A Chinese threat group has been fingered by researchers at Check Point Software as the culprit behind a new cyber espionage weapon after the cyber security provider identified and blocked an ongoing surveillance operation targeting an unnamed Southeast Asian government.
It is believed that over the course of three years the attackers developed a previously unknown Windows backdoor, planted on victims' PCs, that enables live espionage such as taking screenshots, editing files and running commands, according to Check Point Research, the vendor's cyber threat intelligence team.
The evidence collated by Check Point Research suggests a highly organised operation that has placed significant effort in remaining under the radar.
Every few weeks, the security team noted, the attackers sent spear-phishing emails carrying weaponised versions of government-themed documents in an attempt to gain a foothold in the target country's Ministry of Foreign Affairs.
This implies that the attackers first had to compromise another department of the same state, stealing genuine documents and weaponising them for use against the country's Ministry of Foreign Affairs, according to Check Point's research team.
Check Point Research's investigation led to the discovery of a new cyber espionage weapon in the form of a previously unseen Windows backdoor, which the threat group is believed to have been developing since 2017.
The backdoor was revised repeatedly over those three years before it was used in the wild, becoming far more intrusive and capable of collecting a vast amount of data from an infected computer.
"The attackers, believed to be a Chinese threat group, systematically sent weaponised documents that impersonated other entities within the same government to multiple members of the target government's Ministry of Foreign Affairs," Check Point Research said in a blog post.
The company said it suspects that the purpose of the operation was espionage, carried out by installing the previously unknown backdoor on victims' Windows computers.
“After the backdoor is installed, the attackers can collect nearly any information they want, as well as take screenshots and execute additional malware on a target’s personal computer,” the researchers said.
According to Check Point Research, the infection chain began with email: malicious .docx files were sent to various employees of the unnamed Southeast Asian government entity, with the senders spoofed to look like other government-related entities.
The attachments were weaponised copies of legitimate-looking official documents that used the 'remote template' technique to pull the next stage, containing the malicious code, from the attacker's server.
"Remote template is a feature by Microsoft that allows one to pull a template for the document from a remote server whenever the user opens the document," the company noted.
In all the cases observed by Check Point researchers, the remote templates were Rich Text Format (RTF) files, a format designed to let users exchange text documents between different word processors and operating systems.
According to the Check Point Research blog, the RTF files were weaponised with a variant of a tool named RoyalRoad, which lets an attacker build customised documents with embedded objects that exploit vulnerabilities in the Equation Editor component used by Microsoft Word.
These vulnerabilities, the best known of which is CVE-2017-11882, are a few years old, the company said, but they are still used by multiple attack groups and are especially popular with Chinese advanced persistent threat (APT) groups.
However, the initial documents and RTF files were only the start of an elaborate multi-stage infection chain. At the final stage, for example, the malicious loader downloads, decrypts and loads a DLL (dynamic link library) file directly into memory.
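The two lure formats described above, a .docx that points at a remote template and an RTF carrying an Equation Editor OLE object, can both be triaged statically without opening them in Word. The script below is an added example written for this article, not Check Point's tooling, and it does not reproduce any indicator from the report: the template URL, the `triage` and `build_sample_docx` names and the sample RTF are all constructed here for illustration. It inspects the `.rels` parts of the OOXML package for an external `attachedTemplate` relationship (the hook Word resolves on open) and scans RTF for `\objclass`, `\objupdate` and `\objdata` control words, which is what an Equation Editor exploit document needs in order to activate its embedded object.

```python
"""Static triage for remote-template .docx lures and Equation Editor RTF lures.
Added example; the sample documents are constructed below, not real lures."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses for an attached (possibly remote) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
PKG_REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def find_remote_templates(docx_bytes):
    """Return (rels_part, target) for every external attachedTemplate relationship.

    The body of a remote-template lure is benign; the hook is a Relationship in
    word/_rels/settings.xml.rels with TargetMode="External", which Word resolves
    (and fetches) when the document is opened.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(part))
            except ET.ParseError:
                continue
            for rel in root.iter(PKG_REL_NS + "Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append((part, rel.get("Target")))
    return hits


# \objclass is followed by the OLE ProgID; builders often mix its case.
OBJCLASS = re.compile(rb"\\objclass\s*([^\\{}\s]+)", re.IGNORECASE)


def triage_rtf(rtf_bytes):
    """Flag RTF constructs that an Equation Editor exploit document relies on."""
    data = rtf_bytes.lstrip()
    classes = [m.group(1) for m in OBJCLASS.finditer(data)]
    return {
        # Word accepts a truncated "{\rt" header; builders use it to dodge naive checks.
        "truncated_header": data.startswith(b"{\\rt") and not data.startswith(b"{\\rtf1"),
        "object_classes": classes,
        # Equation.2 / Equation.3 ProgIDs load the vulnerable Equation Editor.
        "equation_editor_object": any(b"equation" in c.lower() for c in classes),
        # \objupdate makes Word activate the object on open, no click required.
        "auto_update_object": b"\\objupdate" in data,
        "embedded_objdata_count": data.count(b"\\objdata"),
    }


def triage(document_bytes):
    """Dispatch on the container: OOXML zip (.docx) or RTF."""
    if document_bytes.startswith(b"PK"):
        return {"remote_templates": find_remote_templates(document_bytes)}
    if document_bytes.lstrip().startswith(b"{\\rt"):
        return triage_rtf(document_bytes)
    return {}


# --- constructed samples (assumed URL and content; not indicators from the report) ---
def build_sample_docx(template_url="http://template.example.invalid/lure.dotm"):
    """Minimal .docx whose settings part attaches a remote template."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed RTF: truncated header, auto-updating Equation Editor object, stub objdata.
SAMPLE_RTF = (b"{\\rt{\\object\\objemb\\objupdate{\\*\\objclass eQuAtIoN.3}"
              b"{\\*\\objdata 0105000002000000}}}")

if __name__ == "__main__":
    print(triage(build_sample_docx()))
    print(triage(SAMPLE_RTF))
```

The docx check never fetches the target, so it is safe to run over a mail-gateway quarantine; an external `attachedTemplate` pointing at an http(s) host is a strong enough signal on its own to hold the message. For RTF, the combination of an Equation ProgID with `\objupdate` is the interesting pairing, since a benign equation object has no reason to auto-activate.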
Over the course of their investigations, the researchers learned that the attackers are interested not only in data already stored on the machine, but also in what is happening on the target's computer at any given moment, resulting in live espionage.
Although Check Point Research was able to block the surveillance operation for the unnamed Southeast Asian government mentioned in the vendor’s blog post, it is possible that the threat group is using its new cyber espionage weapon on other targets around the world.
The research comes as Microsoft works to bring together Asian nations to fight regional cyber threats, with policy makers from Brunei, Indonesia, Korea, Malaysia, the Philippines, Singapore and Thailand joining the vendor's freshly launched Asia Pacific Public Sector Cyber Security Executive Council in a bid to fight cyber threats in the region.
At least 15 policy makers from the countries listed above have become part of the council, which is supported by cyber security professionals from Microsoft.
The vendor’s goal, ostensibly, is to bring together a coalition of policy makers from government and state agencies, as well as technology and industry leaders, with the aim of building a strong communications channel for addressing cyber threats and sharing best practices across the participating countries.