Abstract
This presentation will cover the long-running attack campaigns targeting South Asian officials, mainly those working in the government, oil, media and maritime sectors, as well as defence contractors, universities (particularly those with military research ties) and legal organizations. The main motivation behind these attacks is espionage aligned with commercial interests and South China Sea issues, aimed at intellectual property theft and military espionage.
Attackers use multi-stage attack techniques to target their victims during these campaigns. During the reconnaissance stage, they collect a great deal of information, such as which software and applications on the target's side are vulnerable. Over the past few years, attackers have been using poisoned Microsoft Office documents as one of their preferred infection vectors for both cybercrime and cyber espionage. It doesn't take long for malware authors to integrate novel techniques into their own exploit kits and attack ordinary users, and attackers quickly adopt most of these application CVEs.
In the campaigns we analysed, we identified that multiple APT groups (namely Leviathan, Goblin Panda, Winnti and Sidewinder) targeted South Asian countries using the Microsoft Office vulnerabilities CVE-2017-11882, CVE-2017-0199 and CVE-2017-8759. Research by fellow APT researchers also identified that a unique object dimension present in RTF phishing files was weaponized with CVE-2017-11882 and CVE-2018-0802, and appears to be utilized by numerous Asian APT groups. The identified RTFs all share a unique object height and width, which determine how the object is rendered in Microsoft Word. We used this to expand our research and track APT groups.
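As an added illustration of the dimension pivot described above (this is not code from the presentation), the following Python script extracts the \objw/\objh control words from each \object group in an RTF file and groups samples that share the same width/height pair. The RTF fragments and the 3000x2000 pair are constructed placeholders; the abstract does not publish the real values.

```python
import re
from collections import defaultdict

# \objw and \objh set the rendered width/height of an embedded object, in
# twips (1/1440 inch). They are the values used as a hunting pivot here.
_OBJ_DIM_RE = re.compile(rb"\\objw(-?\d+)|\\objh(-?\d+)")
_OBJ_RE = re.compile(rb"\\object\b")


def extract_object_dimensions(rtf: bytes) -> list[tuple[int, int]]:
    """Return the (width, height) pair for every \\object group in an RTF.

    The first \\objw and \\objh seen after each \\object keyword are taken;
    objects with no explicit size are skipped.
    """
    dims = []
    starts = [m.start() for m in _OBJ_RE.finditer(rtf)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(rtf)
        width = height = None
        for m in _OBJ_DIM_RE.finditer(rtf[start:end]):
            if m.group(1) is not None and width is None:
                width = int(m.group(1))
            elif m.group(2) is not None and height is None:
                height = int(m.group(2))
        if width is not None and height is not None:
            dims.append((width, height))
    return dims


def cluster_by_dimensions(samples: dict[str, bytes]) -> dict[tuple[int, int], list[str]]:
    """Group sample names by the object dimension pairs they contain."""
    clusters = defaultdict(list)
    for name, data in samples.items():
        for pair in sorted(set(extract_object_dimensions(data))):
            clusters[pair].append(name)
    return dict(clusters)


# Constructed minimal RTF fragments, not real samples. The 3000x2000 pair is
# a placeholder standing in for the shared dimension the abstract refers to.
SAMPLES = {
    "phish_a.rtf": b"{\\rtf1{\\object\\objemb\\objw3000\\objh2000{\\*\\objclass Package}}}",
    "phish_b.rtf": b"{\\rtf1{\\object\\objemb\\objw3000\\objh2000{\\*\\objclass Equation.3}}}",
    "benign.rtf": b"{\\rtf1{\\object\\objemb\\objw9360\\objh1440{\\*\\objclass Excel.Sheet}}}",
}

if __name__ == "__main__":
    for pair, names in sorted(cluster_by_dimensions(SAMPLES).items()):
        print(pair, names)
```

Samples landing in the same cluster share a rendering dimension and are candidates for the kind of cross-campaign tracking the abstract describes; the pair alone is a weak signal and should be combined with other indicators before attribution.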
Once the victim opens the poisoned Microsoft Office file, the shellcode that decrypts the final payload in memory was found to use one constant file name, '8.t', across all the campaigns. Some of the identified payloads are NewCore RAT, Hawkball backdoor, Fucobha, QCRat, PlugX, htpRAT and an unnamed RAT. Most of these remote administration tools relied on the DLL side-loading technique to persist across reboots. It is very rare to see possibly different APT groups using the same shellcode name, with two different shellcode decryption routines, to drop and execute final RAT payloads on victim machines across the different identified APT campaigns. It was also identified that the attackers repeatedly returned to target almost the same victim organizations in South Asian countries over this period. At a certain point in time, the APT groups likely had an infrastructure overlap.
Attackers continued using the same trends and traits, with minimal modification, to target the same victims, regions and sectors, which leads us to believe that they may have shared TTPs, code and infrastructure to steal intellectual property from victim organizations. Many filenames and attacker command-and-control domains collected during the investigation used themes related to the victim country's current affairs or organizations.