Experts Uncover Yet Another Chinese Spying Campaign Aimed at Southeast Asia

An ongoing cyber-espionage operation with suspected ties to China has been found targeting a Southeast Asian government to deploy spyware on Windows systems while staying under the radar for more than three years.

“In this campaign, the attackers utilized the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor on victim’s machines,” researchers from Check Point Research said in a report published today.

The infection chain begins with decoy documents, impersonating other entities within the government, sent to multiple members of the Ministry of Foreign Affairs. When opened, a document retrieves a next-stage payload from the attacker’s server that contains an encrypted downloader. The downloader, in turn, gathers system information and exfiltrates it to a remote server, which subsequently responds with a shellcode loader.

The use of weaponized copies of legitimate-looking official documents also suggests that “the attackers first had to attack another department within the targeted state, stealing and weaponizing documents for use against the Ministry of Foreign Affairs,” said Lotem Finkelsteen, head of threat intelligence at Check Point.

The last link in the attack involves the loader establishing a connection with the remote server to download, decrypt, and execute an implant dubbed “VictoryDll_x86.dll” that’s capable of performing file operations, capturing screenshots, creating and terminating processes, and even shutting down the infected machine.

Check Point said the adversary placed significant effort into concealing its activity by changing the infrastructure multiple times since its development in 2017, with the backdoor receiving its own fair share of revisions to make it more resilient to analysis and decrease the detection rates at each stage.

[The Hacker News]
