• Home
  • |
  • Blog
  • |
  • Researchers Identified New Chinese Spying Campaign Targeting Southeast Asia
New Chinese Spying Campaign

Researchers identified a new Chinese spying campaign targeting a Southeast Asian government, especially the Ministry of Foreign Affairs. Attackers have used spear-phishing techniques to implant the previously unknown backdoor on Victims. Further analysis reveals that attackers have used old Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to access the victim’s machines.

Who Is Behind This New Chinese Spying Campaign?

Several facts made researchers suspects that this new Chinese spying campaign has been linked to a Chinese advanced persistent threat (APT) group “SharpPanda”.

Targets Of This New Chinese Spying Campaign?

As we said earlier, these surveillance operations were seen targeting the Southeast Asian Government, interestingly more on the Ministry of Foreign Affairs department. Attackers were not just interested in spying on the official assets but also tried targeting the victim’s personal assets to gather more as much information as they can. Moreover, researchers warn that this spying campaign could be expanded to other targets around the world.

How Is This New ‘Chinese Spying Campaign’ Operated?

  1. Threat actors weaponize a DOCX file which impersonates official document from other departments of the government.
  2. That fake government document would be delivered to multiple members of the Ministry of Foreign Affairs using various social engineering techniques.
  3. When the person opens the document, the document will download a new next-level payload from the attacker’s remote server that contains an encrypted downloader. The downloader is an RTF file weaponized using a variant of a tool named RoyalRoad. A tool used to create custom Microsoft documents with embedded objects. Attackers used this tool to load the exploits of Microsoft Word. Threat actors decrypt the RTF file using the RC4 algorithm with the key 123456. The decrypted file is saved as 5.t in the %Temp% folder. Research revealed that the 5.t file creates the scheduled task named Windows Update that should run the exported function StartW from 5.t with rundll32.exe, once a day.
  4. The downloader (5.t) will start sharing information with the attacker’s remote server “HTTPS://<C&C IP>/<working_folder>/Main.php?Data=<encrypted_data>” and subsequently responds back with a shellcode loader “HTTPS://<C&C IP>/<working_folder>/buy/<hostname>.html”. The downloader can gather information such as the victim’s computer hostname, OS name, and version, system type (32/64 bit), user name, MAC addresses of the networking adapters. It also capable of querying WMI for anti-virus detection.
  5. At the last phase of the attack, the loader connects with the remote server from where an implant a backdoor dubbed “VictoryDll_x86.dll” will get downloaded and executed. Click here to read the full analysis.

This backdoor is capable of doing many operations like:

  • Delete/Create/Rename/Read/Write Files and get files attributes
  • Get processes and services information
  • Get screenshots
  • Pipe Read/Write – run commands through cmd.exe
  • Create/Terminate Process
  • Get TCP/UDP tables
  • Get CDROM drives data
  • Get registry keys info
  • Get titles of all top-level windows
  • Get victim’s computer information – computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number), and type of user
  • Shutdown PC

Backdoor Commands

Message TypeType IDArgumentsSource
Send victim’s information0x2InfoVictim
CDROM drives data0x4– / Drives dataBoth
Get Files data0x5/0x6Path / Files dataBoth
Create Process0x7Command LineC&C server
Rename File0x8Old filename, New filenameC&C server
Delete File0x9FilenameC&C server
Read File0xaFilename, Offset / File’s contentBoth
Exit Pipe0xbC&C server
Create Pipe0xcC&C server
Write To Pipe0xdBufferC&C server
Get Uninstalled software data0xe– / Software dataBoth
Get windows text0xf– / Windows textBoth
Get active processes data0x10– / Processes dataBoth
Terminate Process0x11Process IDC&C server
Get screenshot0x12/0x13– / Screenshot temp fileBoth
Get services data0x14– / Services dataBoth
Get TCP/UDP tables0x15– / Tables dataBoth
Get registry key data0x16Registry path / Reg dataBoth
Shutdown0x17C&C server
Exit process0x18C&C server
Restart current process0x19C&C server
Write to file0x4C7Filename, BufferC&C server
Start Connection0x540Zero ByteVictim
Get victim’s information/Update XOR key0x541New XOR key / Victim’s infoBoth
None0x120EC&C server
Ack0x129D3Name (‘admin’ in our case)Victim

Indicators Of Compromise

Documents

278c4fc89f8e921bc6c7d015e3445a1cc6319a66
42be0232970d5274c5278de77d172b7594ff6755
f9d958c537b097d45b4fca83048567a52bb597bf
fefec06620f2ef48f24b2106a246813c1b5258f4
548bbf4b79eb5a173741e43aa4ba17b92be8ed3a
417e4274771a9614d49493157761c12e54060588

Executables

03a57262a2f3563cf0faef5cde5656da437d58ce 5.t
388b7130700dcc45a052b8cd447d1eb76c9c2c54 5.t
176a0468dd70abe199483f1af287e5c5e2179b8c 5.t
01e1913b1471e7a1d332bfc8b1e54b88350cb8ad loader
8bad3d47b2fc53dc6f9e48debac9533937c32609 ServExe (x64)
0a588f02e60de547969d000968a458dcdc341312 VictoryDll

C&C servers

45.91.225[.]139
107.148.165[.]151
45.121.146[.]88

Old backdoor versions

MClient:

aa5458bdfefe2a97611bb0fd9cf155a06f88ef5d
4da26e656ef5554fac83d1e02105fad0d1bd7979
f8088c15f9ea2a1e167d5fa24b65ec356939ba91
0726e56885478357de3dce13efff40bfba53ddc2
7855a30e933e2b5c3db3661075c065af2e40b94e
696a4df81337e7ecd0ea01ae92d8af3d13855c12
abaaab07985add1771da0c086553fef3974cf742
7a38ae6df845def6f28a4826290f1726772b247e

Autostart_DLL:

e16b08947cc772edf36d97403276b14a5ac966d0
c81ba6c37bc5c9b2cacf0dc53b3105329e6c2ecc
a96dfbad7d02b7c0e4a0244df30e11f6f6370dde
6f5315f9dd0db860c18018a961f7929bec642918

Conclusion:

Researchers discovered that this Chinese spying campaign has been active for more than three years. And this campaign could be expanded to other targets around the world.

If you find this interesting please read more interesting articles here:

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.