Advanced malware linked to South China Sea cyber-attacks

NanHai means South Sea, Shu means Rat, the animal.

F-Secure Labs has uncovered a strain of malware that appears to be targeting parties involved in the South China Sea territorial dispute.

The issue is a dispute between the Philippines, China and others over territory and sovereignty over ocean areas, and the Paracels and the Spratlys - two island chains claimed in whole or in part by several countries.

The malware, dubbed NanHaiShu (literally translated as South Sea Rat) by F-Secure researchers, is a Remote Access Trojan that allows attackers to exfiltrate data from infected machines.

NanHaiShu is spread via carefully crafted spear-phishing emails that contain industry-specific terms relevant to each of the targeted organisations, indicating the emails were deliberately designed with the exact targets in mind.

The email's attached file contains a malicious macro that executes an embedded JScript file. Once installed on a machine, NanHaiShu sends information from the infected machine to a remote server, and is able to download any file the attacker wishes.
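As an added defensive example that is not from the article or the F-Secure report, the following Python triage helper checks an OOXML document's zip container for a VBA project and scans already-extracted macro source for the drop-and-run pattern described above (a macro that writes out and launches a JScript file). The indicator strings and the sample macro are constructed assumptions, not signatures from the report, and a real vbaProject.bin stores compressed source that must first be decompressed (for example with olevba) before the source scan applies.

```python
import io
import re
import zipfile

# Heuristic indicators (assumed for this example, not signatures from the F-Secure
# report) of a macro that writes out and launches a JScript file.
JSCRIPT_INDICATORS = {
    "wscript_shell": r"WScript\.Shell",
    "script_host": r"\b[wc]script\.exe\b",
    "js_file": r"\.js\b",
    "writes_file": r"\b(CreateTextFile|SaveToFile)\b",
}

def scan_macro_source(vba_source: str) -> list:
    """Return the indicator names found in already-extracted VBA source text."""
    return [name for name, pattern in JSCRIPT_INDICATORS.items()
            if re.search(pattern, vba_source, re.IGNORECASE)]

def triage_ooxml(data: bytes) -> dict:
    """Inspect an OOXML zip container for a VBA project and embedded objects.
    vbaProject.bin holds compressed source; decompress it (e.g. olevba) first."""
    report = {"is_ooxml": False, "has_vba_project": False, "embedded_parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # legacy OLE .doc/.xls or not a document at all
    report["is_ooxml"] = True
    for name in zf.namelist():
        if name.lower().endswith("vbaproject.bin"):
            report["has_vba_project"] = True
        elif "/embeddings/" in name.lower():
            report["embedded_parts"].append(name)
    return report

# Constructed sample macro source showing the drop-and-run pattern; not real malware.
SAMPLE_MACRO = '''Sub AutoOpen()
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.CreateTextFile(Environ("TEMP") & "\\update.js", True)
    f.Write ActiveDocument.Variables("payload").Value
    CreateObject("WScript.Shell").Run "wscript.exe " & Environ("TEMP") & "\\update.js", 0
End Sub
'''

def build_sample_document() -> bytes:
    """Constructed minimal zip with the parts a macro-enabled document carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE bytes")
    return buf.getvalue()
```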

The technical analysis exposed the malware's notable orientation towards code and infrastructure associated with developers in mainland China.

Owing to that, and to the fact that the selection of organisations targeted for infiltration is directly relevant to topics considered to be of strategic national interest to the Chinese government, F-Secure researchers suspect the malware to be of Chinese origin.

The malware and its use leading up to the 12th July case ruling are detailed in a new F-Secure report, NanHaiShu: RATing the South China Sea.

Erka Koivunen, cyber-security advisor at F-Secure, told SCMagazineUK.com: “This APT (advanced persistent threat) malware appears to be tightly linked to the dispute and legal proceedings between the Philippines and China about the South China Sea.”

Targeted organisations identified in the report include the Department of Justice of the Philippines, which has been involved in the case filed by the Philippines against China; the organisers of Asia-Pacific Economic Cooperation (APEC) Summit, which was held in the Philippines in November 2015; and a major international law firm.

Koivunen explained: “Not only are the targeted organisations all related to the case in some way, but its appearance coincides chronologically with the publication of news or events related to the arbitration proceedings.”

“If in fact our researchers' suspicions are correct, it could be that the Chinese were using cyber-espionage to gain better visibility into the legal proceedings,” says Koivunen.
