Hackers are targeting Russian government agencies with phishing emails that pretend to be Windows security updates and other lures to install remote access malware.
The attacks are being conducted by a previously undetected APT (advanced persistent threat) group believed to be operating from China, who are linked to four separate spear-phishing campaigns.
These operations spanned between February and April 2022, coinciding with the Russian invasion of Ukraine. Its targets have been government entities of the Russian Federation.
In all four cases, the ultimate goal of the campaigns was to infect the targets with a custom remote access trojan (RAT) which most likely aided in espionage operations.
The discovery and report come from analysts at the Malwarebytes Threat Intelligence team, who noticed the threat actors’ distinctive attempts to spoof other hacking groups and pass undetected.
The phishing campaigns
The first of the four campaigns attributed to this new APT began in February 2022, mere days after the Russian invasion of Ukraine, distributing the RAT under the name “interactive_map_UA.exe”.
For the second wave, the APT had more time to prepare something more sophisticated. They used a tar.gz archive that was supposed to be a fix for the Log4Shell vulnerability sent by the Ministry of Digital Development, Telecommunications, and Mass Communications of the Russian Federation.
According to Malwarebytes, this campaign had a narrow targeting as most of the associated emails reached employees of the RT TV station, a state-owned Russian television network.
Those emails contained a PDF with instructions on installing the Log4j patch and even included advice like “not to open or reply to suspicious emails”.
“Taking into account the use by cybercriminals of certain software and server-type vulnerabilities to gain access to user information, a software patch was released to update a Windows 10 system that closes the vulnerability CVE-2021-44228 (severity level 10.0),” reads the translated phishing document, as shown below.
The third campaign spoofs Rostec, a Russian state-owned defense conglomerate, and the actors used newly registered domains like “Rostec.digital” and fake Facebook accounts to spread their malware while making it look like it comes from the known entity.
Finally, in April 2022, the Chinese hackers switched to a macro-infected Word document containing a fake job advert by Saudi Aramco, a large oil and natural gas firm.
The document used remote template injection to fetch the malicious template and drop the VBS script onto candidates applying for the “Strategy and Growth Analyst” position.
Stealthy custom payload
Malwarebytes was able to retrieve samples of the dropped payload from all four campaigns and reports that in all cases, it is essentially the same DLL using different names.
The malware features anti-analysis techniques such as control flow flattening via OLLVM and string obfuscation using XOR encoding.
In terms of the commands that the C2 can request from the payload, these include the following:
getcomputername – profile the host and assign a unique ID
upload – receive a file from the C2 and write it onto the host’s disk
execute – execute a command-line instruction from the C2 and respond with the result
exit – terminate the malware process
ls – retrieve a list of all files under a specified directory and send it to the C2
The C2 domains discovered by Malwarebytes were “windowsipdate[.]com”, “microsoftupdetes[.]com”, and “mirror-exchange[.]com”.
Spoofing other hackers
The evidence that points to this new APT being a Chinese group stems from the infrastructure, but Malwarebytes’ confidence is low.
What is clear is the intention of the threat actor to hide its distinctive tracks by spoofing other hackers and using their malware tools.
For example, parts of the infrastructure used were previously linked to the Sakula RAT, used by the Deep Panda Chinese APT.
Another interesting finding is that the new APT used the same macro builder for the Saudi Aramco wave as TrickBot and BazarLoader.
Finally, there’s the deployment of the wolfSSL library, which is typically seen exclusively in Lazarus or Tropic Trooper campaigns.