
Chinese Hackers Exploit MS Word Vulnerability to Drop Malware


Researchers have discovered a new COVID-19-themed campaign in which China-based APT threat actors exploit the coronavirus scare to deliver previously unknown malware to Windows systems.


This attack, suspected to have been initiated by a long-running APT group that targets various government and private-sector organizations, uses the COVID-19 pandemic as a lure to infect its victims.

Evidence collected from this attack indicates the use of RoyalRoad, an RTF weaponizer identified by Anomali, to arm the RTF documents. Often called the "8.t" RTF exploit builder, it is mainly used to exploit Microsoft Word's Equation Editor vulnerabilities.
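The weaponized documents described above are RTF files that embed an OLE object handled by the Equation Editor (object class Equation.3 or Equation.2). The following Python triage script is an added example, not code from the article or from Check Point: it scans raw RTF bytes for \objclass control words, counts Equation Editor objects, and also reports the \objupdate and \objautlink control words that make Word load an object as the document opens (that last check is general RTF knowledge, not something the article states). The sample document is constructed inline and contains no exploit.

```python
import re
import sys
from pathlib import Path

# Object class control word, e.g. {\*\objclass Equation.3}
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
# Control words that make Word load/refresh an object as the document opens
AUTO_LOAD_RE = re.compile(rb"\\objupdate\b|\\objautlink\b")
# Object classes served by the Equation Editor (compared case-insensitively)
EQUATION_CLASSES = {b"equation.2", b"equation.3"}


def triage_rtf(data: bytes) -> dict:
    """Summarise embedded OLE objects in raw RTF bytes.

    Returns the object classes found, how many are Equation Editor objects,
    whether an auto-load control word is present, and an overall verdict.
    """
    classes = [m.group(1) for m in OBJCLASS_RE.finditer(data)]
    equation_objects = [c for c in classes if c.lower() in EQUATION_CLASSES]
    return {
        "object_classes": [c.decode("ascii", "replace") for c in classes],
        "equation_objects": len(equation_objects),
        "auto_load": AUTO_LOAD_RE.search(data) is not None,
        # An Equation Editor object alone is enough to pull the file for
        # analysis; auto-load on top of it means no click is needed.
        "suspicious": bool(equation_objects),
    }


def triage_file(path) -> dict:
    """Triage an RTF file on disk; the file is read as bytes, never opened in Word."""
    return triage_rtf(Path(path).read_bytes())


# Constructed sample, not one of the campaign's documents: a minimal RTF that
# embeds an Equation.3 object and asks Word to update it on open. The objdata
# hex is just the ASCII class name, not an exploit.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0 {\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 4571756174696f6e2e33}}\par}"
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [triage_file(p) for p in targets] if targets else [triage_rtf(SAMPLE_RTF)]
    for r in results:
        print(r)
```

Run it with one or more RTF paths as arguments; with no arguments it triages the constructed sample. A hit means the file deserves sandbox or manual analysis, not that it is confirmed malicious: legitimate documents can embed equations, which is why the verdict is kept separate from the raw object list.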

Some of the malicious documents were written in Mongolian; one of them purports to come from the Mongolian Ministry of Foreign Affairs and contains information about new coronavirus infections.

Infection Vectors

Once the victim opens the malicious RTF document, the Microsoft Word vulnerability is exploited and a new file named intel.wll is dropped into the Word Startup folder.

This is a new version of the RoyalRoad weaponizer's persistence technique: Word loads every DLL with a WLL extension from its Startup folder whenever the victim launches the application, which triggers the infection chain.

This technique also helps the malware evade sandboxes, since the dropped DLL does not run until Word is launched again.
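One defender-side check for the persistence described in the paragraphs above, written as an added example rather than code from the article: enumerate the per-user Word startup folder (assumed to be %APPDATA%\Microsoft\Word\STARTUP, the default location), report every .wll add-in with its SHA-256, and flag both the intel.wll name from the article and any hash present in a caller-supplied IoC set. The demo() function builds a constructed startup folder in a temporary directory so the script runs anywhere; the known_bad set is empty by default and is meant to be filled from the DLL hashes listed under Indicators of Compromise.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Per-user Word startup folder (assumed default location; pass another path
# to hunt_startup_addins to check a different one). Every *.wll here is
# loaded as an add-in each time Word starts.
DEFAULT_STARTUP = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"

# Filename used by the dropper described in the article
DROPPER_NAME = "intel.wll"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_startup_addins(startup_dir=DEFAULT_STARTUP, known_bad=frozenset()) -> list:
    """Return one record per .wll in the startup folder, with its hash and
    the reasons (if any) it matches the campaign described above."""
    findings = []
    startup_dir = Path(startup_dir)
    if not startup_dir.is_dir():
        return findings
    for p in sorted(startup_dir.iterdir()):
        if not p.is_file() or p.suffix.lower() != ".wll":
            continue
        digest = sha256_of(p)
        reasons = []
        if p.name.lower() == DROPPER_NAME:
            reasons.append("filename matches the article's dropper")
        if digest in known_bad:
            reasons.append("sha256 matches IoC list")
        findings.append({"path": str(p), "sha256": digest, "reasons": reasons})
    return findings


def demo() -> list:
    """Hunt a constructed startup folder: one fake intel.wll (harmless bytes)
    whose hash is placed in the IoC set, plus a file that is not an add-in."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / DROPPER_NAME).write_bytes(b"constructed sample, not a real DLL")
        (folder / "readme.txt").write_bytes(b"not an add-in, must be ignored")
        iocs = {sha256_of(folder / DROPPER_NAME)}
        return hunt_startup_addins(folder, known_bad=iocs)


if __name__ == "__main__":
    folder = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_STARTUP
    for rec in hunt_startup_addins(folder):
        flag = "SUSPICIOUS" if rec["reasons"] else "review"
        print(f"{flag}: {rec['path']} {rec['sha256']} {rec['reasons']}")
```

Every .wll in that folder is worth a look even without a hash match, because the folder is rarely used legitimately and anything placed there runs with the user's privileges on the next Word launch; a name or hash match only raises the priority.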

Once the intel.wll DLL is loaded, it downloads and decrypts the next stage of the infection chain from the C2 server (95.179.242[.]6).

This next stage is also a DLL file, identified as the main loader of the malware framework developed by the APT actors; it retrieves additional functionality from other C2 servers.

According to the Check Point research: "At the final stage of the infection chain, after the appropriate command is received, the malicious loader downloads and decrypts a RAT module, also in the form of a DLL file, and loads it into memory. This plug-in like architecture might hint at the existence of other modules, in addition to the payload we received."

The malware's RAT module provides the following core capabilities:
  • Take a screenshot
  • List files and directories
  • Create and delete directories
  • Move and delete files
  • Download a file
  • Execute a new process
  • Get a list of all services

All the C&C servers were hosted on Vultr servers, and the domains were registered via the GoDaddy registrar.

Indicators of Compromise

RTFs:
234a10e432e0939820b2f40bf612eda9229db720751155c42e01837
f0b17e3b8615be2a9189c997aae042ec91ac661fdc0230bdddaafdc3
86fb442a3d7f69f7bd7fc96d842fcac054e8768fd1ecaa88adba2fa75
6263549948fac6935911c3e0d4d1fa1f

DLLs:
0e0b006e85e905555c90dfc0c00b306bca062e7bdde7dd81eb9527b7ef9
9ebeefa821b11581b98e0fc9c38718e4d2c75a8ba894352fa2b3c9348c3d
7601a08e77ccb83ffcd4a3914286bb00e9b192cd627a029c864bb399103
04d7ff2ca1396f22aa32a28b121bc5bd9382dfdf1431987a5131576321ae
fbbf9ef96b9dc8bdbc6996491d8167a8e1e63283fefcf75e7cad45099bf97
7fe719a8a5fc245bd66b80bedd80bf62417760d25ce87dea0ce9a084c163
c5eee7a65ae5b5171bf29c329683aacc7eb99ee0c3900054580bd4155b4b
72ccf7144c6188987cd31e7826f5d9a9b08e758224ef34e2212d7a8f1b728
a93ae61ce57db88be52593fc3f1565a442c346795ff9ecc1184c9952a16b9
941b311d1a038fcab5636e302e6751cc1a141d3a243ca19ec74bec9226a0
80baf77c96ee71131b8ce4b057c126686c0c696c945c9f4a56fd1057cac66
fbc8b3e021974b1ec65560644578a6bcf1ba79f380ca8bdb2f9a4b40b7207
477076d069999533e0150be06a20ba74d5378b942e1d1a0b5f0e66da3aa9b
bd0fb46b8e16d71d9ef97f90dcdfe123ccb7d9b45e6fa9eceb2446f0cf5fb401
7483cdf1d5eb659ebc9cd7d19588d93592de0a807cfb1a332aa0d886a6981e
7dee16d621cde40c325fcf179242831a145fd918ca7288d9dc2426f9db2d962
a444391aa3ddf75882faad0b67c9eda00aae384b2f9509fa48945ae820903912
a902e50c075343ab20228a8c0c094722bbff71c4a2a2f80f51188dc9aea69786
8864d88925d64c26abc

RAT:
238a1d2be44b684f5fe848081ba4c3e6ff821917
