We have seen multiple stories about coronavirus-related information being used to disguise malware-laced messages and apps, which are now being distributed by threat actors around the world. Well, Chinese state-sponsored hackers are keen to get in on the act—at least according to the team at Check Point. In research published today, March 12, the firm exposes a Chinese APT, which it says has “weaponized” documents “to deliver previously unknown malware.”
Check Point told me its research team had intercepted “a targeted cyber-attack by a Chinese APT group on a public sector entity of Mongolia.” An attack which “leveraged the coronavirus pandemic.” In this example of social engineering at the highest level, the APT sent two documents, “one related to COVID-19, both impersonating the Mongolian Ministry of Foreign Affairs in the form of press briefings.” Those documents contained unique, remote access malware.
This latest attack is the tip of a nasty iceberg, as hackers target a world of people concerned about their health and finances with coronavirus escalating into a global crisis. As Thomas Brewster reports for Forbes, “crooks and snoops have been rapidly registering vast numbers of potentially-malicious websites and sending out masses of scam emails as they try to make money from the pandemic.”
This particular Chinese APT coronavirus document, Check Point says, “was entitled ‘About the Spread of New Coronavirus Infections,’ and cites the National Health Committee of China.” We have now seen multiple malware attacks framed under similar advisory notices—this is the first, though, that can be attributed to state-sponsored hackers in a campaign against an overseas government.
This is, the firm says, “the latest iteration of what seems to be a long-running Chinese-based operation against a variety of governments and organizations worldwide. This specific campaign was leveraging the COVID-19 pandemic to lure victims to trigger the infection chain.”
Check Point’s Lotem Finkelsteen described the attack as “exploiting public interest in coronavirus for [China’s] own agenda through a novel cyber infection chain. The group has been targeting not just Mongolia but other countries world-wide. All public sector entities and telcos everywhere should be extra wary of documents and websites themed around coronavirus.”
These malware-laced documents appeared to come from Mongolia’s government, with a least one purporting to be from the country’s Minister of Foreign Affairs. The targets were other elements of Mongolia’s public sector, with the objective to take screenshots, exfiltrate, delete and edit files, and remotely execute processes.
Check Point attributes this to an unnamed Chinese APT group, which it links to previous operations “dating back to at least 2016—targeting different sectors in multiple countries, such as Ukraine, Russia, and Belarus.” The RTF files were “weaponized” by RoyalRoad, which “is commonly used by Chinese threat actors,” and which exploits “the Equation Editor vulnerabilities of Microsoft Word.”
The remote access trojan launched from within the attachment is coded to limit a daily contact window with its command and control server, making detection more difficult. The architecture of the payload suggests that other modules might be added later as part of the campaign. The trojan “appears to be a custom and unique malware,” albeit the threat specifics are not unusual.
Check Point’s Finkelstein told me the fact “the Chinese group behind this attack, dubbed Vicious Panda, hasn’t been affected by the COVID-19 epidemic is interesting in itself.” Through January and February this year, “the group has released a new cyber weapon, maintained its offensive infrastructure and leveraged the horrific situation to attack foreign countries and companies abroad.”
Check Point deconstructed other elements of the malicious campaign, including the C&C’s hosting and the GoDaddy registered domains. Ultimately, though, this is a state-sponsored malware campaign, socially engineered to encourage an attachment to be opened, a file to load, and a backdoor to be built through which China can spy on strategic government targets.
None of the top-level signposts are clear enough to offer categoric attribution, but Check Point says that digging into the code within the malware itself, they can match to previous campaigns that were attributed to China and which were directed at targets of strategic interest to Beijing.
The irony here that China is using coronavirus to disguise an offensive cyber campaign will not be lost on anyone—it being the root of the infection itself. But the subject matter is currently the most potent social engineering weapon available, and so this latest news comes as no surprise.