7f69f7bd7fc96d842fcac054e8768fd1ecaa88a
dba2fa756263549948fac6935911c3e0d4d1fa1f
DLLs:
0e0b006e85e905555c90dfc0c00b306bca062e7b
dde7dd81eb9527b7ef99ebeefa821b11581b98e0
fc9c38718e4d2c75a8ba894352fa2b3c9348c3d7
601a08e77ccb83ffcd4a3914286bb00e9b192cd6
27a029c864bb39910304d7ff2ca1396f22aa32a2
8b121bc5bd9382dfdf1431987a5131576321aefb
bf9ef96b9dc8bdbc6996491d8167a8e1e63283fe
fcf75e7cad45099bf977fe719a8a5fc245bd66b8
0bedd80bf62417760d25ce87dea0ce9a084c163c
5eee7a65ae5b5171bf29c329683aacc7eb99ee0c
3900054580bd4155b4b72ccf7144c6188987cd31
e7826f5d9a9b08e758224ef34e2212d7a8f1b728
a93ae61ce57db88be52593fc3f1565a442c34679
5ff9ecc1184c9952a16b9941b311d1a038fcab56
36e302e6751cc1a141d3a243ca19ec74bec9226a
080baf77c96ee71131b8ce4b057c126686c0c696
c945c9f4a56fd1057cac66fbc8b3e021974b1ec6
5560644578a6bcf1ba79f380ca8bdb2f9a4b40b7
207477076d069999533e0150be06a20ba74d5378
b942e1d1a0b5f0e66da3aa9bbd0fb46b8e16d71d
9ef97f90dcdfe123ccb7d9b45e6fa9eceb2446f0
cf5fb4017483cdf1d5eb659ebc9cd7d19588d935
92de0a807cfb1a332aa0d886a6981e7dee16d621
cde40c325fcf179242831a145fd918ca7288d9dc
2426f9db2d962a444391aa3ddf75882faad0b67c
9eda00aae384b2f9509fa48945ae820903912a90
2e50c075343ab20228a8c0c094722bbff71c4a2a
2f80f51188dc9aea697868864d88925d64c26abc
RAT:
238a1d2be44b684f5fe848081ba4c3e6ff821917
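The persistence trick described under Infection Vectors (Word auto-loading any .wll add-in from its Startup folder) and the hash list above suggest a simple host check: enumerate the Startup folder, hash every add-in found there, and compare against the IoCs. The script below is an added example, not code from the article or from Check Point. It assumes the 40-hex-character IoC values are SHA-1 digests (they have SHA-1 length, but the article does not say), uses the default Word Startup paths for recent Office versions (Word's File Locations setting can move them), and builds its demo input from constructed files that contain no real malware.

```python
"""Scan a Word Startup folder for .wll add-ins and compare them with the IoCs above.
Added example, not code from the article or from Check Point."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-1 hashes copied from the article's IoC section (DLL loaders plus the RAT module).
# They are SHA-1 length (40 hex chars); treating them as SHA-1 is an assumption.
IOC_SHA1 = {
    "0e0b006e85e905555c90dfc0c00b306bca062e7b", "dde7dd81eb9527b7ef99ebeefa821b11581b98e0",
    "fc9c38718e4d2c75a8ba894352fa2b3c9348c3d7", "601a08e77ccb83ffcd4a3914286bb00e9b192cd6",
    "27a029c864bb39910304d7ff2ca1396f22aa32a2", "8b121bc5bd9382dfdf1431987a5131576321aefb",
    "bf9ef96b9dc8bdbc6996491d8167a8e1e63283fe", "fcf75e7cad45099bf977fe719a8a5fc245bd66b8",
    "0bedd80bf62417760d25ce87dea0ce9a084c163c", "5eee7a65ae5b5171bf29c329683aacc7eb99ee0c",
    "3900054580bd4155b4b72ccf7144c6188987cd31", "e7826f5d9a9b08e758224ef34e2212d7a8f1b728",
    "a93ae61ce57db88be52593fc3f1565a442c34679", "5ff9ecc1184c9952a16b9941b311d1a038fcab56",
    "36e302e6751cc1a141d3a243ca19ec74bec9226a", "080baf77c96ee71131b8ce4b057c126686c0c696",
    "c945c9f4a56fd1057cac66fbc8b3e021974b1ec6", "5560644578a6bcf1ba79f380ca8bdb2f9a4b40b7",
    "207477076d069999533e0150be06a20ba74d5378", "b942e1d1a0b5f0e66da3aa9bbd0fb46b8e16d71d",
    "9ef97f90dcdfe123ccb7d9b45e6fa9eceb2446f0", "cf5fb4017483cdf1d5eb659ebc9cd7d19588d935",
    "92de0a807cfb1a332aa0d886a6981e7dee16d621", "cde40c325fcf179242831a145fd918ca7288d9dc",
    "2426f9db2d962a444391aa3ddf75882faad0b67c", "9eda00aae384b2f9509fa48945ae820903912a90",
    "2e50c075343ab20228a8c0c094722bbff71c4a2a", "2f80f51188dc9aea697868864d88925d64c26abc",
    "238a1d2be44b684f5fe848081ba4c3e6ff821917",  # RAT module
}


def default_startup_dirs():
    """Default Word Startup folders on Windows (per-user and Office 2016+ machine-wide).
    Word loads any .wll found here at launch; a custom File Locations setting can differ."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft" / "Word" / "STARTUP")
    for var in ("ProgramFiles", "ProgramFiles(x86)"):
        base = os.environ.get(var)
        if base:
            dirs.append(Path(base) / "Microsoft Office" / "root" / "Office16" / "STARTUP")
    return dirs


def sha1_of(path):
    """Hex SHA-1 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_startup_dir(startup_dir, ioc_hashes=IOC_SHA1):
    """Report every .wll/.dll add-in in a Startup folder, sorted by path.

    Every such file deserves a look because Word auto-loads it. A hash found in the
    IoC list is 'known_ioc'; an unmatched file named intel.wll (the dropped loader's
    name) is 'suspicious_name'; anything else is 'unknown_addin'.
    """
    findings = []
    startup_dir = Path(startup_dir)
    if not startup_dir.is_dir():
        return findings
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in (".wll", ".dll"):
            continue
        digest = sha1_of(entry)
        if digest in ioc_hashes:
            verdict = "known_ioc"
        elif entry.name.lower() == "intel.wll":
            verdict = "suspicious_name"
        else:
            verdict = "unknown_addin"
        findings.append({"path": str(entry), "sha1": digest, "verdict": verdict})
    return findings


def demo():
    """Scan a throw-away Startup folder built from constructed files (no real malware).

    Returns two result lists: one with the fake intel.wll's hash added to a copy of the
    IoC set (exercising the positive match), one against the article's IoCs alone.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "intel.wll").write_bytes(b"constructed sample, not the real intel.wll")
        (root / "vendor_addin.wll").write_bytes(b"constructed benign add-in")
        (root / "readme.txt").write_text("not an add-in, must be ignored")
        with_match = IOC_SHA1 | {sha1_of(root / "intel.wll")}
        return scan_startup_dir(root, with_match), scan_startup_dir(root)


if __name__ == "__main__":
    for d in default_startup_dirs():
        for f in scan_startup_dir(d):
            print(f["verdict"], f["sha1"], f["path"])
    print(demo())
```

Run as a script on a Windows host it walks the default Startup folders and prints one line per add-in; the RTF hashes from the list above are deliberately left out of the set because the scanner only looks at add-in files, but they can be added if the same function is pointed at a downloads or mail-attachment folder. Treat an 'unknown_addin' verdict as a prompt to verify the file's origin rather than as a detection, since legitimate add-ins live in the same folder.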