A new backdoor was discovered on the Myanmar president’s website. A suspected Chinese cyber-espionage group planted a backdoor Trojan inside a localized Myanmar font package available to site visitors for download.
Slovak security firm ESET detected the intrusion on June 2, 2021, and notified the maintainers of the website.
Yesterday's intrusion is the second time the Myanmar president's office has been hacked in less than three years. Previously, it was attacked by a suspected Chinese cyber-espionage group and infected with a version of the EvilGrab malware between November 2014 and May 2015.
Yesterday's attack used a variety of malware strains seen in previous campaigns against Myanmar targets by a Chinese state-backed hacking group known under the monikers Mustang Panda, RedEcho, and Bronze President, researchers said. However, ESET has yet to attribute the attack to Mustang Panda with high confidence.
The group, which has a long history of attacking governments and organizations with well-crafted email-based attacks, this time modified a downloadable Unicode font package on the Myanmar president's website.
The attackers added a Cobalt Strike loader, a file named Acrobat.dll, which allows them to execute shellcode on the victim's machine:
“In the archive, attackers added a Cobalt Strike loader [named] Acrobat.dll, that loads a Cobalt Strike shellcode,” the ESET team wrote on Twitter yesterday.
This loader pinged back to a command and control server at 95.217.1[.]81, researchers said.
They also noted the malware loader samples were similar to those delivered as file attachments in spear-phishing emails in the past.
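As an added illustration (not ESET's tooling and not code from the article), the following Python checks a downloaded font archive for executable content hidden among font files, using a constructed stand-in for the trojanized package, and scans constructed proxy log lines for callbacks to the C2 address reported above. The archive layout, every file name other than Acrobat.dll, and the log format are assumptions.

```python
import io
import os
import zipfile

# Extensions a Unicode font package is expected to ship; anything else is suspect.
FONT_EXTENSIONS = {".ttf", ".otf", ".woff", ".woff2", ".txt"}
PE_MAGIC = b"MZ"  # every Windows DLL/EXE begins with this header
C2_INDICATOR = "95.217.1.81"  # C2 address reported by ESET (defanged on the page)

def build_sample_package() -> bytes:
    """Constructed stand-in for the trojanized font archive (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fonts/Pyidaungsu.ttf", b"\x00\x01\x00\x00" + b"\x00" * 60)  # TrueType magic
        zf.writestr("fonts/README.txt", b"Install the fonts in this folder.\n")
        zf.writestr("fonts/Acrobat.dll", PE_MAGIC + b"\x90" * 62)  # planted loader
        zf.writestr("fonts/Noto.ttf", PE_MAGIC + b"\x00" * 62)  # PE hiding behind a font name
    return buf.getvalue()

def find_suspicious_members(archive_bytes: bytes) -> list[tuple[str, str]]:
    """Flag members by content (MZ header) first, then by unexpected extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(2)
            ext = os.path.splitext(info.filename)[1].lower()
            if head == PE_MAGIC:
                findings.append((info.filename, "PE executable content"))
            elif ext not in FONT_EXTENSIONS:
                findings.append((info.filename, f"unexpected extension {ext or '(none)'}"))
    return findings

# Constructed proxy log lines, "timestamp client method url status" (not real traffic).
SAMPLE_PROXY_LOG = """\
2021-06-02T09:14:03Z 10.0.4.17 GET https://president-site.example/fonts/MyanmarFonts.zip 200
2021-06-02T09:16:41Z 10.0.4.17 POST http://95.217.1.81/ 200
2021-06-02T09:17:02Z 10.0.4.22 GET https://docs.example/ 200
"""

def hosts_contacting_c2(log_text: str, indicator: str = C2_INDICATOR) -> list[str]:
    """Return the internal clients whose requests went to the reported C2 address."""
    hosts = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and indicator in fields[3]:
            hosts.add(fields[1])
    return sorted(hosts)
```

The content check catches a PE file even when it is renamed to a font extension, which an extension-only filter would miss.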
The archive names found in the download, "NUG Meeting Report.zip," "Proposed Talking Points for ASEAN-Japan Summit.rar," "MMRS Geneva," "2021-03-11.lnk," and "MOHS-3-covid.rar," point to a targeted and stealthy cyber-espionage operation.
The website is still compromised and users are warned not to download and install any packages from it.