Hackers are using phishing emails posing as Windows security updates and other lures to install remote access malware on Russian government entities.
The attacks are being carried out by a previously unknown China-based APT (advanced persistent threat) group, which has been linked to four spear-phishing campaigns.
These campaigns took place between February and April 2022, during Russia’s invasion of Ukraine, and targeted Russian Federation government entities.
The eventual purpose of the campaigns in all four cases was to infect the targets with a custom remote access trojan (RAT), which was most likely used for espionage.
The threat actor’s deliberate attempts to mimic other hacker groups and evade detection were uncovered by analysts at Malwarebytes Threat Intelligence, who published the report.
The phishing schemes
The first of four campaigns linked to this new APT began in February 2022, just days after Russia invaded Ukraine, and distributed the RAT as “interactive map UA.exe.”
The APT had more time to build something more elaborate for the second wave: a tar.gz archive purporting to come from the Russian Federation’s Ministry of Digital Development, Telecommunications, and Mass Communications as a fix for the Log4Shell vulnerability.
Most of the related emails, according to Malwarebytes, were sent to employees of RT, a state-owned Russian television network.
Those emails included a PDF with instructions for installing the Log4j patch, as well as warnings such as “do not open or reply to questionable emails.”
The translated phishing document reads, “Taking into account the use by cybercriminals of certain software and server-type vulnerabilities to gain access to user information, a software patch was released to update a Windows 10 system that closes the vulnerability CVE-2021-44228 (severity level 10.0),” as shown below.
The third campaign spoofed Rostec, a Russian state-owned defense conglomerate, with the actors using freshly registered domains such as “Rostec.digital” and phony Facebook pages to spread malware that appeared to come from the real entity.
Finally, in April 2022, the Chinese hackers used a macro-infected Word document with a bogus job advertisement from Saudi Aramco, a major oil and gas company.
Remote template injection was used to fetch the malicious template and drop the VBS script onto the machines of candidates applying for the “Strategy and Growth Analyst” position.
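Remote template injection works because a .docx can declare its attached template through a package relationship whose target is an external URL, which Word fetches (and executes macros from) on open. The check below, an added example and not code from the Malwarebytes report, builds a minimal constructed .docx in memory and then inspects its relationships for an external attachedTemplate target; the URL used is a placeholder, not an indicator from the campaign.

```python
"""Detect remote template injection in a .docx by inspecting word/_rels/settings.xml.rels.

Added example; the sample document is constructed here in memory, and the
placeholder URL is not a real indicator of compromise.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def build_sample_docx(template_target: str, external: bool) -> bytes:
    """Constructed sample: the minimum package parts needed to exercise the check."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"'
        + (' TargetMode="External"' if external else "")
        + "/></Relationships>"
    )
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:settings xmlns:w="{WORD_NS}" xmlns:r="{OFFICE_REL_NS}">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def find_remote_templates(docx_bytes: bytes) -> list[str]:
    """Return external URLs that the document's settings reference as its attached template.

    A local template (Normal.dotm, no TargetMode="External") is benign and not reported.
    """
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/_rels/settings.xml.rels" not in names or "word/settings.xml" not in names:
            return hits
        # Collect the relationship ids that settings.xml actually uses for the template.
        settings_root = ET.fromstring(z.read("word/settings.xml"))
        used_ids = {
            el.get(f"{{{OFFICE_REL_NS}}}id")
            for el in settings_root.iter(f"{{{WORD_NS}}}attachedTemplate")
        }
        rels_root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in rels_root.iter(f"{{{REL_NS}}}Relationship"):
            if (
                rel.get("Type") == ATTACHED_TEMPLATE
                and rel.get("TargetMode") == "External"
                and rel.get("Id") in used_ids
            ):
                hits.append(rel.get("Target", ""))
    return hits


if __name__ == "__main__":
    malicious = build_sample_docx("http://template.example.invalid/job.dotm", external=True)
    benign = build_sample_docx("Normal.dotm", external=False)
    print("malicious:", find_remote_templates(malicious))
    print("benign:", find_remote_templates(benign))
```

The same relationship check applies to other OOXML parts that can reach out (for example oleObject relationships in word/_rels/document.xml.rels), but the attachedTemplate path is the one this campaign's lure relied on.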
Custom payload for stealth
Malwarebytes was able to recover samples of the dropped payload from all four campaigns and discovered that it is essentially the same DLL with different names in each case.
Control flow flattening using OLLVM and string obfuscation by XOR encoding are among the anti-analysis tactics used by the malware.
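XOR string obfuscation hides C2 domains from a plain strings dump but not from an analyst who brute-forces the key. The script below is an added example, not the sample's own decoding routine: it builds a constructed blob in which the three C2 domains named later in this article are XOR-encoded with a single-byte key (an assumption; the real payload's key length is not given on the page), then recovers the key by trying all 256 values and scoring each decode on how many runs look like domain names.

```python
"""Recover a single-byte XOR key from a blob by scoring decoded strings as domains.

Added example. The blob is constructed here; the key length (one byte) is an assumption.
"""
import re

DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Constructed sample: a few padding bytes, then the domains from the report,
# each terminated by 0xFF, all XORed with the same byte.
SAMPLE_KEY = 0x5A
SAMPLE_STRINGS = [b"windowsipdate.com", b"microsoftupdetes.com", b"mirror-exchange.com"]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_sample_blob() -> bytes:
    plain = bytes(range(16)) + b"\xff" + b"\xff".join(SAMPLE_STRINGS) + b"\xff"
    return xor_bytes(plain, SAMPLE_KEY)


def domain_like_runs(data: bytes) -> list[str]:
    """Printable runs (6+ chars) that parse as a dotted lowercase host name."""
    out = []
    for m in PRINTABLE_RUN.finditer(data):
        s = m.group().decode("ascii")
        if DOMAIN_RE.match(s):
            out.append(s)
    return out


def recover_xor_key(blob: bytes) -> tuple[int, list[str]]:
    """Try every single-byte key; keep the one yielding the most domain-like strings."""
    best_key, best_hits = 0, []
    for key in range(1, 256):
        hits = domain_like_runs(xor_bytes(blob, key))
        if len(hits) > len(best_hits):
            best_key, best_hits = key, hits
    return best_key, best_hits


if __name__ == "__main__":
    key, domains = recover_xor_key(build_sample_blob())
    print(f"key=0x{key:02x} domains={domains}")
```

Scoring on decoded content rather than on the key itself is what makes this usable when the key is unknown; for multi-byte keys the same idea applies per key position, with the key length first guessed from the blob's periodicity.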
The following are the commands the C2 can request from the payload:
upload – accept a file from the C2 and write it to the host’s disk
getcomputername – profile the host and assign it a unique ID
execute – run a command-line instruction from the C2 and respond with the result
exit – kill the malware process
ls – list all files in a given directory and send the list to the C2
“windowsipdate[.]com,” “microsoftupdetes[.]com,” and “mirror-exchange[.]com” were among the C2 domains detected by Malwarebytes.
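All three C2 domains are typosquats of Microsoft update infrastructure, which is the kind of lookalike that an edit-distance check against a short list of brand labels catches cheaply. The script below is an added example, not part of the Malwarebytes report; the list of legitimate labels it compares against is an assumption for illustration. Note that it flags the two Windows/Microsoft lookalikes but, as the last case shows, says nothing about “mirror-exchange[.]com”, which resembles no brand label and needs a different signal (registration age, hosting, certificate history).

```python
"""Flag lookalike domains by Levenshtein distance to known brand labels.

Added example. BRAND_LABELS is an assumed list for illustration, not a vendor's list.
"""
from typing import Optional

BRAND_LABELS = ["windowsupdate", "microsoftupdate", "microsoft", "windows"]


def refang(domain: str) -> str:
    """Turn the report's defanged form (example[.]com) back into a parsable name."""
    return domain.replace("[.]", ".").lower().strip(".")


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, max_dist: int = 2) -> Optional[tuple[str, int]]:
    """Return (closest brand label, distance) when the second-level label is a near miss.

    Exact matches are not lookalikes; distances above max_dist are ignored.
    """
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    best: Optional[tuple[str, int]] = None
    for brand in BRAND_LABELS:
        d = levenshtein(sld, brand)
        if 0 < d <= max_dist and (best is None or d < best[1]):
            best = (brand, d)
    return best


if __name__ == "__main__":
    for ioc in ["windowsipdate[.]com", "microsoftupdetes[.]com", "mirror-exchange[.]com"]:
        print(ioc, "->", lookalike(ioc))
```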
Hacking on other hackers
The infrastructure is what points to this new APT being a Chinese outfit, but Malwarebytes remains skeptical of that attribution.
The threat actor has evidently tried to obscure its own distinguishing traces by impersonating other hacking groups and reusing their tooling.
Parts of the infrastructure were previously tied to the Sakula RAT, which was utilized by the Chinese APT Deep Panda.
Another intriguing observation is that the new APT used the same macro builder as TrickBot and BazarLoader for the Saudi Aramco wave.
Finally, there’s the use of the wolfSSL library, which is usually only encountered in Lazarus or Tropic Trooper campaigns.