New Delhi: After identifying and blocking an ongoing surveillance operation targeting a Southeast Asian government, cyber security firm Check Point Research (CPR) has issued a warning about a new cyber espionage weapon being employed by a Chinese threat group.
According to CPR's research, the attackers established a previously undiscovered backdoor in the Windows systems running on the victims' PCs over the course of three years, providing live espionage capabilities such as taking screenshots, altering files and executing commands.
The attackers started by mailing weaponized documents to numerous members of the target government's Ministry of Foreign Affairs, masquerading as other entities within the same administration.
How It Works:
Malicious documents (.docx) were delivered to several employees of a government organisation in Southeast Asia to start the campaign. The emails were spoofed to appear as if they came from other government-related organisations. Their attachments were weaponized versions of official-looking documents that used the remote template technique to download the next-stage malware, containing the malicious code, from the attacker's server. Microsoft's remote template feature allows a document, when opened, to fetch its template from a remote server.
The CPR report said all of the evidence suggests a well-organised operation that made a concerted effort to stay under the radar. Every few weeks, the attackers sent spear-phishing emails carrying weaponized versions of government-themed documents in an attempt to gain access to the target country's Ministry of Foreign Affairs. To obtain those documents, the attackers first had to compromise another agency within the targeted state, stealing its papers and weaponizing them for use against the Ministry of Foreign Affairs. The attackers, who are believed to be a Chinese threat group, were extremely methodical in their approach.
CPR's investigation eventually led to the discovery of a new Windows backdoor, or cyber espionage weapon, that the Chinese threat group has been working on since 2017. Before it was used in the wild, the backdoor was built and rebuilt several times over a period of three years. This backdoor is significantly more intrusive than the earlier tooling, and it can collect a large quantity of data from an infected machine. CPR found that the attackers are not only interested in stored data; they also want to see what is happening on the target's computer right now, which amounts to live espionage.
The backdoor capabilities of this malware include the ability to:
- Delete, create, rename, read and write files, and get file attributes
- Get process and service information
- Get screenshots
- Pipe read/write: run commands through cmd.exe
- Create and terminate processes
- Shut down the PC