Hackers are targeting Russian government agencies with phishing emails that pretend to be Windows security updates and other decoys to install remote access malware.
The attacks are being carried out by an as yet undetected APT (Advanced Persistent Threat) group believed to be operating from China, which is linked to four separate spear-phishing campaigns.
These operations took place between February and April 2022, coinciding with the Russian invasion of Ukraine. Its targets have been government entities of the Russian Federation.
In all four cases, the ultimate goal of the campaigns was to infect the targets with a custom remote access Trojan (RAT) which most likely aided in the espionage operations.
The discovery and report come from analysts on the Malwarebytes Threat Intelligence team, who noticed the distinctive attempts of threat actors to spoof other hacking groups and go undetected.
The first of four campaigns attributed to this new APT began in February 2022, just days after the Russian invasion of Ukraine, distributing the RAT as “interactive_map_UA.exe”.
For the second wave, the APT had more time to prepare something more sophisticated. They used a tar.gz archive supposed to be a patch for the Log4Shell vulnerability sent by the Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation.
According to Malwarebytes, this campaign had narrow targeting because most of the associated emails reached employees of the RT television station, a Russian state-owned television network.
These emails contained a PDF with instructions on installing the Log4j patch and even included advice such as “do not open or reply to suspicious emails”.
“Given cybercriminals’ use of certain software and server-type vulnerabilities to access user information, a hotfix has been released to update a Windows 10 system that closes vulnerability CVE-2021-44228 (level severity 10.0)” reads the translated phishing document, as shown below.
The third campaign impersonates Rostec, a Russian state-owned defense conglomerate, and the actors used newly registered domains like “Rostec.digital” and fake Facebook accounts to spread their malware while making it look like it comes from the known entity.
Finally, in April 2022, Chinese hackers moved on to a macro-infected Word document containing a fake job posting from Saudi Aramco, a major oil and gas company.
The document used remote model injection to retrieve the malicious model and drop the VBS script on candidates applying for the “strategy and growth analyst” position.
Stealth Custom Payload
Malwarebytes was able to retrieve samples of the deleted payload from all four campaigns and reports that in all cases it is essentially the same DLL using different names.
The malware uses anti-analysis techniques such as control flow flattening via OLLVM and string obfuscation using XOR encoding.
In terms of commands the C2 can request from the payload, these include the following:
- get computer name – profile the host and assign a unique ID
- Download – receive a file from C2 and write it to the host disk
- execute – run a command line statement from the C2 and respond with the result
- exit – end the malware process
- ls – retrieve a list of all files under a specified directory and send it to C2
The C2 domains discovered by Malwarebytes were “windowsipdate[.]com”, “microsoftupdetes[.]com” and “mirror-exchange[.]com”.
Spoofing other pirates
The evidence that this new APT is a Chinese group comes from the infrastructure, but Malwarebytes’ trust is low.
What is clear is the threat author’s intention to hide their distinctive tracks by impersonating other hackers and using their malicious tools.
For example, some parts of the infrastructure used were previously connected to the Sakula RAT, used by the Chinese APT Deep Panda.
Another interesting discovery is that the new APT used the same Saudi Aramco wave macro builder as TrickBot and BazarLoader.
Finally, there’s the deployment of the wolfSSL library, which is usually seen exclusively in Lazarus or Tropic Trooper campaigns.