A new backdoor linked to Chinese threat actors is being used in cyberespionage campaigns. Researchers determined that the malware was designed, developed, tested, and deployed over the past three years.
The Check Point Research (CPR) team stated that the backdoor was built to compromise Windows systems at the Ministry of Foreign Affairs of a Southeast Asian government. CPR attributes the campaign to the Chinese APT group SharpPanda.
The campaign started with spear-phishing emails impersonating various government departments, which tricked users into opening weaponized, official-looking documents.
When a victim opens one of these files, the document retrieves a remote RTF template generated with Royal Road, an RTF weaponizer.
Royal Road exploits a set of vulnerabilities in Microsoft Word's Equation Editor tracked as CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802. All three were patched in late 2017 and early 2018, and Microsoft removed the Equation Editor component entirely with the January 2018 update, so this stage only succeeds against Office installations that are years behind on patches.
CPR says that Royal Road is especially popular with Chinese advanced persistent threat groups.
The shellcode and encrypted payload carried by the RTF then create a scheduled task, run timing-based anti-sandbox checks, and drop a downloader for the backdoor. The backdoor, named VictoryDll_x86.dll, lets the attacker covertly exfiltrate data to a command-and-control (C2) server and observe the victim in real time.
Other capabilities let the attacker create or terminate processes; delete, read or write files; harvest information on the OS, running processes, registry keys and services; shut the machine down; and more.
The backdoor can exfiltrate this data to a C2 and execute other malware payloads.
The first-stage C2 servers are located in Hong Kong and Malaysia, while the backdoor's C2 server is in the US.
The researchers assess that the backdoor was most likely developed by Chinese threat actors based on a specific operational schedule they observed: the C2 infrastructure was active only during a daily window consistent with working hours in China.
According to Finkelsteen, the attackers are also interested in listening in on a target’s computer:
“We learned that the attackers are not only interested in cold data, but also what is happening on a target’s personal computer at any moment, resulting in live espionage,” commented Lotem Finkelsteen, head of threat intelligence at CPR.
He added that it is possible the threat group is still carrying out similar activities against other countries as well:
“Although we were able to block the surveillance operation for the Southeast Asian government described, it’s possible that the threat group is using its new cyberespionage weapon on other targets around the world.”