State-sponsored hackers in China are targeting military and aerospace interests in Russia and Belarus.
Since the summer of last year, a group of hackers has been using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT), and has added Microsoft Compiled HTML Help (.chm) files as one of the initial droppers delivered in spear-phishing emails, according to researchers from Proofpoint.
In a blog post, the researchers said that the attackers also continued to send spear-phishing emails with Microsoft Word attachments that exploit CVE-2012-0158 on the client. These documents were built with MNKit.
In one example, an email with subject “Федеральная целевая программа 2017-2020 гг.” (translated from Russian: “Federal Target Program 2017-2020 gg.”) contained an attachment “2017-2020.doc” and was sent to a potential victim in an aerospace company in December 2016.
Previously, the group used spear-phishing emails with Microsoft Word document attachments exploiting CVE-2012-0158, or URLs linking to RAR-compressed executables. Researchers said that although some of these patterns of behaviour continue, in June 2016 they observed the attackers using a new type of dropper to deliver previously unknown malware, which has been dubbed "ZeroT".
When a victim opens the help file, Russian text is displayed and a User Account Control window appears asking to allow execution of an unknown application. If the victim approves the request, the ZeroT downloader is installed. ZeroT then tries to contact a C&C server to upload information about the victim's system, and drops a variant of the PlugX RAT that is hidden, using steganography, inside an image of pop singer Britney Spears.
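As an added illustration of how a defender might triage attachments for the chain described above (it is not Proofpoint's code and not from the original article), the following checks identify CHM files by their header rather than their extension and flag images carrying appended data after their end marker. The sample attachments are constructed; the trailing-bytes check only catches payloads appended to an image, not pixel-level steganography.

```python
CHM_MAGIC = b"ITSF"                 # header of Microsoft Compiled HTML Help files
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def is_chm(data: bytes) -> bool:
    """True if the bytes are a CHM file, whatever the filename claims."""
    return data[:4] == CHM_MAGIC


def image_trailing_bytes(data: bytes) -> int:
    """Number of bytes after the image's end marker (PNG IEND chunk or JPEG EOI).
    Non-zero means something was appended to the image (a common, simple way to
    smuggle a payload); pixel-level (LSB) steganography is not detected here."""
    if data.startswith(PNG_MAGIC):
        end = data.rfind(b"IEND")
        return 0 if end == -1 else len(data) - (end + 4 + 4)  # type + CRC
    if data.startswith(JPEG_SOI):
        end = data.rfind(b"\xff\xd9")
        return 0 if end == -1 else len(data) - (end + 2)
    return 0


def triage(attachments):
    """Return (filename, finding) pairs for a list of (filename, bytes)."""
    findings = []
    for name, data in attachments:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if is_chm(data):
            findings.append((name, "chm-attachment"))
        elif ext == "chm":
            findings.append((name, "chm-extension-without-chm-header"))
        trailing = image_trailing_bytes(data)
        if trailing:
            findings.append((name, f"image-with-{trailing}-trailing-bytes"))
    return findings


# Constructed sample attachments (not real malware): a minimal CHM header,
# an OLE-style .doc header, and a PNG with 8 bytes appended after IEND.
PNG_WITH_PAYLOAD = (PNG_MAGIC + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"
                    + b"MZ\x90\x00fake")
SAMPLE = [
    ("help.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 8),
    ("2017-2020.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 8),
    ("photo.png", PNG_WITH_PAYLOAD),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```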
“This APT activity represents both a change in TTPs as well as the introduction of new malware known as ZeroT by a Chinese state-sponsored attack group that we have previously associated with multiple campaigns,” said the researchers.
“Proofpoint researchers have predicted that APT activity will continue to increase in the coming year and we will continue to track developments among state-sponsored actors.”
Tony Rowan, chief security consultant at SentinelOne, told SC Magazine that given the prolific activities of the Chinese threat actor groups, it's difficult to say that they have in fact focused on Russia or Belarus.
“I believe it's more likely that it is just part of their continued general activity. And, given the nature of the targets they are working on, it appears to be part of their normal industrial and military intelligence gathering process,” he said.
He added that with a new president in place in the US, it is likely that we will see increased activity from China and other interested parties.
“Many will be interested to know and possibly confirm the allegations of Russian involvement with President Trump and cyber-espionage is a useful tool in efforts to uncover any nefarious activity. That kind of information could be used in many ways and is pure gold in terms of information. If those e-crumbs exist, they will surely be found,” he said.