Checkpoint Reported that Chinese APT Hackers Exploit MS Word Bug to Drop Malware

Researchers discovered a recent COVID-19 program initiated by Chinese-based APT threat actors, taking advantage of Coronavirus scare to spread unknown Windows malware.

This attack is suspected to be launched by the Long-running APT community attacking separate government and private sectors, and the new attack leverages the COVID-19 pandemic to manipulate the victims and cause the outbreak.

Attackers also use modern malware methods in this effort to attack suspected RTF papers.

Collected information in this assault shows that the RTF records are fitted with Royal Road, an RTF armorer called Anomali. Often named’ 8.t RTF exploit creator, which is primarily used here to manipulate the bugs of the Microsoft Word Equation Editor.

Few malicious documents have been published in Mongolian, one of them allegedly from the Ministry of Foreign Affairs of Mongolia, and the paper includes information on recent Coronavirus infections.

lure doc

Infection Vectors

When the user opens a malicious RTF text, the Microsoft Word bug will be abused and the new file called intel.wll will be moved to the Word initialization tab.

infection process

It is one of the latest variants of the RoyalRoad Armor Persistence Technique that allows to open all DLL files with a WLL extension in the Word Startup folder if the user launches an MS Word program and causes an infection chain.

SEE ALSO:
Parts of Wikipedia Offline After 'Malicious' Attack

Even, this strategy eliminates and avoids the malicious cycle from operating in the sandbox.

After the intel.wll DLL is enabled, the next step of the infection chain is downloaded and decrypted from the C2 server (95.179.242[.]6).

During this next point, the DLL script, which is exposed as the main loader of this malware platform built by the APT perpetrators, can obtain additional functionality from the other C2 servers.

It is one of the latest variants of the RoyalRoad arsenal persistence strategy that allows to open all DLL files with a WLL extension in the Word Startup folder once the user opens the MS Word program and starts the infection chain.

Even, this strategy eliminates and avoids the malicious cycle from operating in the sandbox.

After the intel.wll DLL is enabled, the next step of the infection chain is downloaded and decrypted from the C2 server (95.179.242[.]6).

During this next point, the DLL script, which is exposed as the main loader of this malware platform built by the APT perpetrators, can obtain additional functionality from the other C2 servers.

According to the Checkpoint research ” At the final stage of the infection chain, after the appropriate command is received, the malicious loader downloads and decrypts a RAT module, also in the form of a DLL file, and loads it into memory. This plug-in like architecture might hint at the existence of other modules, in addition to the payload we received. “

Malware includes the RAT module comprising the following key capabilities;

  • Take a screenshot
  • List files and directories
  • Create and delete directories
  • Move and delete files
  • Download a file
  • Execute a new process
  • Get a list of all services
SEE ALSO:
Zoom Announced Two-Factor Authentication For All Accounts

Both C&C servers were hosted on Vultr servers and domains were registered through the GoDaddy registry.

Indicators of Compromise

RTFs:

234a10e432e0939820b2f40bf612eda9229db720
751155c42e01837f0b17e3b8615be2a9189c997a
ae042ec91ac661fdc0230bdddaafdc386fb442a3
d7f69f7bd7fc96d842fcac054e8768fd1ecaa88a
dba2fa756263549948fac6935911c3e0d4d1fa1f

DLLs:

0e0b006e85e905555c90dfc0c00b306bca062e7b
dde7dd81eb9527b7ef99ebeefa821b11581b98e0
fc9c38718e4d2c75a8ba894352fa2b3c9348c3d7
601a08e77ccb83ffcd4a3914286bb00e9b192cd6
27a029c864bb39910304d7ff2ca1396f22aa32a2
8b121bc5bd9382dfdf1431987a5131576321aefb
bf9ef96b9dc8bdbc6996491d8167a8e1e63283fe
fcf75e7cad45099bf977fe719a8a5fc245bd66b8
0bedd80bf62417760d25ce87dea0ce9a084c163c
5eee7a65ae5b5171bf29c329683aacc7eb99ee0c
3900054580bd4155b4b72ccf7144c6188987cd31
e7826f5d9a9b08e758224ef34e2212d7a8f1b728
a93ae61ce57db88be52593fc3f1565a442c34679
5ff9ecc1184c9952a16b9941b311d1a038fcab56
36e302e6751cc1a141d3a243ca19ec74bec9226a
080baf77c96ee71131b8ce4b057c126686c0c696
c945c9f4a56fd1057cac66fbc8b3e021974b1ec6
5560644578a6bcf1ba79f380ca8bdb2f9a4b40b7
207477076d069999533e0150be06a20ba74d5378
b942e1d1a0b5f0e66da3aa9bbd0fb46b8e16d71d
9ef97f90dcdfe123ccb7d9b45e6fa9eceb2446f0
cf5fb4017483cdf1d5eb659ebc9cd7d19588d935
92de0a807cfb1a332aa0d886a6981e7dee16d621
cde40c325fcf179242831a145fd918ca7288d9dc
2426f9db2d962a444391aa3ddf75882faad0b67c
9eda00aae384b2f9509fa48945ae820903912a90
2e50c075343ab20228a8c0c094722bbff71c4a2a
2f80f51188dc9aea697868864d88925d64c26abc

RAT:

238a1d2be44b684f5fe848081ba4c3e6ff821917
Leave a Reply
Previous Post
Cyberattack

Czech Republic’s Biggest COVID-19 Testing Lab Hit by Cyberattack

Next Post
ProtonVPN

ProtonMail is Deploying a New System to Help Users to Keep their Personal Information Safe

Related Posts