Show Me Hacker
Chinese Hackers Exploit MS Word Vulnerability to Drop Malware
Researchers have discovered a new campaign in which a China-based APT group exploits fear around the coronavirus (COVID-19) to deliver a previously unknown piece of Windows malware.
The attack, attributed to a long-running APT group that has targeted government and private-sector organisations, uses the COVID-19 pandemic as the lure to infect its victims.
Evidence collected from the attack points to RoyalRoad, an RTF weaponizer first identified by Anomali and often referred to as the "8.t" RTF exploit builder, being used to arm the RTF documents. Here it is used to exploit vulnerabilities in Microsoft Word's Equation Editor.
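Documents built with RTF weaponizers of this kind carry the Equation Editor payload as an embedded OLE object, so a first triage step is to pull every `\object` group out of the RTF, decode its `\objdata` hex stream and look for the Equation Editor class name, stream name or CLSID. The script below is an added example written for this article, not code from Check Point or from the RoyalRoad builder; the sample RTF at the bottom is constructed for the demo (its native data is not an exploit, only the OLE markers an Equation Editor object would carry), and the simple brace matching does not handle escaped `\{` `\}` characters.

```python
"""Triage an RTF file for embedded OLE objects that target Equation Editor."""
import binascii
import re
import struct

# Microsoft Equation 3.0 CLSID {0002CE02-0000-0000-C000-000000000046},
# in the little-endian byte order used inside OLE streams.
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

# Byte patterns that an Equation Editor object leaves in decoded \objdata.
INDICATORS = {
    "class-name:Equation.3": b"Equation.3",                       # OLE1 class name
    "stream:Equation Native": "Equation Native".encode("utf-16-le"),  # OLE2 stream name
    "clsid:Equation-3.0": EQUATION_CLSID,
}

# RTF control words (\par, \objw380, ...) and control symbols (\*, \{, ...).
_CONTROL = re.compile(r"\\[a-zA-Z]+-?\d*\s?|\\[^a-zA-Z]")


def _rtf_groups(text, pattern):
    """Yield every brace group whose opening '{' is immediately followed by `pattern`."""
    for m in re.finditer(r"\{" + pattern, text):
        depth = 0
        for i in range(m.start(), len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield text[m.start():i + 1]
                    break


def _objdata_bytes(object_group):
    """Decode the hex stream of the {\\*\\objdata ...} group inside one \\object group."""
    for group in _rtf_groups(object_group, r"(?:\\\*)?\\objdata\b"):
        body = group[re.search(r"\\objdata\b", group).end():]
        body = _CONTROL.sub("", body)                 # drop control words slipped in as obfuscation
        hexchars = re.sub(r"[^0-9a-fA-F]", "", body)  # keep only the hex digits
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]
        return binascii.unhexlify(hexchars)
    return b""


def _objclass(object_group):
    m = re.search(r"\\objclass\s*([^\\{}\s]*)", object_group)
    return m.group(1) if m else ""


def triage_rtf(rtf_text):
    """Return one record per \\object group: declared class, decoded size and indicators hit."""
    findings = []
    for group in _rtf_groups(rtf_text, r"\\object\b"):
        data = _objdata_bytes(group)
        objclass = _objclass(group)
        hits = [name for name, needle in INDICATORS.items() if needle in data]
        if objclass.startswith("Equation"):
            hits.append("objclass:" + objclass)
        findings.append({"objclass": objclass, "size": len(data), "indicators": hits})
    return findings


def suspicious_objects(rtf_text):
    """Only the objects that show at least one Equation Editor indicator."""
    return [f for f in triage_rtf(rtf_text) if f["indicators"]]


# --- constructed sample document (not a real exploit) -----------------------
def _ole1_embedded_object(class_name, native_data):
    """Minimal OLE 1.0 embedded-object record, the layout Word writes into \\objdata."""
    name = class_name.encode("ascii") + b"\x00"
    header = struct.pack("<III", 0x00000501, 0x00000002, len(name)) + name
    header += struct.pack("<II", 0, 0)  # empty topic and item names
    return header + struct.pack("<I", len(native_data)) + native_data


def _hex_lines(data, width=64):
    h = binascii.hexlify(data).decode()
    return "\n".join(h[i:i + width] for i in range(0, len(h), width))


_EQ_NATIVE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE2 compound-file magic
              + "Equation Native".encode("utf-16-le") + EQUATION_CLSID)
_PKG_NATIVE = b"hello from a benign package object"

SAMPLE_RTF = (
    "{\\rtf1\\ansi\\deff0\n"
    "{\\object\\objemb\\objw380\\objh260{\\*\\objclass Equation.3}\n"
    "{\\*\\objdata\n" + _hex_lines(_ole1_embedded_object("Equation.3", _EQ_NATIVE)) + "\n}}\n"
    "{\\object\\objemb{\\*\\objclass Package}\n"
    "{\\*\\objdata\n" + _hex_lines(_ole1_embedded_object("Package", _PKG_NATIVE)) + "\n}}\n"
    "\\par Lure text about the new coronavirus infections.\\par\n}"
)

if __name__ == "__main__":
    for record in triage_rtf(SAMPLE_RTF):
        print(record)
```

Run it against a real document with `triage_rtf(open(path, encoding="latin-1").read())`; anything that reports an `objclass:` or `clsid:` indicator deserves a closer look, since a COVID-19 lure has no legitimate reason to embed an Equation Editor object.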
Some of the malicious documents were written in Mongolian; one of them purports to come from the Mongolian Ministry of Foreign Affairs and contains information about new coronavirus infections.
Infection Vectors
Once the victim opens the malicious RTF document, the Microsoft Word vulnerability is exploited and a file named intel.wll is dropped into the Word Startup folder.
This is a persistence technique seen in newer versions of the RoyalRoad weaponizer: Word loads every DLL carrying a .wll extension from its Startup folder each time the application is launched, so the infection chain is triggered again on every start of Word.
The same trick also hampers sandbox analysis: because the next stage only runs after Word is relaunched, an automated sandbox that opens the document once never observes the rest of the infection chain.
Once intel.wll is loaded, it downloads and decrypts the next stage of the infection chain from the C2 server at 95.179.242[.]6.
That next stage is also a DLL; it acts as the main loader of the malware framework developed by the APT group and retrieves additional functionality from other C2 servers.
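Because a .wll is simply a renamed DLL that Word loads from its Startup folders, hunting for this persistence comes down to listing those folders, confirming each .wll is really a PE DLL and comparing hashes against an allow-list. The script below is an added example for this article, not Check Point's tooling: the Startup paths are the documented defaults (the registry STARTUP-PATH override is not read), `known_good` is an empty placeholder the reader fills with their own hashes, and the stub DLL used by `demo()` is constructed for the test and is not a loadable image.

```python
"""Hunt for Word add-ins (*.wll) in the Word Startup folders."""
import hashlib
import os
import struct
import tempfile
from pathlib import Path

IMAGE_FILE_DLL = 0x2000  # Characteristics bit in IMAGE_FILE_HEADER


def default_startup_dirs():
    """Per-user and per-install Word Startup folders (default locations only)."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft" / "Word" / "STARTUP")
    for var in ("ProgramFiles", "ProgramFiles(x86)"):
        root = os.environ.get(var)
        if root and (Path(root) / "Microsoft Office").is_dir():
            # Office16\STARTUP or root\Office16\STARTUP depending on install type
            dirs.extend((Path(root) / "Microsoft Office").glob("**/STARTUP"))
    return dirs


def pe_is_dll(path):
    """True if the file has a valid MZ/PE header with IMAGE_FILE_DLL set."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        f.seek(e_lfanew)
        if f.read(4) != b"PE\0\0":
            return False
        coff = f.read(20)  # IMAGE_FILE_HEADER; Characteristics is the last WORD
        if len(coff) < 20:
            return False
        return bool(struct.unpack_from("<H", coff, 18)[0] & IMAGE_FILE_DLL)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_wll(startup_dirs, known_good=frozenset()):
    """One record per *.wll (any case) under the given folders; anything not allow-listed is suspicious."""
    findings = []
    for d in startup_dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            if not p.is_file() or p.suffix.lower() != ".wll":
                continue
            digest = sha256_file(p)
            findings.append({
                "name": p.name,
                "path": str(p),
                "sha256": digest,
                "is_pe_dll": pe_is_dll(p),
                "suspicious": digest not in known_good,
            })
    return findings


def _minimal_pe_dll():
    """Constructed 88-byte stub: valid MZ/PE headers with IMAGE_FILE_DLL set, not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0x2002)  # EXECUTABLE_IMAGE | DLL
    return bytes(dos) + b"PE\0\0" + coff


def demo(root=None):
    """Populate a scratch Startup folder with a fake intel.wll and a non-PE .WLL, then hunt it."""
    root = Path(root or tempfile.mkdtemp(prefix="wll-hunt-"))
    (root / "intel.wll").write_bytes(_minimal_pe_dll())
    (root / "README.WLL").write_text("not a DLL at all")
    return hunt_wll([root])


if __name__ == "__main__":
    for record in hunt_wll(default_startup_dirs()) or demo():
        print(record)
```

On a live host the record to chase is a .wll that is a real DLL, is not in the allow-list and was written around the time a suspicious RTF was opened; a non-PE .wll is noise but is still worth noting, since Word will attempt to load it.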
According to Check Point Research: “At the final stage of the infection chain, after the appropriate command is received, the malicious loader downloads and decrypts a RAT module, also in the form of a DLL file, and loads it into memory. This plug-in like architecture might hint at the existence of other modules, in addition to the payload we received.”
The RAT module provides the following core capabilities:
Take a screenshot
List files and directories
Create and delete directories
Move and delete files
Download a file
Execute a new process
Get a list of all services
All the C&C servers were hosted on Vultr, and the domains were registered through GoDaddy.