An APT group was recently discovered using the coronavirus pandemic to spread its malware as part of spear-phishing campaigns.
The world is currently experiencing an exceptional situation due to the Covid-19 coronavirus pandemic. To try to stop the spread of the virus, a large number of companies around the world have switched to remote (work-from-home) working. This circumstance has greatly expanded the attack surface, which is a big problem for companies in terms of information security, since they now need to establish strict rules and take
However, the expanded attack surface is not the only cyber risk that has emerged in the past few days: many cybercriminals are actively exploiting this global uncertainty to launch phishing campaigns, distribute malware, and threaten the information security of many companies.
APT uses the pandemic
Late last week, an Advanced Persistent Threat (APT) group dubbed Vicious Panda was discovered and has been campaigning to
So far, this campaign has been directed against the Mongolian public sector, and according to a number of Western experts, it represents the latest attack in the ongoing Chinese operation against various governments and organizations around the world. What sets this campaign apart is that it uses the new global situation around the coronavirus to infect its potential victims more effectively.
The phishing email looks like it was sent from the Mongolian Ministry of Foreign Affairs and claims to contain information about the number of people infected with the virus. To weaponize the attached file, the attackers used RoyalRoad, a tool popular among Chinese threat actors that builds custom documents with embedded objects exploiting vulnerabilities in the Equation Editor, the component integrated into MS Word for creating complex equations.
Persistence techniques
Once the victim opens the malicious RTF file, the exploit abuses a Word vulnerability to download a malicious file (intel.wll) into the Word startup folder (`%APPDATA%\Microsoft\Word\STARTUP`). Word loads every add-in found in that folder when it starts, so this method not only makes the threat persistent, but also prevents the full infection chain from detonating in a sandbox, because Word must be restarted before the malware runs.
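As an added example (not code from the original article or from the researchers who analysed the campaign), the following Python routine flags the persistence technique above in file-creation telemetry: a Word add-in written into a Word STARTUP folder, rated highest when the writing process is winword.exe itself, which is what a document exploit looks like. The Sysmon-style event format, field names and sample paths are assumptions constructed for the example.

```python
import json
import re
from pathlib import PureWindowsPath

# Word loads every *.wll add-in in its STARTUP folders when it starts, so a
# file dropped there survives reboots and only fires on the next launch.
# %APPDATA% expands to C:\Users\<user>\AppData\Roaming; the second pattern
# is the per-installation Office startup folder.
STARTUP_PATTERNS = [
    re.compile(r"\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\", re.I),
    re.compile(r"\\Microsoft Office\\root\\Office\d+\\STARTUP\\", re.I),
]
ADDIN_EXTENSIONS = {".wll", ".dotm", ".dot", ".dll"}  # what Word will load

def is_word_startup_path(path):
    return any(p.search(path) for p in STARTUP_PATTERNS)

def classify_event(event):
    """Severity for one Sysmon-style FileCreate (Event ID 11) record, or None."""
    target = event.get("TargetFilename", "")
    if not is_word_startup_path(target):
        return None
    if PureWindowsPath(target).suffix.lower() not in ADDIN_EXTENSIONS:
        return "info"  # odd location, but not something Word will execute
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    # Word writing an add-in into its own startup folder is exactly what a
    # document exploit does; an installer doing so is more often legitimate.
    return "high" if image == "winword.exe" else "medium"

def scan(lines):
    """Parse JSON-lines events and return (severity, path) for each hit."""
    hits = []
    for line in filter(None, (s.strip() for s in lines)):
        event = json.loads(line)
        severity = classify_event(event)
        if severity:
            hits.append((severity, event["TargetFilename"]))
    return hits

# Constructed sample telemetry (not real logs), one JSON object per line.
SAMPLE_EVENTS = [
    r'{"EventID":11,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","TargetFilename":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\intel.wll"}',
    r'{"EventID":11,"Image":"C:\\Windows\\System32\\msiexec.exe","TargetFilename":"C:\\Program Files\\Microsoft Office\\root\\Office16\\STARTUP\\vendor.dotm"}',
    r'{"EventID":11,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","TargetFilename":"C:\\Users\\alice\\Documents\\report.docx"}',
    r'{"EventID":11,"Image":"C:\\Windows\\explorer.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\readme.txt"}',
]
```

`scan(SAMPLE_EVENTS)` returns three hits: the intel.wll drop by Word rated high, the installer-written template rated medium, and the text file rated info; the ordinary .docx save is ignored.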
The intel.wll file then loads a DLL that is used to fetch the malware and communicate with the attacker's command-and-control (C2) server. The C2 server is only online for a strictly limited window each day, which makes it difficult to analyze and reach the more complex parts of the infection chain.
Despite this, the researchers were able to establish that in the first stage of this chain, immediately after the appropriate command is received, the RAT is downloaded and decrypted and the DLL is loaded into memory. The plugin-like architecture suggests that there are other modules in addition to the payload seen in this campaign.
Protective measures against the new APT
This malicious campaign has many tricks to infiltrate the systems of its victims and then compromise their information security. To protect against such campaigns, it is important to take a number of measures.
The first of them is extremely important: employees must be attentive and careful when handling incoming email. Email is one of the main attack vectors, yet almost no company can do without it. If you receive an email from an unknown sender, it is best not to open it, and if you do open it, do not open any attachments or click on any links.
To compromise the information security of its victims, this attack exploits a vulnerability in Word. In fact, unpatched vulnerabilities cause
To eliminate these problems, there are solutions specifically designed to identify,
The solution can immediately start installing the required patches and updates, or you can schedule their installation from the centralized management web console, isolating unpatched computers if necessary. Thus, the administrator can manage patches and updates to keep the company running smoothly.
Unfortunately, the cyber attack in question will certainly not be the last to take advantage of the current global coronavirus situation to compromise the information security of businesses.
Source: habr.com