APT uses coronavirus to distribute malware


An Advanced Persistent Threat (APT) group was recently discovered using the coronavirus pandemic to spread its malware through spear-phishing campaigns.

The world is currently experiencing an exceptional situation due to the Covid-19 coronavirus pandemic. To slow the spread of the virus, a large number of companies around the world have switched to remote work. This has greatly expanded the attack surface, which is a serious information-security problem for companies: they now need to establish strict rules and take a number of measures to keep the business and its IT systems running.

However, the expanded attack surface is not the only cyber risk that has emerged in the past few days: many cybercriminals are actively exploiting this global uncertainty to launch phishing campaigns, distribute malware, and threaten the information security of many companies.

APT uses the pandemic

Late last week, an Advanced Persistent Threat (APT) group dubbed Vicious Panda was discovered running a spear-phishing campaign that uses the coronavirus pandemic to spread its malware. The email told the recipient that it contained information about the coronavirus, but in fact it carried two malicious RTF (Rich Text Format) files. If the victim opened these files, a Remote Access Trojan (RAT) was launched which, among other things, can take screenshots, list files and directories on the victim's computer, and download files.

So far, this campaign has been directed against the Mongolian public sector, and according to a number of Western experts it is the latest attack in an ongoing Chinese operation against various governments and organizations around the world. What distinguishes this campaign is that it exploits the new global situation around the coronavirus to infect its potential victims more actively.

The phishing email looks as if it was sent from the Mongolian Ministry of Foreign Affairs and claims to contain information about the number of people infected with the virus. To weaponize this file, the attackers used RoyalRoad, a tool popular among Chinese threat actors that lets them build custom documents with embedded objects that exploit vulnerabilities in the Equation Editor, the component integrated into MS Word for composing complex equations.
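The detection side of the technique just described can be illustrated with a small triage script. It is an added example, not code from the researchers or from the article: it parses an RTF document as text, lists the OLE object classes declared with `\objclass`, decodes the hex `\objdata` streams, and flags any object tied to the legacy Equation Editor (class name `Equation.3` or `Equation.2`) or marked `\objupdate`, which forces the object to be refreshed when the document is rendered. It also handles the edge case where the `\objclass` group is missing and the class name survives only inside the OLE stream. The sample RTF strings are constructed for the demo and carry no exploit content.

```python
import re

# Constructed sample documents for this demo; they are not files from the campaign.
BENIGN_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    r"\f0\fs22 Quarterly figures are attached.\par}"
)

SUSPICIOUS_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    r"\f0\fs22 Coronavirus infection statistics.\par"
    r"{\object\objemb\objupdate\objw1000\objh500{\*\objclass Equation.3}"
    r"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}}"
)

# Same object with the \objclass group stripped: the class name now survives only
# as ASCII ("Equation.3") inside the hex-encoded OLE1 stream.
NO_CLASS_RTF = SUSPICIOUS_RTF.replace(r"{\*\objclass Equation.3}", "")

# OLE class names registered by the legacy Equation Editor component.
EQUATION_CLASSES = {"equation.3", "equation.2"}

OBJCLASS_RE = re.compile(r"\\\*\\objclass\s+([^\s{}\\]+)")
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9a-fA-F\s]+)")
OBJUPDATE_RE = re.compile(r"\\objupdate\b")


def decode_objdata(hex_blob: str) -> bytes:
    """Decode the hex payload of one \\objdata group; malformed hex yields b''."""
    compact = re.sub(r"\s+", "", hex_blob)
    if len(compact) % 2:          # tolerate a truncated trailing nibble
        compact = compact[:-1]
    try:
        return bytes.fromhex(compact)
    except ValueError:
        return b""


def triage_rtf(text: str) -> dict:
    """Summarise embedded objects in one RTF document and return a verdict."""
    findings = []
    is_rtf = text.lstrip().startswith("{\\rtf")
    if not is_rtf:
        findings.append("no RTF header")

    classes = OBJCLASS_RE.findall(text)
    blobs = [decode_objdata(h) for h in OBJDATA_RE.findall(text)]
    if blobs:
        findings.append(f"{len(blobs)} embedded OLE object(s)")

    eq_names = [c for c in classes if c.lower() in EQUATION_CLASSES]
    if eq_names:
        findings.append("Equation Editor object class: " + ", ".join(eq_names))

    # Edge case: no \objclass, but the OLE1 stream still names the class in ASCII.
    blob_marker = not eq_names and any(b"equation" in b.lower() for b in blobs)
    if blob_marker:
        findings.append("Equation Editor marker inside \\objdata (no \\objclass)")

    if OBJUPDATE_RE.search(text):
        findings.append("\\objupdate set: object is refreshed on open")

    if eq_names or blob_marker:
        verdict = "block"
    elif blobs or not is_rtf:
        verdict = "review"
    else:
        verdict = "allow"
    return {"object_classes": classes, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF),
                      ("no-objclass", NO_CLASS_RTF)]:
        result = triage_rtf(doc)
        print(f"{name}: {result['verdict']} -> {result['findings']}")
```

A mail gateway or sandbox pre-filter would run `triage_rtf` over each attachment and quarantine anything that returns `block`; `review` covers documents with embedded objects of other classes, which are uncommon in legitimate mail from unknown senders.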

Persistence Techniques

Once the victim opens the malicious RTF files, the exploit in Microsoft Word downloads a malicious file (intel.wll) into the Word startup folder (%APPDATA%\Microsoft\Word\STARTUP). This method not only makes the threat persistent, but also prevents the full infection chain from detonating inside a sandbox, because Word must be restarted before the malware runs completely.
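Because Word loads every .wll add-in and global template it finds in that STARTUP folder, auditing the folder is a cheap detection control for this persistence technique. The script below is an added example, not code from the article or the researchers: it resolves the per-user folder from %APPDATA% on Windows, lists auto-loaded files that are not on an administrator-maintained allowlist, and checks that a .wll really carries a PE ("MZ") header. Off Windows, or for testing, it audits a constructed sample folder containing a dropped `intel.wll`, an approved template and an unrelated file; the file names other than intel.wll, the allowlist and the byte contents are assumptions for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Iterable, Optional

# File types Word loads automatically from its STARTUP folder: .wll is a native
# add-in (a renamed DLL); .dot/.dotm are global templates that may carry macros.
AUTOLOAD_EXTENSIONS = {".wll": "high", ".dotm": "medium", ".dot": "medium"}


def word_startup_folder() -> Optional[Path]:
    """Resolve %APPDATA%\\Microsoft\\Word\\STARTUP for the current user (Windows only)."""
    appdata = os.environ.get("APPDATA")
    return Path(appdata) / "Microsoft" / "Word" / "STARTUP" if appdata else None


def is_pe_image(path: Path) -> bool:
    """A .wll is really a Windows DLL, so a genuine one starts with the 'MZ' header."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def audit_startup_folder(folder: Path, allowlist: Iterable[str] = ()) -> list:
    """Return one finding per auto-loaded file that is not on the allowlist."""
    allowed = {name.lower() for name in allowlist}
    findings = []
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if not entry.is_file():
            continue
        ext = entry.suffix.lower()
        severity = AUTOLOAD_EXTENSIONS.get(ext)
        if severity is None or entry.name.lower() in allowed:
            continue
        findings.append({
            "file": entry.name,
            "severity": severity,
            "size": entry.stat().st_size,
            "pe_image": is_pe_image(entry) if ext == ".wll" else None,
        })
    return findings


def build_sample_folder() -> Path:
    """Create a constructed STARTUP folder in a temp dir: one dropped add-in, one
    approved template and one unrelated file. The 'MZ' bytes only mimic a DLL header."""
    folder = Path(tempfile.mkdtemp()) / "STARTUP"
    folder.mkdir()
    (folder / "intel.wll").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)      # constructed
    (folder / "CompanyMacros.dotm").write_bytes(b"PK\x03\x04" + b"\x00" * 20)  # constructed
    (folder / "readme.txt").write_text("not loaded by Word")               # constructed
    return folder


if __name__ == "__main__":
    target = word_startup_folder()
    if target is None or not target.is_dir():
        # No Windows profile available: audit the constructed sample instead.
        target = build_sample_folder()
    for f in audit_startup_folder(target, allowlist=["CompanyMacros.dotm"]):
        print(f"[{f['severity']}] {f['file']} ({f['size']} bytes, PE={f['pe_image']})")
```

Run on a fleet, the same check belongs in a scheduled inventory job (the allowlist being the set of templates IT actually deploys), and any new .wll in a user's STARTUP folder is a strong signal precisely because, as the text notes, the implant only completes once Word restarts and loads it.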

The intel.wll file then loads a DLL that is used to fetch the malware and communicate with the attackers' command-and-control server. The control server operates only for a strictly limited window each day, which makes it difficult to analyze and reach the more complex parts of the infection chain.

Despite this, the researchers were able to establish that in the first stage of the chain, immediately after the appropriate command is received, the RAT is downloaded and decrypted and a DLL is loaded into memory. The plugin-like architecture suggests that there are other modules in addition to the payload seen in this campaign.

Protective measures against the new APT

This malicious campaign uses many tricks to infiltrate its victims' systems and then compromise their information security. Protecting against such campaigns requires a number of measures.

The first is essential: employees must be attentive and careful when handling email. Email is one of the main attack vectors, yet almost no company can do without it. If you receive an email from an unknown sender, it is best not to open it, and if you do open it, do not open any attachments or click any links.

To compromise its victims' information security, this attack exploits a vulnerability in Word. In fact, unpatched vulnerabilities are behind the success of many cyber attacks, and together with other security issues they can lead to major data breaches. That is why it is so important to apply the appropriate patch and close the vulnerability as soon as possible.

To address these problems, there are solutions designed specifically to identify, manage and install patches. Such a module automatically searches for the patches needed to secure the company's computers, prioritizes the most urgent updates and schedules their installation. Patches awaiting installation are reported to the administrator, including when exploits or malware have been detected.

The solution can begin installing the required patches and updates immediately, or their installation can be scheduled from the centralized management web console, isolating unpatched computers if necessary. In this way the administrator can manage patches and updates while keeping the company running smoothly.

Unfortunately, the cyber attack in question will certainly not be the last to take advantage of the current global coronavirus situation to compromise the information security of businesses.

Source: habr.com
