Chinese Hackers Exploit MS Word Vulnerability to Drop Malware
Researchers discovered a new COVID-19 themed campaign by a China-based APT group that takes advantage of the Coronavirus scare to deliver previously unknown malware to Windows systems.
Evidence collected from this attack indicates the use of RoyalRoad, an RTF weaponizer identified by Anomali, to arm the RTF documents. Often called the “8.t” RTF exploit creator, it is used here to exploit Microsoft Word’s Equation Editor vulnerabilities.
This attack, suspected to have been initiated by a long-running APT group that targets various government and private-sector organizations, uses the COVID-19 pandemic as a lure to infect victims.
A few of the malicious documents were written in the Mongolian language, one of them allegedly from the Mongolian Ministry of Foreign Affairs, and the document contains information about the new Coronavirus infections.
Infection Vectors
Once the victim opens the malicious RTF document, the Microsoft Word vulnerability is exploited and a new file named intel.wll is dropped into the Word Startup folder.
This is a newer version of the RoyalRoad weaponizer’s persistence technique: Word loads every DLL with a WLL extension found in its Startup folder each time the victim starts the application, which triggers the infection chain.
This technique also prevents the malware from running inside a sandbox, because the payload only executes when Word itself is launched.
Once the intel.wll DLL is loaded, it downloads and decrypts the next stage of the infection chain from the C2 server (95.179.242[.]6).
This next stage is also a DLL file, identified as the main loader of the malware framework developed by the APT actors; it retrieves additional functionality from other C2 servers.
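As an added illustration (not code from the original article or from Check Point), the following Python triage script checks for the two artefacts described above: an RTF file that declares an Equation Editor OLE object, and a .wll add-in sitting in a Word Startup folder. The sample RTF bytes and file paths are constructed, and the Startup folder locations are assumed defaults for a standard Office install.

```python
"""Triage helpers: Equation Editor objects in RTF, and WLL add-ins in Word Startup."""
import os
import re
from pathlib import Path, PureWindowsPath

# RTF embeds OLE objects as {\object ...{\*\objclass Equation.3}...}. The class
# name is the cheapest signal that a document asks Word to start Equation Editor.
# Case and spacing are matched loosely because weaponizers vary them.
EQUATION_CLASS_RE = re.compile(rb"\\objclass\s*equation\.[23]\b", re.IGNORECASE)

# Constructed sample RTF (not a real exploit document): only the object header.
SAMPLE_RTF = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata 0105}}}"

# Constructed sample listing of a user's Office folders.
SAMPLE_PATHS = [
    r"C:\Users\victim\AppData\Roaming\Microsoft\Word\STARTUP\intel.wll",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Word\STARTUP\Normal.dotm",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Templates\other.wll",
]

def rtf_has_equation_object(data: bytes) -> bool:
    """True if the bytes look like RTF and declare an Equation Editor OLE object."""
    return data.lstrip().startswith(b"{\\rtf") and EQUATION_CLASS_RE.search(data) is not None

def find_wll_addins(paths) -> list:
    """Return every *.wll path that sits directly inside a STARTUP folder.
    Word auto-loads such files at launch, which is how intel.wll persists."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(str(raw))
        if p.suffix.lower() == ".wll" and p.parent.name.upper() == "STARTUP":
            hits.append(str(p))
    return hits

def word_startup_dirs() -> list:
    """Assumed default Word Startup locations (per-user and per-install)."""
    dirs = []
    if os.environ.get("APPDATA"):
        dirs.append(Path(os.environ["APPDATA"]) / "Microsoft" / "Word" / "STARTUP")
    for var in ("ProgramFiles", "ProgramFiles(x86)"):
        if os.environ.get(var):
            dirs.append(Path(os.environ[var]) / "Microsoft Office" / "root" / "Office16" / "STARTUP")
    return dirs

def scan_host() -> list:
    """List *.wll files present in the real Startup folders of this machine."""
    found = []
    for d in word_startup_dirs():
        if d.is_dir():
            found.extend(find_wll_addins(d.iterdir()))
    return found

if __name__ == "__main__":
    print("sample RTF has Equation object:", rtf_has_equation_object(SAMPLE_RTF))
    print("sample WLL add-ins:", find_wll_addins(SAMPLE_PATHS))
    for hit in scan_host():
        print("WLL add-in in Word Startup:", hit)
```

A .wll in a Startup folder is not malicious by itself; hash any hit and compare it with known-good add-ins before acting on it.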
According to Check Point Research: “At the final stage of the infection chain, after the appropriate command is received, the malicious loader downloads and decrypts a RAT module, also in the form of a DLL file, and loads it into memory. This plug-in like architecture might hint at the existence of other modules, in addition to the payload we received.”
The RAT module has the following core capabilities:
- Take a screenshot
- List files and directories
- Create and delete directories
- Move and delete files
- Download a file
- Execute a new process
- Get a list of all services
All the C&C servers were hosted on Vultr servers, and the domains were registered via the GoDaddy registrar.
Indicators of Compromise